[tproxy] A connection to a server gets long time (3 seconds) (tproxy4)
박영호
youngpumpkin at gmail.com
Thu Sep 11 15:30:43 CEST 2008
I have a problem with tproxy4 on Linux kernel 2.6.24.7.
The connection to a server (172.16.100.232) with a foreign address (10.0.3.232)
takes a long time (3 seconds)
because a SYN packet is re-sent by the tproxy server.
(The SYN retry time may be 3 seconds.)
(The first web server SYN-ACK packet may be ignored by tproxy.)
What should I do about this problem?
Below is the result of a server-side tcpdump.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes
22:23:45.739972 IP 10.0.3.232.3845 > 172.16.100.142.http: S
3133342350:3133342350(0) win 5840 <mss 1460,sackOK,timestamp 4475642
0,nop,wscale 9>
22:23:45.744947 IP 172.16.100.142.http > 10.0.3.232.3845: S
1184231461:1184231461(0) ack 3133342351 win 5792 <mss 1460,sackOK,timestamp
184168973 4475642,nop,wscale 7>
22:23:48.740436 IP 10.0.3.232.3845 > 172.16.100.142.http: S
3133342350:3133342350(0) win 5840 <mss 1460,sackOK,timestamp 4476392
0,nop,wscale 9>
22:23:48.740453 IP 172.16.100.142.http > 10.0.3.232.3845: S
1184231461:1184231461(0) ack 3133342351 win 5792 <mss 1460,sackOK,timestamp
184169723 4475642,nop,wscale 7>
22:23:49.537982 IP 172.16.100.142.http > 10.0.3.232.3845: S
1184231461:1184231461(0) ack 3133342351 win 5792 <mss 1460,sackOK,timestamp
184169923 4475642,nop,wscale 7>
22:23:49.538478 IP 10.0.3.232.3845 > 172.16.100.142.http: . ack 1 win 12
<nop,nop,timestamp 4476591 184169923>
22:23:49.538716 IP 10.0.3.232.3845 > 172.16.100.142.http: P 1:6(5) ack 1 win
12 <nop,nop,timestamp 4476591 184169923>
22:23:49.538730 IP 172.16.100.142.http > 10.0.3.232.3845: . ack 6 win 46
<nop,nop,timestamp 184169923 4476591>
22:23:49.539463 IP 172.16.100.142.http > 10.0.3.232.3845: P 1:98(97) ack 6
win 46 <nop,nop,timestamp 184169923 4476591>
22:23:49.539509 IP 172.16.100.142.http > 10.0.3.232.3845: F 98:98(0) ack 6
win 46 <nop,nop,timestamp 184169923 4476591>
22:23:49.539793 IP 10.0.3.232.3845 > 172.16.100.142.http: . ack 98 win 12
<nop,nop,timestamp 4476591 184169923>
22:23:49.540470 IP 10.0.3.232.3845 > 172.16.100.142.http: F 6:6(0) ack 99
win 12 <nop,nop,timestamp 4476591 184169923>
22:23:49.540483 IP 172.16.100.142.http > 10.0.3.232.3845: . ack 7 win 46
<nop,nop,timestamp 184169923 4476591>
Here is the result of lsmod:
bash-3.1# lsmod
Module Size Used by Not tainted
iptable_nat 5764 1
nf_nat_sip 4352 0
nf_nat_h323 6400 0
nf_nat_pptp 3200 0
nf_nat_proto_gre 2436 1 nf_nat_pptp
nf_nat_ftp 2944 0
nf_nat 15020 6 iptable_nat,nf_nat_sip,nf_nat_h323,nf_nat_pptp,nf_nat_proto_gre,nf_nat_ftp
xt_TPROXY 2688 1
xt_socket 2944 1
xt_MARK 2304 1
nf_tproxy_core 3712 2 xt_TPROXY,xt_socket,[permanent]
iptable_mangle 2560 1
xt_CONNMARK 2560 0
iptable_filter 2432 1
ip_tables 10452 3 iptable_nat,iptable_mangle,iptable_filter
nf_hipac 156168 0
noarp 20780 0
e100 29964 0
e1000 170688 0
iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DIVERT tcp -- anywhere anywhere socket
TPROXY tcp -- anywhere anywhere tcp dpt:http TPROXY redirect 0.0.0.0:80 mark 0x1/0x1
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain DIVERT (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x1
ACCEPT all -- anywhere anywhere
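The symptom described in the post (a client SYN retransmitted after a 3-second timeout even though the server already answered with a SYN-ACK) can be checked mechanically from a capture. The following is an added example, not code from the post or from the tproxy project: a small Python parser for the classic one-record-per-line tcpdump TCP output quoted above (the older `S`/`.`/`P`/`F` flag format, with tcpdump's wrapped lines joined). It groups records into client-to-server flows, counts client SYNs and server SYN-ACKs, reports whether a SYN-ACK had already been sent before the client's second SYN, and measures the time from the first SYN to the client's first ACK. The sample capture embedded in it is the handshake portion of the post's own dump; the function and field names are my own.

```python
import re

# Constructed sample: the handshake portion of the capture quoted in the post,
# with tcpdump's line-wrapped records joined back onto one line each.
SAMPLE_CAPTURE = """\
22:23:45.739972 IP 10.0.3.232.3845 > 172.16.100.142.http: S 3133342350:3133342350(0) win 5840 <mss 1460,sackOK,timestamp 4475642 0,nop,wscale 9>
22:23:45.744947 IP 172.16.100.142.http > 10.0.3.232.3845: S 1184231461:1184231461(0) ack 3133342351 win 5792 <mss 1460,sackOK,timestamp 184168973 4475642,nop,wscale 7>
22:23:48.740436 IP 10.0.3.232.3845 > 172.16.100.142.http: S 3133342350:3133342350(0) win 5840 <mss 1460,sackOK,timestamp 4476392 0,nop,wscale 9>
22:23:48.740453 IP 172.16.100.142.http > 10.0.3.232.3845: S 1184231461:1184231461(0) ack 3133342351 win 5792 <mss 1460,sackOK,timestamp 184169723 4475642,nop,wscale 7>
22:23:49.537982 IP 172.16.100.142.http > 10.0.3.232.3845: S 1184231461:1184231461(0) ack 3133342351 win 5792 <mss 1460,sackOK,timestamp 184169923 4475642,nop,wscale 7>
22:23:49.538478 IP 10.0.3.232.3845 > 172.16.100.142.http: . ack 1 win 12 <nop,nop,timestamp 4476591 184169923>
22:23:49.538716 IP 10.0.3.232.3845 > 172.16.100.142.http: P 1:6(5) ack 1 win 12 <nop,nop,timestamp 4476591 184169923>
"""

# Classic tcpdump TCP record: "HH:MM:SS.frac IP src > dst: FLAGS rest"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SPFR.]+)(?P<rest>.*)$"
)


def parse_ts(ts):
    """Convert HH:MM:SS.frac into seconds since midnight (float)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyze_handshakes(capture_text):
    """Group records by (client, server) and summarise each handshake.

    Returns a dict keyed by (client, server) with:
      syn_count                 client SYNs seen (>1 means retransmission)
      synack_count              server SYN-ACKs seen
      handshake_delay_s         first client SYN -> first client ACK, seconds
      syn_retransmitted         True when the client sent more than one SYN
      synack_before_retransmit  True when a SYN-ACK had already been sent
                                before the client's second SYN, i.e. the
                                client (or a box in front of it) did not act on it
    """
    flows = {}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip tcpdump banner lines and anything unparsable
        ts = parse_ts(m["ts"])
        src, dst, flags, rest = m["src"], m["dst"], m["flags"], m["rest"]
        has_ack = " ack " in rest
        if "S" in flags and not has_ack:
            # Client SYN: opens (or retransmits into) the flow client->server
            f = flows.setdefault(
                (src, dst), {"syn_times": [], "synack_times": [], "established": None}
            )
            f["syn_times"].append(ts)
        elif "S" in flags and has_ack:
            # Server SYN-ACK: belongs to the reverse of the flow it answers
            f = flows.get((dst, src))
            if f is not None:
                f["synack_times"].append(ts)
        elif has_ack:
            # First ACK from the client completes the three-way handshake
            f = flows.get((src, dst))
            if f is not None and f["established"] is None:
                f["established"] = ts

    report = {}
    for (client, server), f in flows.items():
        syns, synacks = f["syn_times"], f["synack_times"]
        delay = None
        if syns and f["established"] is not None:
            delay = f["established"] - syns[0]
        report[(client, server)] = {
            "syn_count": len(syns),
            "synack_count": len(synacks),
            "handshake_delay_s": delay,
            "syn_retransmitted": len(syns) > 1,
            "synack_before_retransmit": (
                len(syns) > 1 and bool(synacks) and synacks[0] < syns[1]
            ),
        }
    return report


if __name__ == "__main__":
    for (client, server), r in analyze_handshakes(SAMPLE_CAPTURE).items():
        print(f"{client} -> {server}: {r}")
```

Run against the post's capture it reports two client SYNs, three server SYN-ACKs, a SYN-ACK sent before the retransmitted SYN, and a handshake delay of roughly 3.8 seconds, which is the number to watch when comparing a direct connection with one passing through the tproxy box.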