Re: ISNs and 2.6.22, Was: Re: haproxy & linux firewall (netfilter)

From: Krzysztof Oledzki <ole#ans.pl>
Date: Sat, 20 Oct 2007 19:23:25 +0200 (CEST)

On Sat, 20 Oct 2007, Krzysztof Oledzki wrote:

>
>
> On Sat, 20 Oct 2007, Willy Tarreau wrote:
> <CUT>
>
>>>> What is very strange is that linux uses random increments, so your ISNs
>>>> should not wrap in a matter of a few seconds.
>>>
>>> Good point. I need to investigate this.
>>
>> netcat is very convenient for such tests. It's easy to bind it to a
>> source port for consecutive tests while you run tcpdump in the background :
>>
>> $ echo bla | nc -p 1234 192.168.1.2 80
>> $ echo bla | nc -p 1234 192.168.1.2 80
>>
>> Also, please try this with tcp_timestamps enabled and disabled to see if it
>> changes anything.
>
> Interesting... :|
>
> 2.6.20:
> 18:52:33.558379 IP 192.168.0.33.3333 > 212.77.100.101.80: S
> 3708509816:3708509816(0) win 5840 <mss 1460,sackOK,timestamp 1884090256
> 0,nop,wscale 1>
> 18:52:33.882129 IP 192.168.0.33.3333 > 212.77.100.101.80: S
> 3708833567:3708833567(0) win 5840 <mss 1460,sackOK,timestamp 1884090580
> 0,nop,wscale 1>
> 18:52:34.084000 IP 192.168.0.33.3333 > 212.77.100.101.80: S
> 3709035437:3709035437(0) win 5840 <mss 1460,sackOK,timestamp 1884090782
> 0,nop,wscale 1>
>
> 2.6.21:
> 18:58:36.074969 IP 192.168.0.66.3333 > 212.77.100.101.80: S
> 110585153:110585153(0) win 5840 <mss 1460,sackOK,timestamp 112007046
> 0,nop,wscale 5>
> 18:58:36.440084 IP 192.168.0.66.3333 > 212.77.100.101.80: S
> 110950271:110950271(0) win 5840 <mss 1460,sackOK,timestamp 112007412
> 0,nop,wscale 5>
> 18:58:36.830141 IP 192.168.0.66.3333 > 212.77.100.101.80: S
> 111340328:111340328(0) win 5840 <mss 1460,sackOK,timestamp 112007802
> 0,nop,wscale 5>
>
> 2.6.22:
> 18:59:34.525097 IP 192.168.0.7.3333 > 212.77.100.101.80: S
> 3303295586:3303295586(0) win 5840 <mss 1460,sackOK,timestamp 1111842
> 0,nop,wscale 6>
> 18:59:34.942104 IP 192.168.0.7.3333 > 212.77.100.101.80: S
> 3720303240:3720303240(0) win 5840 <mss 1460,sackOK,timestamp 1112259
> 0,nop,wscale 6>
> 18:59:35.412229 IP 192.168.0.7.3333 > 212.77.100.101.80: S
> 4190427367:4190427367(0) win 5840 <mss 1460,sackOK,timestamp 1112729
> 0,nop,wscale 6>
>
> 2.6.22+tcp_timestamps=0:
> 19:00:38.285554 IP 192.168.0.7.3333 > 212.77.100.101.80: S
> 2639244549:2639244549(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 6>
> 19:00:39.448675 IP 192.168.0.7.3333 > 212.77.100.101.80: S
> 3802363348:3802363348(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 6>
> 19:00:43.003850 IP 192.168.0.7.3333 > 212.77.100.101.80: S
> 3062574559:3062574559(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 6>
> 19:00:45.950863 IP 192.168.0.7.3333 > 212.77.100.101.80: S
> 1714619373:1714619373(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 6>
>
> So it seems that ISNs are not randomly incremented but rather randomly
> generated. Adding netdev#vger.kernel.org to the CC list.

Eh, I was in a little too much of a hurry this time. They were not randomly generated but incremented by too big a value. This patch fixes my problem:

http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git;a=blob;f=queue-2.6.22/fix-tcp-initial-sequence-number-selection.patch;h=05b9167d68ecde1e6088f58c55e2906b768420ed;hb=HEAD

Looking forward to the next -stable release. ;)

Best regards,

                                 Krzysztof Olędzki

Received on 2007/10/20 19:23

This archive was generated by hypermail 2.2.0 : 2007/11/04 19:21 CET