Problem some locations have with downloading images from the web
Vladimir Macek
macek at sandbox.cz
Thursday April 22 13:43:53 CEST 2010
On 21.4.2010 13:31, Vladimir Macek wrote:
> Log of exactly the same transaction on the host's external interface br0 (there
> are also bridged virtual machines on it):
> http://sandbox.cz/~tuttle/tmp/spatne-hostitel.txt Here it can be seen that
> fragmentation according to the MTU occurs.
And the fragmentation is not the only thing visible there. :( It is clear that the host
forgets to SNAT some of the packets leaving the virtual server! Tcpdump
on the external interface shows that this really does happen from time to time:
I.e. in the direction towards the client, within a single connection (same client
port), packets with src=87.236.197.188 and src=192.168.100.2
(the virtual server's internal address inside the host) alternate. That is a fatal error.
Does anyone know what to do about it? How to debug it?
Host:
# ifconfig
br0 Link encap:Ethernet HWaddr 00:15:17:18:1a:68
inet addr:87.236.197.188 Bcast:87.236.197.255 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:235206037 errors:0 dropped:0 overruns:0 frame:0
TX packets:259528789 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:90088706844 (83.9 GB) TX bytes:280274051197 (261.0 GB)
eth0 Link encap:Ethernet HWaddr 00:15:17:18:1a:68
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:321628278 errors:0 dropped:0 overruns:0 frame:0
TX packets:263566117 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:114755041862 (106.8 GB) TX bytes:284872907410 (265.3 GB)
Base address:0x2020 Memory:b8820000-b8840000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:83544 errors:0 dropped:0 overruns:0 frame:0
TX packets:83544 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:469567889 (447.8 MB) TX bytes:469567889 (447.8 MB)
virbr0 Link encap:Ethernet HWaddr 00:ff:46:8a:d9:88
inet addr:192.168.100.1 Bcast:192.168.100.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:256196574 errors:0 dropped:0 overruns:0 frame:0
TX packets:209914908 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:276062922697 (257.1 GB) TX bytes:90860956758 (84.6 GB)
virbr1 Link encap:Ethernet HWaddr 00:ff:84:41:f8:91
inet addr:192.168.101.1 Bcast:192.168.101.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3289579 errors:0 dropped:0 overruns:0 frame:0
TX packets:3146953 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:580044841 (553.1 MB) TX bytes:605125619 (577.0 MB)
virbr2 Link encap:Ethernet HWaddr 6a:e6:84:57:b1:7a
inet addr:192.168.102.1 Bcast:192.168.102.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
vnet0 Link encap:Ethernet HWaddr 00:ff:46:8a:d9:88
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:73987484 errors:0 dropped:0 overruns:0 frame:0
TX packets:62253711 errors:0 dropped:0 overruns:38 carrier:0
collisions:0 txqueuelen:500
RX bytes:77514410040 (72.1 GB) TX bytes:26886746066 (25.0 GB)
vnet1 Link encap:Ethernet HWaddr 00:ff:84:41:f8:91
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3289589 errors:0 dropped:0 overruns:0 frame:0
TX packets:4469949 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:626098035 (597.0 MB) TX bytes:673922821 (642.7 MB)
vnet2 Link encap:Ethernet HWaddr 00:ff:84:52:7a:c3
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4367873 errors:0 dropped:0 overruns:0 frame:0
TX packets:105903783 errors:0 dropped:0 overruns:508462 carrier:0
collisions:0 txqueuelen:500
RX bytes:3504145747 (3.2 GB) TX bytes:21280240577 (19.8 GB)
# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.001517181a68 no eth0
vnet2
virbr0 8000.00ff468ad988 yes vnet0
virbr1 8000.00ff8441f891 yes vnet1
virbr2 8000.000000000000 yes
# iptables -t nat -nvL (PREROUTING slightly censored)
Chain PREROUTING (policy ACCEPT 7349K packets, 635M bytes)
 pkts bytes target     prot opt in     out     source               destination
4036K  212M DNAT       tcp  --  *      *       0.0.0.0/0            87.236.197.188       to:192.168.100.2
12309 1602K DNAT       udp  --  *      *       0.0.0.0/0            87.236.197.188       to:192.168.100.2
42521 3550K DNAT       icmp --  *      *       0.0.0.0/0            87.236.197.188       to:192.168.100.2

Chain POSTROUTING (policy ACCEPT 4092K packets, 218M bytes)
 pkts bytes target     prot opt in     out     source               destination
1767K  120M MASQUERADE all  --  *      br0     192.168.0.0/16       0.0.0.0/0
    0     0 MASQUERADE all  --  *      eth0    192.168.0.0/16       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4631 packets, 297K bytes)
 pkts bytes target     prot opt in     out     source               destination
I added the second MASQUERADE rule today to verify that traffic cannot somehow
"leak" around br0 onto eth0. But even after another test from Milevsko the counter
is still zero, so that is not it. I have read that MASQUERADE is not very suitable for a
static IP address, but I doubt that is the cause.
Conntrack is not full, and even if it were, that would hardly affect the
middle of a connection.
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
531
--
\//\/\ : Vladimir Macek : http://macek.sandbox.cz : +420 608 978 164
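As an added illustration of the check the post describes (this is editor-written example code, not the author's tooling and not the linked capture): the script below parses tcpdump-style lines as seen on the host's external interface and flags any client flow in which packets carrying the guest's un-NATed internal address 192.168.100.2 appear alongside, or instead of, the host's public address 87.236.197.188. The sample lines, the client address 203.0.113.5 and the function names are constructed for this example.

```python
import re
from collections import defaultdict

PUBLIC_IP = "87.236.197.188"    # host's external address (from the post)
INTERNAL_IP = "192.168.100.2"   # guest's address that should never leave un-NATed (from the post)

# Constructed sample in tcpdump's default "src.port > dst.port" notation; NOT the
# author's capture. 203.0.113.5 is a documentation-range placeholder for the client.
SAMPLE_CAPTURE = """\
13:31:02.100001 IP 87.236.197.188.80 > 203.0.113.5.51234: Flags [S.], seq 1, ack 1, length 0
13:31:02.100500 IP 87.236.197.188.80 > 203.0.113.5.51234: Flags [.], ack 1, length 1448
13:31:02.100900 IP 192.168.100.2.80 > 203.0.113.5.51234: Flags [.], ack 1, length 1448
13:31:02.101300 IP 87.236.197.188.80 > 203.0.113.5.51234: Flags [P.], ack 1, length 512
13:31:05.200001 IP 87.236.197.188.443 > 203.0.113.5.51300: Flags [S.], seq 1, ack 1, length 0
13:31:05.200500 IP 87.236.197.188.443 > 203.0.113.5.51300: Flags [.], ack 1, length 1448
"""

# Matches "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>" for IPv4 TCP/UDP lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_capture(text):
    """Yield (ts, src, sport, dst, dport) for every parsable tcpdump line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def find_nat_leaks(text, internal_ips):
    """Group server->client packets by (client ip, client port, server port), which is
    the "same client port" view the post uses, and return {flow: [timestamps]} for
    every flow that carried at least one packet with an internal (un-NATed) source.
    A flow that mixes the public and the internal source is exactly the alternation
    described in the post; a flow with only internal sources is a leak as well."""
    flows = defaultdict(list)
    for ts, src, sport, dst, dport in parse_capture(text):
        flows[(dst, dport, sport)].append((ts, src))
    leaks = {}
    for flow, pkts in flows.items():
        leaked = [ts for ts, src in pkts if src in internal_ips]
        if leaked:
            leaks[flow] = leaked
    return leaks


def describe_leaks(leaks):
    """Render one human-readable line per leaking flow."""
    return [
        f"client {dst}:{dport} <- server port {sport}: {len(stamps)} un-NATed packet(s), first at {stamps[0]}"
        for (dst, dport, sport), stamps in sorted(leaks.items())
    ]


if __name__ == "__main__":
    # Feed a real capture with:  tcpdump -n -i br0 -l | python3 this_script.py
    # (here the constructed sample is used so the script runs offline)
    for line in describe_leaks(find_nat_leaks(SAMPLE_CAPTURE, {INTERNAL_IP})):
        print(line)
```

Keying flows on the client side rather than on the server source address is what makes the leak visible: the two source addresses would otherwise look like two unrelated connections.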