Re: [ANNOUNCE] haproxy-1.6-dev6

[Willy Tarreau]

Hi Joris,

On Tue, Sep 29, 2015 at 08:56:54AM +0200, joris dedieu wrote:
> >   - TCP actions: "silent-drop". Finally it got merged as the actions
> >     registration mechanism made it a no-brainer. It works like a deny except
> >     that it tries to prevent the TCP RST from reaching the client, so that's
> >     quite efficient against certain bots and scripts as their connections
> >     remain established on their side only. It works on Linux and could
> >     possibly work on other systems (not tested).
> 
> I can confirm that silent-drop is not working as expected on FreeBSD
> 
> listen drop
>         bind 80.247.233.40:22222
>         tcp-request connection silent-drop
> 
> 08:31:31.324885 IP 82.236.20.129.60620 > 80.247.233.40.22222: Flags
> [S], seq 1048805770, win 29200, options [mss 1460,sackOK,TS val
> 14874937 ecr 0,nop,wscale 7], length 0
> 08:31:31.324903 IP 80.247.233.40.22222 > 82.236.20.129.60620: Flags
> [S.], seq 510555620, ack 1048805771, win 65535, options [mss
> 1460,nop,wscale 6,sackOK,TS val 1100790208 ecr 14874937], length 0
> 08:31:31.367359 IP 82.236.20.129.60620 > 80.247.233.40.22222: Flags
> [.], ack 1, win 229, options [nop,nop,TS val 14874946 ecr 1100790208],
> length 0
> 08:31:31.367425 IP 80.247.233.40.22222 > 82.236.20.129.60620: Flags
> [F.], seq 1, ack 1, win 1040, options [nop,nop,TS val 1100790250 ecr
> 14874946], length 0
(...)
> [F.], seq 1, ack 1, win 1040, options [nop,nop,TS val 1100817450 ecr
> 14874946], length 0
> 08:32:22.886834 IP 82.236.20.129.60620 > 80.247.233.40.22222: Flags
> [P.], seq 1:7, ack 1, win 229, options [nop,nop,TS val 14887826 ecr
> 1100790208], length 6
> 08:32:22.886850 IP 80.247.233.40.22222 > 82.236.20.129.60620: Flags
> [R], seq 510555621, win 0, length 0

Thanks for your feedback. The fact that the FIN is retranmsmitted like
this tends to confirm that the TTL setting works. However I feel quite
concerned about the fact that a FIN was emitted instead of a reset. I
fear that SO_LINGER doesn't work as expected which is much more of a
problem if that happens on the server side too when closing a server
connection!

Could you please run the same test under strace/truss/whatever you find
equivalent on your platform ?

I'd be interested in seeing each syscall status.

Thanks,
Willy