Hi Willy
2015-09-29 13:59 GMT+02:00 Willy Tarreau <[email protected]>:
> Hi Joris,
>
> On Tue, Sep 29, 2015 at 08:56:54AM +0200, joris dedieu wrote:
>> > - TCP actions: "silent-drop". Finally it got merged as the actions
>> > registration mechanism made it a no-brainer. It works like a deny
>> > except
>> > that it tries to prevent the TCP RST from reaching the client, so
>> > that's
>> > quite efficient against certain bots and scripts as their connections
>> > remain established on their side only. It works on Linux and could
>> > possibly work on other systems (not tested).
>>
>> I can confirm that silent-drop is not working as expected on FreeBSD
>>
>> listen drop
>> bind 80.247.233.40:22222
>> tcp-request connection silent-drop
>>
>> 08:31:31.324885 IP 82.236.20.129.60620 > 80.247.233.40.22222: Flags
>> [S], seq 1048805770, win 29200, options [mss 1460,sackOK,TS val
>> 14874937 ecr 0,nop,wscale 7], length 0
>> 08:31:31.324903 IP 80.247.233.40.22222 > 82.236.20.129.60620: Flags
>> [S.], seq 510555620, ack 1048805771, win 65535, options [mss
>> 1460,nop,wscale 6,sackOK,TS val 1100790208 ecr 14874937], length 0
>> 08:31:31.367359 IP 82.236.20.129.60620 > 80.247.233.40.22222: Flags
>> [.], ack 1, win 229, options [nop,nop,TS val 14874946 ecr 1100790208],
>> length 0
>> 08:31:31.367425 IP 80.247.233.40.22222 > 82.236.20.129.60620: Flags
>> [F.], seq 1, ack 1, win 1040, options [nop,nop,TS val 1100790250 ecr
>> 14874946], length 0
> (...)
>> [F.], seq 1, ack 1, win 1040, options [nop,nop,TS val 1100817450 ecr
>> 14874946], length 0
>> 08:32:22.886834 IP 82.236.20.129.60620 > 80.247.233.40.22222: Flags
>> [P.], seq 1:7, ack 1, win 229, options [nop,nop,TS val 14887826 ecr
>> 1100790208], length 6
>> 08:32:22.886850 IP 80.247.233.40.22222 > 82.236.20.129.60620: Flags
>> [R], seq 510555621, win 0, length 0
>
> Thanks for your feedback. The fact that the FIN is retranmsmitted like
> this tends to confirm that the TTL setting works. However I feel quite
> concerned about the fact that a FIN was emitted instead of a reset. I
> fear that SO_LINGER doesn't work as expected which is much more of a
> problem if that happens on the server side too when closing a server
> connection!
>
> Could you please run the same test under strace/truss/whatever you find
> equivalent on your platform ?
>
> I'd be interested in seeing each syscall status.
kevent(3,0x0,0,{},5,{1.000000000 }) = 0 (0x0)
kevent(3,0x0,0,{0x4,EVFILT_READ,0x0,0,0x1,0x0},5,{1.000000000 }) = 1 (0x1)
accept(4,{ AF_INET 80.247.233.242:48068 },0x7fffffffe804) = 5 (0x5)
fcntl(5,F_SETFL,O_NONBLOCK) = 0 (0x0)
recvfrom(5,0x801407000,16384,0x20080,0x0,0x0) ERR#35 'Resource
temporarily unavailable'
setsockopt(0x5,0x0,0x4,0x48668c,0x4,0x0) = 0 (0x0)
setsockopt(0x5,0x6,0x1,0x48668c,0x4,0x0) = 0 (0x0)
accept(4,0x7fffffffe808,0x7fffffffe804) ERR#35 'Resource
temporarily unavailable'
shutdown(5,SHUT_WR) = 0 (0x0)
close(5) = 0 (0x0)
Has you can see it doesn't looks great.
Joris
>
> Thanks,
> Willy
>
