Re: AW: transparent mode -> chksum incorrect

[matei marius]

 


haproxy -vv
HA-Proxy version 1.8.4-1deb90d 2018/02/08
Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = linux26
  CPU     = generic
  CC      = gcc
  CFLAGS  = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing 
-Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS = USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity("identity")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace

00000017:fe_frontend_pool_proxy_172_17_232_232_3128.accept(0005)=000d from 
[172.17.232.233:54117] ALPN=<none>
00000018:fe_frontend_pool_proxy_172_17_232_232_3128.accept(0005)=0027 from 
[172.17.232.233:54118] ALPN=<none>
00000017:bk_pool_proxy_172_17_232_232_3128.clicls[adfd:adfd]
00000017:bk_pool_proxy_172_17_232_232_3128.closed[adfd:adfd]
00000018:bk_pool_proxy_172_17_232_232_3128.clicls[adfd:adfd]
00000018:bk_pool_proxy_172_17_232_232_3128.closed[adfd:adfd]
00000019:fe_frontend_pool_proxy_172_17_232_232_3128.accept(0005)=000d from 
[172.17.232.233:54119] ALPN=<none>
0000001a:fe_frontend_pool_proxy_172_17_232_232_3128.accept(0005)=0027 from 
[172.17.232.233:54120] ALPN=<none>


And the question remains.Why is not working from a client from the same IP 
class with 172.17.232.x. ?

thanks

--Marius


==============================================================

    On Thursday, March 22, 2018, 1:07:09 PM GMT+2, Mathias Weiersmüller 
<ma...@weiersmueller.com> wrote:  
 
 Hi Marius,

your NIC is probably doing the TCP checksum calculation (called « TCP 
offloading»). The TCP/IP stacks therefore sends all outbound TCP packets with 
the same dummy checksum (in your case: 0x2a21) to the NIC driver. This saves 
some CPU cycles.

Check your TCP offloading settings using:
/sbin/ethtool -k eth0

Disable TCP Offloading using:
sudo /sbin/ethtool -K eth0 tx off rx off

In other words: You have no problem, it's just tcpdump which thinks there is a 
TCP checksum problem. If you want to work around this, use the following 
tcpdump option:
-K
      --dont-verify-checksums
              Don't attempt to verify IP, TCP, or UDP checksums.  This is 
useful for interfaces that perform some or all
              of those checksum calculation in hardware; otherwise, all 
outgoing TCP checksums will be flagged as bad.

Cheers

Mathias

==============================================================

Von: matei marius <mat.mar...@yahoo.com> 
Gesendet: Donnerstag, 22. März 2018 11:50
An: HAproxy Mailing Lists <haproxy@formilux.org>
Betreff: transparent mode -> chksum incorrect


Hello
I'm  trying to configure haproxy in transparent mode using the configuration 
below:

The backend servers have as default gateway the haproxy IP (172.17.232.232)

frontend fe_frontend_pool_proxy_3128
        timeout client 30m
        mode tcp
        bind 172.17.232.232:3128 transparent
        default_backend bk_pool_proxy_3128

backend bk_pool_proxy_3128
        timeout server 30m
        timeout connect 5s
        mode tcp
        balance leastconn
        default-server inter 5s fall 3 rise 2 on-marked-down shutdown-sessions
        source 0.0.0.0 usesrc clientip
        server sibipd-wcg1 172.17.232.229:3128 check port 3128 inter 3s rise 3 
fall 3
        server romapd-wcg2 172.17.32.80:3128 check port 3128 backup inter 3s 
rise 3 fall 3 weight 10 source 0.0.0.0
        option redispatch

I have these iptables rules on the HAProxy server
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 111
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 111 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
    

This setup is working perfectly from any IP class other than 172.17.232.x.
        
When I try to access the service from the same IP class with haproxy I see the 
packets having incorrect checksum .

tcpdump -i eth0 -n  host 172.17.232.229 and host 172.17.232.233 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 
bytes


12:37:21.741935 IP (tos 0x0, ttl 64, id 63601, offset 0, flags [DF], proto TCP 
(6), length 60)
    172.17.232.233.34012 > 172.17.232.229.3128: Flags [S], cksum 0x2a21 
(incorrect -> 0xf5a2), seq 111508051, win 29200, options [mss 1460,sackOK,TS 
val 573276706 ecr 0,nop,wscale 7], length 0
12:37:21.743005 IP (tos 0x0, ttl 64, id 53770, offset 0, flags [DF], proto TCP 
(6), length 60)
    172.17.232.233.34014 > 172.17.232.229.3128: Flags [S], cksum 0x2a21 
(incorrect -> 0xdbe0), seq 1250971688, win 29200, options [mss 1460,sackOK,TS 
val 573276706 ecr 0,nop,wscale 7], length 0

What am I doing wrong?    
    
Thanks
Marius