haproxy -vv
HA-Proxy version 1.8.4-1deb90d 2018/02/08
Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>
Build options :
TARGET = linux26
CPU = generic
CC = gcc
CFLAGS = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing
-Wdeclaration-after-statement -fwrapv -Wno-unused-label
OPTIONS = USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity("identity")
Built with network namespace support.
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
00000017:fe_frontend_pool_proxy_172_17_232_232_3128.accept(0005)=000d from
[172.17.232.233:54117] ALPN=<none>
00000018:fe_frontend_pool_proxy_172_17_232_232_3128.accept(0005)=0027 from
[172.17.232.233:54118] ALPN=<none>
00000017:bk_pool_proxy_172_17_232_232_3128.clicls[adfd:adfd]
00000017:bk_pool_proxy_172_17_232_232_3128.closed[adfd:adfd]
00000018:bk_pool_proxy_172_17_232_232_3128.clicls[adfd:adfd]
00000018:bk_pool_proxy_172_17_232_232_3128.closed[adfd:adfd]
00000019:fe_frontend_pool_proxy_172_17_232_232_3128.accept(0005)=000d from
[172.17.232.233:54119] ALPN=<none>
0000001a:fe_frontend_pool_proxy_172_17_232_232_3128.accept(0005)=0027 from
[172.17.232.233:54120] ALPN=<none>
And the question remains: why is it not working from a client in the same IP
class (172.17.232.x)?
thanks
--Marius
==============================================================
On Thursday, March 22, 2018, 1:07:09 PM GMT+2, Mathias Weiersmüller
<ma...@weiersmueller.com> wrote:
Hi Marius,
your NIC is probably doing the TCP checksum calculation (called "TCP
offloading"). The TCP/IP stack therefore sends all outbound TCP packets with
the same dummy checksum (in your case: 0x2a21) to the NIC driver. This saves
some CPU cycles.
Check your TCP offloading settings using:
/sbin/ethtool -k eth0
Disable TCP Offloading using:
sudo /sbin/ethtool -K eth0 tx off rx off
In other words: You have no problem, it's just tcpdump which thinks there is a
TCP checksum problem. If you want to work around this, use the following
tcpdump option:
-K
--dont-verify-checksums
Don't attempt to verify IP, TCP, or UDP checksums. This is
useful for interfaces that perform some or all
of those checksum calculation in hardware; otherwise, all
outgoing TCP checksums will be flagged as bad.
Cheers
Mathias
==============================================================
From: matei marius <mat.mar...@yahoo.com>
Sent: Thursday, 22 March 2018 11:50
To: HAproxy Mailing Lists <haproxy@formilux.org>
Subject: transparent mode -> chksum incorrect
Hello
I'm trying to configure haproxy in transparent mode using the configuration
below:
The backend servers have as default gateway the haproxy IP (172.17.232.232)
frontend fe_frontend_pool_proxy_3128
    timeout client 30m
    mode tcp
    bind 172.17.232.232:3128 transparent
    default_backend bk_pool_proxy_3128
backend bk_pool_proxy_3128
    timeout server 30m
    timeout connect 5s
    mode tcp
    balance leastconn
    default-server inter 5s fall 3 rise 2 on-marked-down shutdown-sessions
    source 0.0.0.0 usesrc clientip
    server sibipd-wcg1 172.17.232.229:3128 check port 3128 inter 3s rise 3 fall 3
    server romapd-wcg2 172.17.32.80:3128 check port 3128 backup inter 3s rise 3 fall 3 weight 10 source 0.0.0.0
    option redispatch
I have these iptables rules on the HAProxy server
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 111
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 111 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
This setup is working perfectly from any IP class other than 172.17.232.x.
When I try to access the service from the same IP class as haproxy I see the
packets having an incorrect checksum.
tcpdump -i eth0 -n host 172.17.232.229 and host 172.17.232.233 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144
bytes
12:37:21.741935 IP (tos 0x0, ttl 64, id 63601, offset 0, flags [DF], proto TCP
(6), length 60)
172.17.232.233.34012 > 172.17.232.229.3128: Flags [S], cksum 0x2a21
(incorrect -> 0xf5a2), seq 111508051, win 29200, options [mss 1460,sackOK,TS
val 573276706 ecr 0,nop,wscale 7], length 0
12:37:21.743005 IP (tos 0x0, ttl 64, id 53770, offset 0, flags [DF], proto TCP
(6), length 60)
172.17.232.233.34014 > 172.17.232.229.3128: Flags [S], cksum 0x2a21
(incorrect -> 0xdbe0), seq 1250971688, win 29200, options [mss 1460,sackOK,TS
val 573276706 ecr 0,nop,wscale 7], length 0
What am I doing wrong?
Thanks
Marius
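Added example (not part of the original thread): a check of the checksum-offload explanation against the two SYN lines in the tcpdump output above. It rebuilds each 40-byte SYN from the fields tcpdump printed and assumes the Linux behaviour of leaving the folded pseudo-header sum in the checksum field for the NIC to complete; all function names are illustrative.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum, folded but not inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    # src addr, dst addr, zero byte, protocol 6 (TCP), TCP segment length
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def syn_segment(sport: int, seq: int, tsval: int) -> bytes:
    """Rebuild the SYN tcpdump printed: win 29200, mss 1460, sackOK, TS, nop, wscale 7."""
    header = struct.pack("!HHIIBBHHH", sport, 3128, seq, 0, 10 << 4, 0x02, 29200, 0, 0)
    options = struct.pack("!BBH BB BBII B BBB", 2, 4, 1460, 4, 2, 8, 10, tsval, 0, 1, 3, 3, 7)
    return header + options  # 40 bytes, checksum field zeroed

def offload_placeholder(src: str, dst: str, segment: bytes) -> int:
    """Partial sum left in the checksum field when the NIC completes it (assumed Linux behaviour)."""
    return ones_sum(pseudo_header(src, dst, len(segment)))

def full_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum the receiver expects: inverted sum over pseudo-header plus segment."""
    return ~ones_sum(pseudo_header(src, dst, len(segment)) + segment) & 0xFFFF

def classify(src: str, dst: str, segment: bytes, captured: int) -> str:
    if captured == full_checksum(src, dst, segment):
        return "valid"
    if captured == offload_placeholder(src, dst, segment):
        return "offload-artifact"  # capture taken before the NIC filled in the checksum
    return "corrupt"

SRC, DST = "172.17.232.233", "172.17.232.229"  # from the tcpdump lines in the thread
SYN1 = syn_segment(34012, 111508051, 573276706)
SYN2 = syn_segment(34014, 1250971688, 573276706)

if __name__ == "__main__":
    for seg in (SYN1, SYN2):
        print(hex(offload_placeholder(SRC, DST, seg)), hex(full_checksum(SRC, DST, seg)),
              classify(SRC, DST, seg, 0x2A21))
```

The placeholder depends only on the addresses, protocol and segment length, which is why both SYNs show the same 0x2a21 in the capture while tcpdump's expected values differ.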