I’m having an issue where clients fail to connect to a static port from outside my local networks, and it appears when I dig into the problem that conntrack isn’t understanding what is happening in these cases and either dropping or resetting the connection, depending on the topology between the client and host, I guess.

My network setup is kind of exotic, but I turned off my OpenStack setup running with multiple network namespaces, and now I’m down to a bridge with a bunch of physical NICs, one of which is connected to the internet, and a virtual NIC on the bridge that the host uses as the primary interface:

```
❯ uname -a
```

I measured through the bridge described in my config. In the following dumps, app-proxy is its Envoy sidecar, and app-host is veth0 as described in my interface config.

```
tcp 6 10 CLOSE src=client dst=app-host sport=55264 dport=443 src=app-proxy dst=client sport=443 dport=55264
```

```
tcp 6 src=app-host dst=client sport=443 dport=55264 src=client dst=app-host sport=55264 dport=407
tcp 6 300 ESTABLISHED src=app-host dst=client sport=443 dport=55264 src=client dst=app-host sport=55264 dport=407
tcp 6 432000 ESTABLISHED src=client dst=app-host sport=55264 dport=443 src=app-proxy dst=client sport=443 dport=55264
tcp 6 60 SYN_RECV src=client dst=app-host sport=55264 dport=443 src=app-proxy dst=client sport=443 dport=55264
tcp 6 120 SYN_SENT src=client dst=app-host sport=55264 dport=443 src=app-proxy dst=client sport=443 dport=55264
tcp 6 120 TIME_WAIT src=client dst=app-host sport=54600 dport=443 src=app-proxy dst=client sport=443 dport=54600
tcp 6 30 LAST_ACK src=client dst=app-host sport=54600 dport=443 src=app-proxy dst=client sport=443 dport=54600
tcp 6 120 FIN_WAIT src=client dst=app-host sport=54600 dport=443 src=app-proxy dst=client sport=443 dport=54600
tcp 6 432000 ESTABLISHED src=client dst=app-host sport=54600 dport=443 src=app-proxy dst=client sport=443 dport=54600
tcp 6 60 SYN_RECV src=client dst=app-host sport=54600 dport=443 src=app-proxy dst=client sport=443 dport=54600
tcp 6 120 SYN_SENT src=client dst=app-host sport=54600 dport=443 src=app-proxy dst=client sport=443 dport=54600
tcp 6 300 ESTABLISHED src=app-host dst=client sport=443 dport=57601 src=client dst=app-host sport=57601 dport=233
tcp 6 432000 ESTABLISHED src=client dst=app-host sport=57601 dport=443 src=app-proxy dst=client sport=443 dport=57601
tcp 6 300 ESTABLISHED src=app-host dst=client sport=443 dport=57600 src=client dst=app-host sport=57600 dport=220
tcp 6 432000 ESTABLISHED src=client dst=app-host sport=57600 dport=443 src=app-proxy dst=client sport=443 dport=57600
tcp 6 60 SYN_RECV src=client dst=app-host sport=57601 dport=443 src=app-proxy dst=client sport=443 dport=57601
tcp 6 120 SYN_SENT src=client dst=app-host sport=57601 dport=443 src=app-proxy dst=client sport=443 dport=57601
```

```
tcp 6 60 SYN_RECV src=client dst=app-host sport=57600 dport=443 src=app-proxy dst=client sport=443 dport=57600
tcp 6 120 SYN_SENT src=client dst=app-host sport=57600 dport=443 src=app-proxy dst=client sport=443 dport=57600
```

```
tcp 6 120 TIME_WAIT src=client dst=app-host sport=54616 dport=443 src=app-proxy dst=client sport=443 dport=54616
tcp 6 30 LAST_ACK src=client dst=app-host sport=54616 dport=443 src=app-proxy dst=client sport=443 dport=54616
tcp 6 120 FIN_WAIT src=client dst=app-host sport=54616 dport=443 src=app-proxy dst=client sport=443 dport=54616
tcp 6 432000 ESTABLISHED src=client dst=app-host sport=54616 dport=443 src=app-proxy dst=client sport=443 dport=54616
tcp 6 60 SYN_RECV src=client dst=app-host sport=54616 dport=443 src=app-proxy dst=client sport=443 dport=54616
tcp 6 120 SYN_SENT src=client dst=app-host sport=54616 dport=443 src=app-proxy dst=client sport=443 dport=54616
```

```
Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents)
```

It is not a sporadic issue; I can reproduce it 100% of the time and have a way to test both cases.
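A diagnostic for the pattern visible in the dumps, added here as an example and not part of the original post: next to each DNATed flow whose reply side comes from app-proxy there is a second entry whose original direction is app-host:443 -> client, which is the un-translated reverse of the first entry rather than its reply tuple, so app-host's own reply packets were tracked as a new connection. The script parses conntrack records in that format and pairs such reverse entries with the NATed flow they belong to; the sample records are constructed, modelled on the dump, and the host names client/app-host/app-proxy are taken from it.

```python
import re

# One record from `conntrack -L` / `conntrack -E` (a leading event tag such as
# [NEW] is tolerated). Timeout and state are optional: DESTROY events lack them.
RECORD_RE = re.compile(
    r"^(?:\[\w+\]\s+)?\w+\s+\d+(?:\s+(?P<timeout>\d+)\s+(?P<state>[A-Z_]+))?\s+"
    r"src=(?P<osrc>\S+)\s+dst=(?P<odst>\S+)\s+sport=(?P<osport>\d+)\s+dport=(?P<odport>\d+)"
    r"(?:\s+\[UNREPLIED\])?\s+"
    r"src=(?P<rsrc>\S+)\s+dst=(?P<rdst>\S+)\s+sport=(?P<rsport>\d+)\s+dport=(?P<rdport>\d+)")

def parse_record(line):
    """Original and reply tuples as (src, sport, dst, dport); None if not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {"state": g["state"],
            "timeout": int(g["timeout"]) if g["timeout"] else None,
            "orig": (g["osrc"], int(g["osport"]), g["odst"], int(g["odport"])),
            "reply": (g["rsrc"], int(g["rsport"]), g["rdst"], int(g["rdport"]))}

def mirror(t):
    """The reply tuple a flow would have if no NAT were applied to it."""
    src, sport, dst, dport = t
    return (dst, dport, src, sport)

def find_reverse_pickups(lines):
    """Map each entry whose original direction is the un-translated reverse of a
    NATed flow to that flow: the server's replies missed the NAT entry's reply
    tuple and conntrack picked them up as a brand-new connection."""
    entries = [e for e in map(parse_record, lines) if e]
    # NATed flows (reply tuple differs from the plain mirror), keyed by the reverse of orig
    nat_by_reverse = {mirror(e["orig"]): e for e in entries if e["reply"] != mirror(e["orig"])}
    pickups = {}
    for e in entries:  # first state seen per reverse tuple wins
        nat = nat_by_reverse.get(e["orig"])
        if nat is not None and e["orig"] not in pickups:
            pickups[e["orig"]] = (nat["orig"], e["state"], e["timeout"])
    return pickups

# Constructed sample modelled on the dump above: a DNATed flow whose replies come
# from app-proxy, the reverse entry created for app-host's own replies, an
# unreplied SYN, a DESTROY event for the reverse entry, and a plain un-NATed flow.
SAMPLE = """\
tcp 6 432000 ESTABLISHED src=client dst=app-host sport=55264 dport=443 src=app-proxy dst=client sport=443 dport=55264
tcp 6 300 ESTABLISHED src=app-host dst=client sport=443 dport=55264 src=client dst=app-host sport=55264 dport=443
tcp 6 120 SYN_SENT src=client dst=app-host sport=54600 dport=443 [UNREPLIED] src=app-proxy dst=client sport=443 dport=54600
tcp 6 src=app-host dst=client sport=443 dport=55264 src=client dst=app-host sport=55264 dport=443
tcp 6 432000 ESTABLISHED src=client dst=app-host sport=40000 dport=22 src=app-host dst=client sport=22 dport=40000
""".splitlines()
```

Run it over `conntrack -L` or `conntrack -E` output captured on the bridge host; an un-NATed flow (plain mirror reply tuple) never appears in the result, while every reverse pickup is listed once with the state and timeout of the first record seen for it.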