Simulating network problems on Linux

Hi everyone, my name is Sasha, I lead backend testing at FunCorp. Like many others, we have adopted a service-oriented architecture. On the one hand this simplifies the work, because each service is easier to test on its own; on the other hand, the interaction between services has to be tested too, and that interaction almost always happens over the network.

In this article I will talk about two utilities that can be used to check the basic scenarios describing how an application behaves when the network is misbehaving.

Simulating network problems

Software is usually tested on test servers with a good network connection. In harsh production environments things are not so smooth, so sometimes you need to test programs under poor connectivity. On Linux, the tc utility helps to simulate such conditions.

tc (short for Traffic Control) lets you configure how network packets are transmitted by the system. The utility has many capabilities; you can read more about them in its documentation. Here I will consider only a few of them: we are interested in traffic scheduling, for which qdisc is used, and since we need to emulate an unstable network we will use the classless qdisc netem.

Let's start an echo server on the server side (I used nmap-ncat):

ncat -l 127.0.0.1 12345 -k -c 'xargs -n1 -i echo "Response: {}"'

To show in detail the timestamps of every step of the interaction between the client and the server, I wrote a simple Python script that sends the request Test to our echo server.

Client source code

#!/usr/bin/env python3

import socket
import time

HOST = '127.0.0.1'
PORT = 12345
BUFFER_SIZE = 1024
MESSAGE = b"Test\n"  # the trailing newline ends the line for the xargs-based echo server

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
t1 = time.time()
print("[time before connection: %.5f]" % t1)
s.connect((HOST, PORT))          # three-way handshake happens here
print("[time after connection, before sending: %.5f]" % time.time())
s.sendall(MESSAGE)               # PSH/ACK with the 5-byte request
print("[time after sending, before receiving: %.5f]" % time.time())
data = s.recv(BUFFER_SIZE)       # blocks until the echo server answers
print("[time after receiving, before closing: %.5f]" % time.time())
s.close()                        # FIN/ACK exchange
t2 = time.time()
print("[time after closing: %.5f]" % t2)
print("[total duration: %.5f]" % (t2 - t1))

print(data.decode())

Let's run it and look at the traffic on the lo interface and port 12345:

[user@host ~]# python client.py
[time before connection: 1578652979.44837]
[time after connection, before sending: 1578652979.44889]
[time after sending, before receiving: 1578652979.44894]
[time after receiving, before closing: 1578652979.45922]
[time after closing: 1578652979.45928]
[total duration: 0.01091]
Response: Test

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:59.448601 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [S], seq 3383332866, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 0,nop,wscale 7], length 0
10:42:59.448612 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [S.], seq 2584700178, ack 3383332867, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 606325685,nop,wscale 7], length 0
10:42:59.448622 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.448923 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 5
10:42:59.448930 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [.], ack 6, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.459118 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 606325696 ecr 606325685], length 14
10:42:59.459213 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.459268 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.460184 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 606325697 ecr 606325696], length 0
10:42:59.460196 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 606325697 ecr 606325697], length 0

Everything here is standard: a three-way handshake, then PSH/ACK and ACK twice (the request and the response exchanged between the client and the server), and finally FIN/ACK and ACK twice, closing the connection.

Packet delay

Now let's set the delay to 500 milliseconds:

tc qdisc add dev lo root netem delay 500ms

We start the client and see that the script now takes 2 seconds to run:

[user@host ~]# ./client.py
[time before connection: 1578662612.71044]
[time after connection, before sending: 1578662613.71059]
[time after sending, before receiving: 1578662613.71065]
[time after receiving, before closing: 1578662614.72011]
[time after closing: 1578662614.72019]
[total duration: 2.00974]
Response: Test

What does the traffic look like? Let's see:

Traffic dump

13:23:33.210520 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [S], seq 1720950927, win 43690, options [mss 65495,sackOK,TS val 615958947 ecr 0,nop,wscale 7], length 0
13:23:33.710554 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [S.], seq 1801168125, ack 1720950928, win 43690, options [mss 65495,sackOK,TS val 615959447 ecr 615958947,nop,wscale 7], length 0
13:23:34.210590 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 0
13:23:34.210657 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 5
13:23:34.710680 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [.], ack 6, win 342, options [nop,nop,TS val 615960447 ecr 615959947], length 0
13:23:34.719371 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 615960456 ecr 615959947], length 14
13:23:35.220106 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.220188 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.720994 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 615961457 ecr 615960957], length 0
13:23:36.221025 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 615961957 ecr 615961457], length 0

You can see that the expected lag of half a second appeared in the exchange between the client and the server. The system behaves much more interestingly when the lag is larger: the kernel starts to retransmit some TCP packets. Let's change the delay to 1 second and look at the traffic (I won't show the client output; the total duration is the expected 4 seconds):

tc qdisc change dev lo root netem delay 1s

Traffic dump

13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616292946 ecr 0,nop,wscale 7], length 0
13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616293946 ecr 616292946,nop,wscale 7], length 0
13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616293948 ecr 0,nop,wscale 7], length 0
13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616294946 ecr 616293946], length 0
13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 616294947 ecr 616293946], length 5
13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616294948 ecr 616292946,nop,wscale 7], length 0
13:29:10.710173 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [.], ack 6, win 342, options [nop,nop,TS val 616295947 ecr 616294947], length 0
13:29:10.711140 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616295948 ecr 616293946], length 0
13:29:10.714782 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 616295951 ecr 616294947], length 14
13:29:11.714819 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:11.714893 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:12.715562 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 616297952 ecr 616296951], length 0
13:29:13.715596 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 616298952 ecr 616297952], length 0

It can be seen that the client sent its SYN packet twice, and the server sent its SYN/ACK twice.

Besides a constant value, the delay can be given a deviation, a distribution function, and a correlation (with the value chosen for the previous packet). This is done like this:

tc qdisc change dev lo root netem delay 500ms 400ms 50 distribution normal

Here we set the delay to between 100 and 900 milliseconds; the values are drawn from a normal distribution and have a 50% correlation with the delay chosen for the previous packet.

You may have noticed that in the first command I used add, and afterwards change. The meaning of these commands is obvious, so I will only add that there is also del, which can be used to remove the configuration.

Packet loss

Now let's try packet loss. As the documentation shows, this can be done in three ways: drop packets at random with some probability, use a Markov chain with 2, 3 or 4 states to decide which packets are lost, or use the Gilbert-Elliott model. In this article I will consider the first (simplest and most obvious) method; you can read about the others in the netem documentation.

Let's lose 50% of packets with a correlation of 25%:

tc qdisc add dev lo root netem loss 50% 25%

Unfortunately, tcpdump cannot show us the packet loss explicitly; we can only infer that it is really happening. What confirms it is the longer and unstable runtime of client.py (it can finish instantly, or take as long as 20 seconds), as well as the growing number of retransmitted segments:

[user@host ~]# netstat -s | grep retransmited; sleep 10; netstat -s | grep retransmited
    17147 segments retransmited
    17185 segments retransmited

Adding noise to packets

Besides packet loss, you can simulate packet corruption: noise is introduced at a random position in the packet. Let's corrupt packets with a 50% probability and no correlation:

tc qdisc change dev lo root netem corrupt 50%

We run the client script (nothing interesting in its output, except that it took 2 seconds to finish) and look at the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:20:54.812434 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [S], seq 2023663770, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 0,nop,wscale 7], length 0
10:20:54.812449 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [S.], seq 2104268044, ack 2023663771, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 1037001049,nop,wscale 7], length 0
10:20:54.812458 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 0
10:20:54.812509 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 5
10:20:55.013093 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001250 ecr 1037001049], length 5
10:20:55.013122 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [.], ack 6, win 342, options [nop,nop,TS val 1037001250 ecr 1037001250], length 0
10:20:55.014681 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 1037001251 ecr 1037001250], length 14
10:20:55.014745 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 15, win 340, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.014823 IP 127.0.0.1.43666 > 127.0.0.5.12345: Flags [F.], seq 2023663776, ack 2104268059, win 342, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.214088 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>
10:20:55.416087 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 1037001653 ecr 1037001251], length 0
10:20:55.416804 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:55.416818 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 343, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:56.147086 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0
10:20:56.147101 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0

It can be seen that some packets were sent repeatedly and that one packet has broken metadata: options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>. But the main thing is that in the end everything worked correctly: TCP did its job.

Packet duplication

What else can netem do? For example, simulate the opposite of packet loss: packet duplication. This command also takes 2 arguments: probability and correlation.

tc qdisc change dev lo root netem duplicate 50% 25%

Changing the order of packets

Packets can be reordered in two ways.

In the first, some packets are sent immediately and the rest with the specified delay. Example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50%

With a probability of 25% (and a correlation of 50%) a packet is sent immediately; the rest are sent with a delay of 10 milliseconds.

In the second way, every Nth packet is sent immediately with the given probability (and correlation), and the rest with the given delay. Example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50% gap 5

With a probability of 25%, every fifth packet is sent without delay.

Changing the bandwidth

Usually TBF is recommended everywhere for this, but netem can also change the interface bandwidth:

tc qdisc change dev lo root netem rate 56kbit

This command makes talking to localhost as painful as surfing the Internet over a dial-up modem. Besides setting the bitrate, you can also emulate the link-layer protocol model: set the per-packet overhead, the cell size, and the per-cell overhead. For example, this is how you can simulate ATM at a bitrate of 56 kbit/s:

tc qdisc change dev lo root netem rate 56kbit 0 48 5

Simulating a connection timeout

Another important item in a test plan for software acceptance is timeouts. This matters because in distributed systems, when one of the services goes down, the others must fail over in time or return an error to the client; under no circumstances should they simply hang waiting for a response or for a connection to be established.

There are several ways to achieve this: for example, use a mock that never answers, or attach a debugger to the process, put a breakpoint in the right place and freeze the process (probably the most perverse option). But one of the most obvious is to firewall ports or hosts. iptables will help us here.

For the demonstration we will firewall port 12345 and run our client script. You can firewall outgoing packets to this port on the sender or incoming packets on the receiver. In my examples incoming packets are firewalled (we use the INPUT chain and the --dport option). They can be DROPped, REJECTed, or REJECTed with a TCP RST flag or with an ICMP host unreachable (in fact the default is icmp-port-unreachable, and it is also possible to answer with icmp-net-unreachable, icmp-proto-unreachable, icmp-net-prohibited and icmp-host-prohibited).

DROP

With a DROP rule the packets simply "disappear".

iptables -A INPUT -p tcp --dport 12345 -j DROP

We start the client and see that it hangs at the stage of connecting to the server. Let's look at the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:28:20.213506 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203046450 ecr 0,nop,wscale 7], length 0
08:28:21.215086 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203047452 ecr 0,nop,wscale 7], length 0
08:28:23.219092 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203049456 ecr 0,nop,wscale 7], length 0
08:28:27.227087 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203053464 ecr 0,nop,wscale 7], length 0
08:28:35.235102 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203061472 ecr 0,nop,wscale 7], length 0

It can be seen that the client keeps sending SYN packets with an exponentially growing interval. So we have found a small bug in the client: it should use the settimeout() method to limit the time during which it tries to connect to the server.

Remove the rule right away:

iptables -D INPUT -p tcp --dport 12345 -j DROP

You can also delete all rules at once:

iptables -F

If you use Docker and need to firewall all traffic going to a container, you can do it like this:

iptables -I DOCKER-USER -p tcp -d CONTAINER_IP -j DROP

REJECT

Now let's add a similar rule, but with REJECT:

iptables -A INPUT -p tcp --dport 12345 -j REJECT

The client exits after a second with the error [Errno 111] Connection refused. Let's look at the ICMP traffic:

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:45:32.871414 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68
08:45:33.873097 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68

It can be seen that the client received port unreachable twice and then terminated with an error.

REJECT with tcp-reset

Let's try adding the --reject-with tcp-reset option:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

In this case the client exits with an error immediately, because its very first packet was answered with an RST:

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
09:02:52.766175 IP 127.0.0.1.60658 > 127.0.0.1.12345: Flags [S], seq 1889460883, win 43690, options [mss 65495,sackOK,TS val 1205119003 ecr 0,nop,wscale 7], length 0
09:02:52.766184 IP 127.0.0.1.12345 > 127.0.0.1.60658: Flags [R.], seq 0, ack 1889460884, win 0, length 0

REJECT with icmp-host-unreachable

Let's try another way of using REJECT:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-host-unreachable

The client exits after a second with the error [Errno 113] No route to host, and in the ICMP traffic we see ICMP host 127.0.0.1 unreachable.

You can try the other REJECT parameters yourself; I will stop at these :)

Request timeout

Another situation is when the client manages to connect to the server but cannot send it a request. How do we filter packets so that filtering does not start straight away? If you look at the traffic of any exchange between a client and a server, you will notice that while the connection is being established only the SYN and ACK flags are used, whereas when data is exchanged the last packet of a request carries the PSH flag. It is set automatically to avoid buffering. This can be used to build the filter: allow all packets except those carrying the PSH flag. The connection is then established, but the client is unable to send data to the server.

DROP

For DROP the command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j DROP

Start the client and look at the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:02:47.549498 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [S], seq 2166014137, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 0,nop,wscale 7], length 0
10:02:47.549510 IP 127.0.0.1.12345 > 127.0.0.1.49594: Flags [S.], seq 2341799088, ack 2166014138, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 1208713786,nop,wscale 7], length 0
10:02:47.549520 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 0
10:02:47.549568 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 5
10:02:47.750084 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713987 ecr 1208713786], length 5
10:02:47.951088 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714188 ecr 1208713786], length 5
10:02:48.354089 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714591 ecr 1208713786], length 5

We see that the connection is established but the client cannot send data to the server.
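The retransmissions that the dumps above (the 1-second delay, the packet-loss section where tcpdump cannot show the loss itself, the corruption dump, and this PSH DROP dump) let us infer by eye can also be counted mechanically. Here is an added example that is not part of the article: a small parser for the one-line tcpdump format used above, which flags a segment as retransmitted when the same direction, flags and sequence range appear a second time, ignores pure ACKs, tolerates the `[bad opt]>` line from the corruption dump (it has no `length` field), and measures how long the handshake took. The embedded samples are copied from the 1-second-delay dump and the PSH DROP dump above; the function names are my own.

```python
#!/usr/bin/env python3
"""Added example: find retransmitted TCP segments in `tcpdump -nn` output."""
import re

# One-line format of `tcpdump -i lo -nn port 12345` as printed in the article.
_LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
                   r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$")
_SEQ = re.compile(r"\bseq \d+(?::\d+)?")
_LEN = re.compile(r"\blength (\d+)")


def parse_line(line):
    """Parse one tcpdump line; banner lines give None. A line whose options were
    corrupted (the `[bad opt]>` line in the article) has no `length` field, so
    its length is recorded as None instead of the line being rejected."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    seq, ln = _SEQ.search(m.group("rest")), _LEN.search(m.group("rest"))
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": m.group("src"), "dst": m.group("dst"), "flags": m.group("flags"),
            "seq": seq.group(0) if seq else None,   # e.g. "seq 1:6"
            "length": int(ln.group(1)) if ln else None}


def segment_key(pkt):
    """Identity of a segment TCP must deliver (SYN, FIN or data-carrying).
    Pure ACKs (Flags [.], length 0) are never retransmissions and get no key."""
    if not (set("SFP") & set(pkt["flags"]) or (pkt["length"] or 0) > 0):
        return None
    return (pkt["src"], pkt["dst"], pkt["flags"], pkt["seq"])


def find_retransmissions(lines):
    """Return [(packet, seconds_since_previous_copy)] for every repeated segment."""
    last_seen, found = {}, []
    for pkt in filter(None, map(parse_line, lines)):
        key = segment_key(pkt)
        if key is None:
            continue
        if key in last_seen:
            found.append((pkt, pkt["t"] - last_seen[key]))
        last_seen[key] = pkt["t"]
    return found


def handshake_duration(lines):
    """Seconds from the first SYN to the client's ACK that completes the handshake."""
    t_syn, client = None, None
    for pkt in filter(None, map(parse_line, lines)):
        if t_syn is None and pkt["flags"] == "S":
            t_syn, client = pkt["t"], pkt["src"]
        elif t_syn is not None and pkt["src"] == client and pkt["flags"] == ".":
            return pkt["t"] - t_syn
    return None


# Samples copied from the article's dumps: 1 s netem delay, and DROP of PSH packets.
DELAY_1S_DUMP = """\
13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616292946 ecr 0,nop,wscale 7], length 0
13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616293946 ecr 616292946,nop,wscale 7], length 0
13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616293948 ecr 0,nop,wscale 7], length 0
13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616294946 ecr 616293946], length 0
13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 616294947 ecr 616293946], length 5
13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616294948 ecr 616292946,nop,wscale 7], length 0
13:29:10.710173 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [.], ack 6, win 342, options [nop,nop,TS val 616295947 ecr 616294947], length 0
13:29:10.711140 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616295948 ecr 616293946], length 0
13:29:10.714782 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 616295951 ecr 616294947], length 14
13:29:11.714819 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:11.714893 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:12.715562 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 616297952 ecr 616296951], length 0
13:29:13.715596 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 616298952 ecr 616297952], length 0
""".splitlines()

PSH_DROP_DUMP = """\
10:02:47.549498 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [S], seq 2166014137, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 0,nop,wscale 7], length 0
10:02:47.549510 IP 127.0.0.1.12345 > 127.0.0.1.49594: Flags [S.], seq 2341799088, ack 2166014138, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 1208713786,nop,wscale 7], length 0
10:02:47.549520 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 0
10:02:47.549568 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 5
10:02:47.750084 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713987 ecr 1208713786], length 5
10:02:47.951088 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714188 ecr 1208713786], length 5
10:02:48.354089 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714591 ecr 1208713786], length 5
""".splitlines()

# The corrupted line from the article's `corrupt 50%` dump.
BAD_OPT_LINE = "10:20:55.214088 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>"

if __name__ == "__main__":
    for name, dump in (("1s delay", DELAY_1S_DUMP), ("PSH dropped", PSH_DROP_DUMP)):
        print(name, "handshake %.3fs" % handshake_duration(dump))
        for pkt, gap in find_retransmissions(dump):
            print("  retransmit %s %s %s after %.3fs" % (pkt["src"], pkt["flags"], pkt["seq"], gap))
```

On the 1-second-delay dump this reports exactly the two retransmissions described above (the client's SYN and the server's SYN/ACK, each about a second after the original) and a 2-second handshake; on the PSH DROP dump it reports three copies of the same 5-byte request with the growing intervals visible in the timestamps. Feeding it a live `tcpdump -l -nn port 12345` stream turns the "we can only infer the loss" of the packet-loss section into a number.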

REJECT

In this case the behaviour is the same: the client cannot send the request, but it receives ICMP 127.0.0.1 tcp port 12345 unreachable and increases the interval between retransmissions of the request exponentially. The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT

REJECT with tcp-reset

The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT --reject-with tcp-reset

We already know that with --reject-with tcp-reset the client receives an RST packet in response, so the behaviour is predictable: receiving an RST on an established connection means the socket was unexpectedly closed on the other side, so the client should get Connection reset by peer. Let's run our script and confirm this. And here is what the traffic looks like.

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:22:14.186269 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [S], seq 2615137531, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 0,nop,wscale 7], length 0
10:22:14.186284 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [S.], seq 3999904809, ack 2615137532, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 1209880423,nop,wscale 7], length 0
10:22:14.186293 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 0
10:22:14.186338 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 5
10:22:14.186344 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [R], seq 3999904810, win 0, length 0

REJECT with icmp-host-unreachable

I think it is obvious to everyone by now what the command looks like :) The client's behaviour in this case differs slightly from a plain REJECT: the client does not increase the interval between its attempts to retransmit the packet.

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:29:56.149202 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.349107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.549117 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.750125 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.951130 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.152107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.353115 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65

Conclusion

It is not necessary to write a mock to test how a service interacts with a hanging client or server; sometimes it is enough to use the standard utilities available on Linux.

The utilities discussed in this article have far more capabilities than described, so you can come up with your own ways of using them. Personally, what I wrote about has always been enough for me (in fact, even less). If you use these or similar utilities for testing in your company, please write about how. If not, then I hope your software will get better if you decide to test it under network-problem conditions using the approaches suggested here.

Source: www.habr.com
