Beware of vulnerabilities that bring workarounds. Part 1: FragmentSmack/SegmentSmack

Hello everyone! My name is Dmitry Samsonov, and I work as a lead system administrator at Odnoklassniki. We have more than seven thousand physical servers, eleven thousand containers in our cloud and two hundred applications, which in various configurations form 7 different clusters. The vast majority of the servers run CentOS 7.
On August 14, 2018, information about the FragmentSmack (CVE-2018-5391) and SegmentSmack (CVE-2018-5390) vulnerabilities was published. Both have a network attack vector and a fairly high score (7.5), and both threaten denial of service (DoS) through resource exhaustion (CPU). A kernel fix for FragmentSmack was not offered at that time; moreover, it came out much later than the publication of the vulnerability. To eliminate SegmentSmack, a kernel update was proposed. The update package itself was released the same day; all that remained was to install it.
No, we are not against updating the kernel at all! However, there are nuances...

How we update the kernel in production

In general, nothing complicated:

  1. Download the packages;
  2. Install them on a number of servers (including the servers that host our cloud);
  3. Make sure nothing is broken;
  4. Make sure all the standard kernel settings are applied without errors;
  5. Wait a few days;
  6. Check server performance;
  7. Switch the deployment of new servers to the new kernel;
  8. Update all servers data center by data center (one data center at a time, to minimize the impact on users if there are problems);
  9. Reboot all servers.

Repeat for every kernel branch we have. At the moment these are:

  • Stock CentOS 7 3.10 - for most regular servers;
  • Vanilla 4.19 - for our one-cloud clouds, because we need BFQ, BBR, etc.;
  • Elrepo kernel-ml 5.2 - for heavily loaded distributors, because 4.19 used to behave unstably on them, but the same features are needed.

As you may have guessed, rebooting thousands of servers takes the longest. Since not all vulnerabilities are critical for all servers, we only reboot those that are directly reachable from the Internet. In the cloud, in order not to limit flexibility, we do not tie externally reachable containers to individual servers with the new kernel, but reboot all hosts without exception. Fortunately, the procedure there is simpler than for regular servers. For example, stateless containers can simply move to another server during a reboot.

Still, there is a lot of work, and it can take several weeks, and if there are problems with the new version, up to several months. Attackers understand this very well, so a plan B is needed.

FragmentSmack/SegmentSmack. Workaround

Fortunately, for some vulnerabilities such a plan B exists, and it is called a Workaround. Most often it is a change of kernel or application settings that minimizes the possible effect or completely rules out exploitation of the vulnerability.

In the case of FragmentSmack/SegmentSmack, this Workaround was proposed:

«You can change the defaults of 4MB and 3MB in net.ipv4.ipfrag_high_thresh and net.ipv4.ipfrag_low_thresh (and their ipv6 counterparts net.ipv6.ipfrag_high_thresh and net.ipv6.ipfrag_low_thresh) to 256 kB and 192 kB or lower. Tests show small to significant drops in CPU usage during an attack depending on hardware, settings, and conditions. However, there may be some performance impact due to ipfrag_high_thresh=262144 bytes, since only two 64K fragments can fit in the reassembly queue at a time. For example, there is a risk that applications working with large UDP packets will break.»

The parameters themselves are described in the kernel documentation as follows:

ipfrag_high_thresh - LONG INTEGER
    Maximum memory used to reassemble IP fragments.

ipfrag_low_thresh - LONG INTEGER
    Maximum memory used to reassemble IP fragments before the kernel
    begins to remove incomplete fragment queues to free up resources.
    The kernel still accepts new fragments for defragmentation.

We have no large UDP on production services. There is no fragmented traffic on the LAN; there is fragmented traffic on the WAN, but it is insignificant. No warning signs - you can roll out the Workaround!

FragmentSmack/SegmentSmack. First blood

The first problem we ran into was that cloud containers sometimes applied the new settings only partially (only ipfrag_low_thresh), and sometimes did not apply them at all - they simply crashed at start. It was impossible to reproduce the problem reliably (all settings were applied manually without any trouble). Understanding why a container crashes at start is not easy either: no errors were found. One thing was certain: rolling back the settings fixed the container crashes.

Why isn't it enough to apply the sysctl on the host? The container lives in its own dedicated network namespace, so at least some of the network sysctl parameters inside the container can differ from the host.

How exactly are sysctl settings applied in the container? Since our containers are unprivileged, you cannot change any sysctl setting from inside the container itself - you simply don't have enough rights. To run containers, our cloud at that time used Docker (now podman). The parameters of a new container were passed to Docker via the API, including the required sysctl settings.
While looking for a solution across versions, it turned out that the Docker API did not return all errors (at least in version 1.10). When we tried to start the container via "docker run", we finally saw something:

write /proc/sys/net/ipv4/ipfrag_high_thresh: invalid argument docker: Error response from daemon: Cannot start container <...>: [9] System error: could not synchronise with container process.

The parameter value is invalid. But why? And why only sometimes? It turned out that Docker does not guarantee the order in which sysctl parameters are applied (the latest version tested was 1.13.1), so sometimes ipfrag_high_thresh was set to 256K while ipfrag_low_thresh was still 3M, that is, the upper limit became lower than the lower limit, which leads to an error.

At that time we already had our own mechanism for additional configuration of a container after start (freezing the container through the freezer cgroup and executing commands in the container's namespace via ip netns), and we added writing the sysctl parameters to this step. The problem was solved.
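The ordering trap above bites any tool that writes these two sysctls itself. The following shell script is an added example, not code from the post or from Docker: it applies the two thresholds in an order that never leaves high_thresh below low_thresh, and it refuses an inverted write the way the kernel does. SYSCTL_DIR, the scratch-directory mode and the seeded 4M/3M values are assumptions for running it offline; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post or from Docker: write
# ipfrag_low_thresh / ipfrag_high_thresh in an order the kernel accepts.
# The kernel rejects (EINVAL, "invalid argument") any write that would leave
# high_thresh below low_thresh, which is what happened when Docker applied
# the two sysctls in arbitrary order.
#
# SYSCTL_DIR is an assumption for offline use: point it at a scratch
# directory holding files named like the /proc/sys/net/ipv4 entries.
# On a real host leave the default and run as root.
SYSCTL_DIR="${SYSCTL_DIR:-/proc/sys/net/ipv4}"

read_thresh() {          # read_thresh <name> -> prints the current value
    cat "$SYSCTL_DIR/$1"
}

# write_thresh <name> <value>: emulates the kernel's own range check so a
# scratch-directory run behaves like the real /proc write would.
write_thresh() {
    wt_name=$1; wt_value=$2
    case "$wt_name" in
        ipfrag_high_thresh)
            wt_low=$(read_thresh ipfrag_low_thresh)
            [ "$wt_value" -ge "$wt_low" ] || { echo "write $wt_name: invalid argument ($wt_value < low $wt_low)" >&2; return 1; } ;;
        ipfrag_low_thresh)
            wt_high=$(read_thresh ipfrag_high_thresh)
            [ "$wt_value" -le "$wt_high" ] || { echo "write $wt_name: invalid argument ($wt_value > high $wt_high)" >&2; return 1; } ;;
        *)  echo "unknown sysctl $wt_name" >&2; return 1 ;;
    esac
    printf '%s\n' "$wt_value" > "$SYSCTL_DIR/$wt_name"
}

# apply_ipfrag_thresh <high> <low>: pick the order so that every intermediate
# state keeps low <= high. Lowering both (the workaround case, 4M/3M ->
# 256K/192K) must write low first; raising both must write high first.
apply_ipfrag_thresh() {
    high=$1; low=$2
    [ "$high" -ge "$low" ] || { echo "high ($high) must be >= low ($low)" >&2; return 1; }
    cur_high=$(read_thresh ipfrag_high_thresh)
    if [ "$low" -le "$cur_high" ]; then
        write_thresh ipfrag_low_thresh "$low" && write_thresh ipfrag_high_thresh "$high"
    else
        write_thresh ipfrag_high_thresh "$high" && write_thresh ipfrag_low_thresh "$low"
    fi
}

# Demo on a scratch directory seeded with the 4M/3M defaults (constructed).
demo=$(mktemp -d)
printf '4194304\n' > "$demo/ipfrag_high_thresh"
printf '3145728\n' > "$demo/ipfrag_low_thresh"
SYSCTL_DIR=$demo
# Docker's unlucky order: high first while low is still 3M -> rejected.
write_thresh ipfrag_high_thresh 262144 || echo "naive order rejected, as Docker sometimes hit"
apply_ipfrag_thresh 262144 196608 && echo "safe order: high=$(read_thresh ipfrag_high_thresh) low=$(read_thresh ipfrag_low_thresh)"
rm -rf "$demo"
```

The same rule applies to the ipv6 pair from the advisory text: whichever side of the pair would be violated by the current value of the other must be written second.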

FragmentSmack/SegmentSmack. First blood 2

Before we had time to sort out the use of the Workaround in the cloud, the first rare complaints from users began to arrive. By then several weeks had passed since the Workaround was first applied on the first servers. The initial investigation showed that complaints concerned individual services, and not all servers of those services. The problem again became extremely vague.

First of all, we of course tried rolling back the sysctl settings, but that did not work. Various manipulations of server and application settings did not help either. A reboot helped. Rebooting Linux is as unnatural as it used to be normal for Windows in the old days. Nevertheless, it helped, and we wrote it off as a "kernel glitch" when applying the new sysctl settings. How foolish that was...

Three weeks later the problem returned. The configuration of these servers was quite simple: Nginx in proxy/balancer mode. Not much traffic. The new starting point: the number of 504 errors (Gateway Timeout) on clients grows every day. The graph shows the number of 504 errors per day for this service:

[Graph: number of 504 errors per day for this service]

All the errors are for the same backend - the one in the cloud. The graph of memory used by packet fragments on this backend looked like this:

[Graph: memory used by packet fragments on the backend]

This is one of the most obvious manifestations of the problem in the operating system graphs. In the cloud, at the same time, another network problem with QoS (Traffic Control) settings was being fixed. On the graph of memory used by packet fragments it looked exactly the same:

[Graph: memory used by packet fragments on the server with the QoS problem]

The assumption was simple: if they look the same on the graphs, they have the same cause. Moreover, problems with this kind of memory are extremely rare.

The essence of the fixed problem was that we used the fq packet scheduler with default settings in QoS. By default it allows 100 packets to be queued for one connection, and some connections, under channel shortage, began filling the queue to the limit. In that case packets are dropped. In the tc statistics (tc -s qdisc) it looks like this:

qdisc fq 2c6c: parent 1:2c6c limit 10000p flow_limit 100p buckets 1024 orphan_mask 1023 quantum 3028 initial_quantum 15140 refill_delay 40.0ms
 Sent 454701676345 bytes 491683359 pkt (dropped 464545, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  1024 flows (1021 inactive, 0 throttled)
  0 gc, 0 highprio, 0 throttled, 464545 flows_plimit

"464545 flows_plimit" is the number of packets dropped for exceeding the queue limit of a single connection, and "dropped 464545" is the total of all packets dropped by this scheduler. After increasing the queue length to 1 thousand and restarting the containers, the problem stopped occurring. You can sit back and drink a smoothie.
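To catch this condition before users do, the per-flow-limit drops can be pulled out of the same tc output. The script below is an added example, not from the post: it parses `tc -s qdisc` text and reports fq qdiscs whose flows_plimit counter is non-zero. The first qdisc in the sample is the output quoted above; the second qdisc, and the function names, are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find fq qdiscs whose drops come
# from the per-flow limit (flows_plimit), the symptom the post found in
# `tc -s qdisc`. The first qdisc in SAMPLE_TC is the output quoted in the
# post; the second is a constructed healthy one so the filter has something
# to skip. On a real host: tc -s qdisc | fq_plimit_hits
SAMPLE_TC='qdisc fq 2c6c: parent 1:2c6c limit 10000p flow_limit 100p buckets 1024 orphan_mask 1023 quantum 3028 initial_quantum 15140 refill_delay 40.0ms
 Sent 454701676345 bytes 491683359 pkt (dropped 464545, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  1024 flows (1021 inactive, 0 throttled)
  0 gc, 0 highprio, 0 throttled, 464545 flows_plimit
qdisc fq 8002: parent 1:8002 limit 10000p flow_limit 1000p buckets 1024 orphan_mask 1023 quantum 3028 initial_quantum 15140 refill_delay 40.0ms
 Sent 123456 bytes 1234 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  8 flows (7 inactive, 0 throttled)
  0 gc, 0 highprio, 0 throttled, 0 flows_plimit'

# fq_plimit_report: reads `tc -s qdisc` text on stdin and prints one line per
# fq qdisc: "<handle> flow_limit=<n> dropped=<n> flows_plimit=<n>".
fq_plimit_report() {
    awk '
        function emit() { if (h != "") print h " flow_limit=" fl " dropped=" dr " flows_plimit=" pl }
        /^qdisc / {
            emit(); h = ""
            if ($2 == "fq") {
                h = $3; fl = dr = pl = "?"
                for (i = 1; i <= NF; i++) if ($i == "flow_limit") fl = $(i + 1)
            }
        }
        h != "" && /dropped/ {
            for (i = 1; i <= NF; i++) if ($i == "(dropped") { dr = $(i + 1); sub(/,$/, "", dr) }
        }
        h != "" && /flows_plimit/ {
            for (i = 1; i <= NF; i++) if ($i == "flows_plimit") pl = $(i - 1)
        }
        END { emit() }
    '
}

# fq_plimit_hits: only the qdiscs that have actually dropped on the per-flow
# limit; these are the candidates for a larger flow_limit.
fq_plimit_hits() {
    fq_plimit_report | awk '{ split($4, a, "="); if (a[2] + 0 > 0) print }'
}

printf '%s\n' "$SAMPLE_TC" | fq_plimit_report
echo "--- qdiscs hitting the per-flow limit:"
printf '%s\n' "$SAMPLE_TC" | fq_plimit_hits
```

A qdisc listed by fq_plimit_hits is one whose flow_limit (the fq parameter printed on the first line of its statistics) is being reached; that parameter is the "queue length" the post raised to 1 thousand. Comparing flows_plimit with dropped also tells you whether the per-flow limit explains all of the scheduler's drops, as it did in the quoted output, or only part of them.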

FragmentSmack/SegmentSmack. Last blood

First, several months after the vulnerability was announced, a kernel fix for FragmentSmack finally appeared (let me remind you that together with the August announcement only the SegmentSmack fix was released), which gave us a chance to abandon the Workaround that had brought us so much trouble. By then we had already managed to migrate some of the servers to the new kernel, and now we had to start from the beginning. Why did we update the kernel without waiting for the FragmentSmack fix? The fact is that the process of protecting against these vulnerabilities coincided (and merged) with the process of updating CentOS itself (which takes even more time than updating only the kernel). Besides, SegmentSmack is the more dangerous vulnerability and its fix appeared immediately, so it made sense anyway. However, we could not simply update the kernel on CentOS, because the FragmentSmack vulnerability, which appeared during CentOS 7.5, was fixed only in version 7.6, so we had to stop the update to 7.5 and start all over again with 7.6. And this happens too.

Second, the rare user complaints about problems came back to us. Now we knew for certain that all of them were related to uploading files from clients to some of our servers. Moreover, only a very small share of all uploads went through these servers.

As we remember from the story above, rolling back sysctl did not help. A reboot helped, but only temporarily.
The suspicion of sysctl was not lifted, but this time it was necessary to collect as much information as possible. We also badly lacked a way to reproduce the upload problem on the client in order to study more precisely what was happening.

Analysis of all the available statistics and logs brought us no closer to understanding what was happening. There was an acute lack of a way to reproduce the problem in order to "feel" a specific connection. Finally the developers, using a special version of the application, achieved stable reproduction of the problems on a test device connected via Wi-Fi. This was a breakthrough in the investigation. The client connected to Nginx, which proxied to the backend, which was our Java application.

[Diagram: client -> Nginx proxy -> Java backend]

The problematic dialogue looked like this (captured on the Nginx proxy side):

  1. Client: request for information about uploading a file.
  2. Java server: response.
  3. Client: POST with the file.
  4. Java server: error.

At the same time, the Java server logs that 0 bytes of data were received from the client, and the Nginx proxy logs that the request took more than 30 seconds (30 seconds is the client application's timeout). Why a timeout, and why 0 bytes? From the HTTP point of view everything works as it should, but the POST with the file seems to vanish from the network. Moreover, it vanishes between the client and Nginx. Time to arm yourself with tcpdump! But first you need to understand the network setup. The Nginx proxy sits behind the L3 balancer NFware. Tunneling is used to deliver packets from the L3 balancer to the server, which adds its own headers to the packets:

[Diagram: packet with the tunnel headers added by the L3 balancer]

In this case the network reaches this server as Vlan-tagged traffic, which also adds its own fields to the packets:

[Diagram: packet with Vlan tag and tunnel headers]

And this traffic can also be fragmented (that same small percentage of incoming fragmented traffic we mentioned when assessing the risks of the Workaround), which changes the contents of the headers again:

[Diagram: fragmented packet with Vlan tag and tunnel headers]

Once again: the packets are encapsulated with a Vlan tag, encapsulated in a tunnel, and fragmented. To understand better how this happens, let's trace the path of a packet from the client to the Nginx proxy.

  1. The packet arrives at the L3 balancer. For correct routing inside the data center, the packet is encapsulated in a tunnel and sent to the network card.
  2. Since the packet plus tunnel headers does not fit into the MTU, the packet is cut into fragments and sent to the network.
  3. The switch after the L3 balancer, on receiving the packet, adds a Vlan tag to it and sends it on.
  4. The switch in front of the Nginx proxy sees (from the port settings) that the server expects a Vlan-encapsulated packet, so it sends it as is, without removing the Vlan tag.
  5. Linux takes the fragments of each packet and merges them into one large packet.
  6. Next, the packet reaches the Vlan interface, where the first layer is removed from it - the Vlan encapsulation.
  7. Linux then sends it to the Tunnel interface, where another layer is removed from it - the tunnel encapsulation.

The difficulty is expressing all of this as tcpdump parameters.
Let's start from the end: are there clean (without extra headers) IP packets from clients, with the vlan and tunnel encapsulation removed?

tcpdump host <client ip>

No, there were no such packets on the server. So the problem must be earlier. Are there packets with only the Vlan encapsulation removed?

tcpdump ip[32:4]=0xx390x2xx

0xx390x2xx is the client IP address in hex format.
32:4 - the offset and length of the field in which the SRC IP is written in the tunnel packet.

The field offset had to be found by brute force, since the Internet writes about 40, 44, 50, 54, but there was no IP address at any of them. You can also look at one of the packets in hex (the -xx or -XX option of tcpdump) and count your way to the IP address you know.

Are there packet fragments with the Vlan and tunnel encapsulation not yet removed?

tcpdump ((ip[6:2] > 0) and (not ip[6] = 64))

This filter shows us all fragments, including the last one. The same could probably be filtered by IP as well, but I did not try, because there are not that many such packets, and the ones I needed were easy to find in the general flow. Here they are:

14:02:58.471063 In 00:de:ff:1a:94:11 ethertype IPv4 (0x0800), length 1516: (tos 0x0, ttl 63, id 53652, offset 0, flags [+], proto IPIP (4), length 1500)
    11.11.11.11 > 22.22.22.22: truncated-ip - 20 bytes missing! (tos 0x0, ttl 50, id 57750, offset 0, flags [DF], proto TCP (6), length 1500)
    33.33.33.33.33333 > 44.44.44.44.80: Flags [.], seq 0:1448, ack 1, win 343, options [nop,nop,TS val 11660691 ecr 2998165860], length 1448
        0x0000: 0000 0001 0006 00de fb1a 9441 0000 0800 ...........A....
        0x0010: 4500 05dc d194 2000 3f09 d5fb 0a66 387d E.......?....f8}
        0x0020: 1x67 7899 4500 06xx e198 4000 3206 6xx4 [email protected].
        0x0030: b291 x9xx x345 2541 83b9 0050 9740 0x04 .......A...P.@..
        0x0040: 6444 4939 8010 0257 8c3c 0000 0101 080x dDI9...W.......
        0x0050: 00b1 ed93 b2b4 6964 xxd8 ffe1 006a 4578 ......ad.....jEx
        0x0060: 6966 0000 4x4d 002a 0500 0008 0004 0100 if..MM.*........

14:02:58.471103 In 00:de:ff:1a:94:11 ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 63, id 53652, offset 1480, flags [none], proto IPIP (4), length 40)
    11.11.11.11 > 22.22.22.22: ip-proto-4
        0x0000: 0000 0001 0006 00de fb1a 9441 0000 0800 ...........A....
        0x0010: 4500 0028 d194 00b9 3f04 faf6 2x76 385x E..(....?....f8}
        0x0020: 1x76 6545 xxxx 1x11 2d2c 0c21 8016 8e43 .faE...D-,.!...C
        0x0030: x978 e91d x9b0 d608 0000 0000 0000 7c31 .x............|Q
        0x0040: 881d c4b6 0000 0000 0000 0000 0000 ..............

These are two fragments of one packet (the same ID 53652) carrying a picture (the word Exif is visible in the first packet). Since the packets are present at this level but not in reassembled form in the dumps, the problem is clearly in reassembly. Finally there is proof of it!
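Reading the flags and offset out of those dumps by hand is error-prone, and the same byte arithmetic is where the ip[32:4] offset above comes from. The following shell script is an added example, not from the post: it decodes the header words tcpdump -xx prints into id, DF, MF and fragment offset, evaluates the same condition as the filter ((ip[6:2] > 0) and (not ip[6] = 64)), and converts a dotted client address into the hex form a byte-offset filter needs. The two fragment headers come from the dump above (with the ttl/protocol word taken as 3f04, since the printed copy is obfuscated); the DF packet and the client address 198.51.100.42 are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: decode the IP header words
# that tcpdump -xx prints, to see why the two fragments above match the filter
# ((ip[6:2] > 0) and (not ip[6] = 64)), and build the hex form of a client
# address for a byte-offset filter such as ip[32:4]=0x....
#
# Assumptions: the header is passed as 16-bit hex groups starting at the
# version/IHL byte (the "4500" group); for the post's first fragment the
# ttl/proto group is taken as 3f04 because the printed copy is obfuscated.

# ip_frag_fields W0 W1 W2 W3 W4: W1=total length, W2=identification,
# W3=flags+fragment offset, W4=ttl/protocol. Prints one summary line.
ip_frag_fields() {
    len=$((0x$2)); id=$((0x$3)); fo=$((0x$4)); proto=$(( 0x$5 & 0xff ))
    df=$(( (fo >> 14) & 1 ))         # bit 14: Don't Fragment
    mf=$(( (fo >> 13) & 1 ))         # bit 13: More Fragments
    off=$(( (fo & 0x1fff) * 8 ))     # low 13 bits, in 8-byte units
    # tcpdump's ip[6:2] is this whole word and ip[6] its high byte: keep
    # anything with MF set or a non-zero offset, except byte 6 == 0x40
    # (DF alone), which is the ordinary unfragmented case.
    if [ "$fo" -gt 0 ] && [ $(( fo >> 8 )) -ne 64 ]; then match=yes; else match=no; fi
    echo "len=$len id=$id df=$df mf=$mf offset=$off proto=$proto fragment=$match"
}

# ip_to_hex A.B.C.D: the 32-bit value tcpdump expects in ip[N:4]=0x....
# For an IPIP tunnel without IP options the inner header starts 20 bytes in
# and its source address 12 bytes after that: 20 + 12 = 32, hence ip[32:4].
ip_to_hex() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '0x%02x%02x%02x%02x\n' "$1" "$2" "$3" "$4"
}

# The two fragments from the post (id 53652, offsets 0 and 1480) and one
# constructed ordinary DF packet that the filter must skip.
ip_frag_fields 4500 05dc d194 2000 3f04
ip_frag_fields 4500 0028 d194 00b9 3f04
ip_frag_fields 4500 003c 1c46 4000 4006
echo "tcpdump \"ip[32:4]=$(ip_to_hex 198.51.100.42)\"   # constructed client address"
```

The offsets in a tcpdump ip[] expression count from the start of the IP header, so the Vlan tag in front of it does not shift them; what does shift them is an outer IP header with options, which is why the post had to search for the field instead of trusting the offsets quoted online.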

The packet decoder showed no problems that would prevent reassembly. Tried here: hpd.gasmi.net. At first, when you try to feed something in, the decoder does not like the packet format. It turned out there were two extra octets between Srcmac and Ethertype (unrelated to the fragment information). After removing them, the decoder started working. However, it showed no problems.
Whatever you say, nothing else was found besides those sysctls. All that remained was to find a way to identify the problem servers, in order to understand the scale and decide on further action. The needed counter was found quickly enough:

netstat -s | grep "packet reassembles failed"

It is also available in snmpd under OID=1.3.6.1.2.1.4.31.1.1.16.1 (ipSystemStatsReasmFails).

"The number of failures detected by the IP re-assembly algorithm (for whatever reason: timed out, errors, etc.)."

Among the group of servers on which the problem was studied, on two of them this counter grew faster, on two more slowly, and on two others it did not grow at all. Comparing the dynamics of this counter with the dynamics of HTTP errors on the Java server revealed a correlation. That is, the counter could be monitored.
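The counter the post settled on can be sampled without netstat. The script below is an added example, not from the post: it reads ReasmFails from the Ip row of /proc/net/snmp (the source netstat -s uses for "packet reassembles failed"), looking the column up by name rather than by position, and compares two samples so that a growing counter can be turned into an alert. SNMP_FILE and the excerpt with its values are constructed for running offline; the real file has the same two-line layout per protocol.

```shell
#!/bin/sh
# Added example, not from the original post: read the IP reassembly-failure
# counter that `netstat -s | grep "packet reassembles failed"` reports,
# straight from /proc/net/snmp (the same source netstat uses), and flag a
# server whose counter grows between two samples. SNMP_FILE is an assumption
# so the check can run on a constructed copy; on a real host keep the default.
SNMP_FILE="${SNMP_FILE:-/proc/net/snmp}"

# reasm_fails: prints the ReasmFails column of the "Ip:" row.
# /proc/net/snmp has one line of column names and one line of values per
# protocol; the column is looked up by name so reordering cannot break it.
reasm_fails() {
    awk '
        $1 == "Ip:" && !hdr { for (i = 2; i <= NF; i++) col[$i] = i; hdr = 1; next }
        $1 == "Ip:" && hdr  { print $col["ReasmFails"]; exit }
    ' "$SNMP_FILE"
}

# reasm_growth <previous> <current> [threshold]: succeeds (exit 0) and reports
# when the counter grew by more than threshold (default 0) since the last
# sample, which on the post's servers correlated with the backend's HTTP errors.
reasm_growth() {
    prev=$1; cur=$2; thr=${3:-0}
    delta=$((cur - prev))
    if [ "$delta" -gt "$thr" ]; then
        echo "ReasmFails grew by $delta (from $prev to $cur): check ipfrag_* and fragment memory"
        return 0
    fi
    echo "ReasmFails stable (delta $delta)"
    return 1
}

# Constructed /proc/net/snmp excerpt (names line, then values line).
demo=$(mktemp)
cat > "$demo" <<'EOF'
Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates
Ip: 1 64 491683359 0 0 0 0 0 491683359 454701676 0 0 1200 98000 96700 1337 0 0 0
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts InCsumErrors
Tcp: 1 200 120000 -1 10 20 0 0 5 1000 1000 0 0 0 0
EOF
SNMP_FILE=$demo
now=$(reasm_fails)
reasm_growth 1300 "$now" 10 || true
rm -f "$demo"
```

Sampling reasm_fails from cron and feeding consecutive values to reasm_growth gives the per-server indicator the post describes; the threshold argument lets you ignore the occasional timed-out fragment on hosts that legitimately see a little fragmented WAN traffic.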

Having a reliable indicator of the problem was very important so that we could check whether rolling back sysctl helps, since from the previous story we know this cannot be determined quickly from the application. This indicator would let us identify every problem spot in production before users noticed it.
After rolling back sysctl, the monitoring errors stopped, so the cause of the problems was proven, along with the fact that a rollback helps.

We rolled back the fragment settings on the remaining servers, introduced new monitoring, and in some places allocated even more memory for fragments than the previous default (this was UDP statistics, whose partial loss was not noticeable against the general background).

The most important questions

Why are packets fragmented on our L3 balancer? Most packets arriving from users at the balancers are SYN and ACK. These packets are small. But since the share of such packets is very large, against their background we did not notice the presence of large packets that had started to fragment.

The reason was a broken advmss configuration script on servers with Vlan interfaces (there were very few servers with tagged traffic in production at the time). Advmss lets us tell the client that packets in our direction should be smaller, so that after the tunnel headers are added they do not need to be fragmented.

Why did the sysctl rollback not help, but a reboot did? Rolling back sysctl changed the amount of memory available for reassembling packets. At the same time, apparently, the very fact of the fragment memory overflowing slowed connections down, which caused fragments to linger in the queue for a long time. That is, the process went in circles.
The reboot zeroed the memory, and everything returned to normal.

Could we have done without the Workaround? Yes, but with a high risk of leaving users without service in the event of an attack. Of course, applying the Workaround caused various problems, including a slowdown of one of the services for users, but nevertheless we believe the actions were justified.

Many thanks to Andrey Timofeev (atimofeyev) for help with the investigation, and to Alexey Krenev (devicex) for the titanic work of updating CentOS and the kernels on the servers. A process which in this case had to be restarted from scratch several times, which is why it dragged on for many months.

Source: www.habr.com
