Install Iptables rules to set TCPMSS for 'lo' interface #3452

Merged
merged 6 commits into from
Sep 18, 2019

Conversation

prsunny
Contributor

@prsunny prsunny commented Sep 13, 2019

- What I did
ssh to loopback address to use TCPMSS as 1460. By using MSS based on connected front panel interface (MTU = 9100), observed that in some cases ssh session hangs when transit devices are dropping jumbo frames.

- How I did it
Script to install iptables rules during reboot and first boot (updategraph)

- How to verify it
Establish ssh session to lo address and verify the MSS value

- Description for the changelog

Output of "/usr/bin/iptables_install.sh"

Sep 17 19:39:24.232378 str-a7060cx-acs-1 INFO hostcfgd: Running cmd - ip6tables -t mangle --append PREROUTING -p tcp --tcp-flags SYN SYN -d FC00:1::32 -j TCPMSS --set-mss 1440
Sep 17 19:39:24.237774 str-a7060cx-acs-1 INFO hostcfgd: Running cmd - ip6tables -t mangle --append POSTROUTING -p tcp --tcp-flags SYN SYN -s FC00:1::32 -j TCPMSS --set-mss 1440
Sep 17 19:39:24.257214 str-a7060cx-acs-1 INFO hostcfgd: Running cmd - iptables -t mangle --append PREROUTING -p tcp --tcp-flags SYN SYN -d 10.1.0.32 -j TCPMSS --set-mss 1460
Sep 17 19:39:24.262560 str-a7060cx-acs-1 INFO hostcfgd: Running cmd - iptables -t mangle --append POSTROUTING -p tcp --tcp-flags SYN SYN -s 10.1.0.32 -j TCPMSS --set-mss 1460
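The rules in the log above clamp the TCP MSS on SYN packets to and from the loopback address in the mangle table, in both directions (PREROUTING for inbound SYNs destined to the address, POSTROUTING for outbound SYNs sourced from it). The following script is an added example written for this page; it is not the PR's iptables_install.sh nor the hostcfgd code. It derives the MSS from an assumed 1500-byte path MTU (1460 for IPv4, 1440 for IPv6, matching the log), keeps everything in the mangle table so it does not touch the filter table that caclmgrd flushes, and checks each rule with `-C` before appending so it is safe to re-run on every boot. The function names, the `MTU` and `DRY_RUN` variables are assumptions of this example; the sample addresses are the ones from the PR's log output.

```shell
#!/bin/sh
# Added example: build and idempotently apply TCPMSS clamp rules for a
# loopback address. Not the PR's own script.

# Assumed path MTU; MSS = MTU - IP header - TCP header.
MTU=${MTU:-1500}

mss_for_family() {
    # $1 = 4 or 6; prints the MSS for that family.
    case "$1" in
        4) echo $((MTU - 40)) ;;   # 20-byte IPv4 header + 20-byte TCP header
        6) echo $((MTU - 60)) ;;   # 40-byte IPv6 header + 20-byte TCP header
        *) echo "unknown address family: $1" >&2; return 1 ;;
    esac
}

tool_for_family() {
    case "$1" in
        4) echo iptables ;;
        6) echo ip6tables ;;
        *) return 1 ;;
    esac
}

# Print the two rule specs for one address, one per line, without the
# -A/-C verb: inbound SYNs to the address and outbound SYNs from it.
mss_rule_specs() {
    fam=$1; addr=$2
    mss=$(mss_for_family "$fam") || return 1
    printf '%s\n' "PREROUTING -p tcp --tcp-flags SYN SYN -d $addr -j TCPMSS --set-mss $mss"
    printf '%s\n' "POSTROUTING -p tcp --tcp-flags SYN SYN -s $addr -j TCPMSS --set-mss $mss"
}

# Apply the rules for one address in the mangle table. A rule that already
# exists (-C succeeds) is skipped, so repeated boots do not stack duplicates.
# With DRY_RUN=1 the commands are printed instead of executed.
install_mss_rules() {
    fam=$1; addr=$2
    tool=$(tool_for_family "$fam") || return 1
    mss_rule_specs "$fam" "$addr" | while IFS= read -r spec; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$tool -t mangle -A $spec"
        elif ! $tool -t mangle -C $spec 2>/dev/null; then
            $tool -t mangle -A $spec
        fi
    done
}

# Usage with the addresses from the PR's log (dry run, nothing is installed):
# DRY_RUN=1 install_mss_rules 4 10.1.0.32
# DRY_RUN=1 install_mss_rules 6 FC00:1::32
```

Because caclmgrd rewrites the filter table wholesale, keeping these rules in mangle is what protects them from being flushed; the `-C` check is what makes the script safe to run both at first boot and on every reboot without accumulating duplicate rules.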

@lguohan
Collaborator

lguohan commented Sep 13, 2019

it is probably easier to integrate this into hostcfgd, i suspect.

@lguohan
Collaborator

lguohan commented Sep 13, 2019

@jleveque to comment on the suitability for implementing this in hostcfgd

@prsunny
Contributor Author

prsunny commented Sep 13, 2019

@jleveque to comment on the suitability for implementing this in hostcfgd

I agree to have this invoked from hostcfgd. This can also take care of changes to loopback IP instead of handling it in sonic-utilities.

@jleveque
Contributor

One thing to keep in mind: Currently caclmgrd is the only service manipulating iptables rules. I wrote it under this assumption. When it receives notification of service ACL changes, it flushes all iptables rules and writes all new. Thus, if rules are written from any other source, they will be lost. This may require logical changes to caclmgrd to play nice with other services.

@prsunny
Contributor Author

prsunny commented Sep 13, 2019

One thing to keep in mind: Currently caclmgrd is the only service manipulating iptables rules. I wrote it under this assumption. When it receives notification of service ACL changes, it flushes all iptables rules and writes all new. Thus, if rules are written from any other source, they will be lost. This may require logical changes to caclmgrd to play nice with other services.

Agree, that's the reason this was not put into the iptables filter table. It will have to be separate from the control plane ACL rules.

@prsunny
Contributor Author

prsunny commented Sep 13, 2019

retest this please

@prsunny prsunny merged commit 8ca1eb2 into sonic-net:master Sep 18, 2019
@prsunny prsunny deleted the iptables branch September 18, 2019 17:12
yxieca pushed a commit that referenced this pull request Sep 19, 2019
* Install Iptables rules to set TCPMSS for lo interface
* Moved implementation to hostcfgd to maintain at one place