google / gvisor

Application Kernel for Containers

Home Page:https://gvisor.dev


TCP Forwarder.HandlePacket doesn't handle SYNs with ECN/CWR bits set

bradfitz opened this issue · comments

Description

The gVisor netstack TCP forwarder mishandles initial SYN packets with ECN bits set.

gVisor doesn't support ECN (#995) but it should just ignore ECN, not send RSTs as it does today.

Ever since the first public gVisor commit on GitHub (I'm not sure about the google tree history), the TCP forwarder code has required that the SYN flags be exactly SYN, without other bits set.

The code is currently:

if !s.parse(pkt.RXTransportChecksumValidated) || !s.csumValid || s.flags != header.TCPFlagSyn {

Which means it bails out early, resulting in a RST by the caller:

    // We only care about well-formed SYN packets.
    if !s.parse(pkt.RXTransportChecksumValidated) || !s.csumValid || s.flags != header.TCPFlagSyn {
        return false
    }

That s.flags != header.TCPFlagSyn is not right. It should probably be s.flags&0x3F != header.TCPFlagSyn instead. Or something more readable.

(More debugging details in tailscale/tailscale#2642)

Steps to reproduce

  • on machine 1, run a webserver listening on localhost:8080 or other port on the Tailscale box (any language/server). Or just nc -l -p 8080.
  • on machine 1, use Tailscale's tailscaled daemon in --tun=userspace-networking mode (which forces gVisor/netstack)
  • on machine 2, a Linux box with Tailscale, force ECN with sudo sysctl net.ipv4.tcp_ecn=1
  • on machine 2, curl $machine1-tailscale-ip:8080

Observe TCP RSTs arrive.

runsc version

n/a

docker version (if using docker)

n/a

uname

Not OS-specific.

kubectl (if using Kubernetes)

n/a

repo state (if built from source)

Bug exists at HEAD (5fb5276)

runsc debug logs (if available)

n/a
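As an added illustration (not code from gVisor or from the issue author), the strict check quoted above beside the masked variant the report proposes, run over a constructed SYN that carries the ECN bits; the flag constants and the mask value are assumed to mirror the standard TCP header layout rather than imported from gVisor's header package.

```go
package main

import "fmt"

// Standard TCP flag bits (RFC 793; ECE/CWR from RFC 3168). Defined locally here;
// gVisor's header package exposes the same layout under its own names.
const (
	tcpFlagFin uint8 = 1 << iota
	tcpFlagSyn
	tcpFlagRst
	tcpFlagPsh
	tcpFlagAck
	tcpFlagUrg
	tcpFlagEce
	tcpFlagCwr
	tcpFlagsMask uint8 = 0x3F // the six classic control bits; ECE/CWR sit above
)

// Constructed sample: 20-byte TCP header, src port 40000 -> dst 8080, data offset 5,
// flags byte 0xC2 = SYN|ECE|CWR, i.e. a client opening a connection with ECN negotiation.
var ecnSynHeader = []byte{
	0x9c, 0x40, 0x1f, 0x90, 0, 0, 0, 0, 0, 0, 0, 0,
	0x50, 0xC2, 0xff, 0xff, 0, 0, 0, 0,
}

// tcpFlags reads the flags byte (offset 13) of a TCP header; ok is false if it is truncated.
func tcpFlags(hdr []byte) (flags uint8, ok bool) {
	if len(hdr) < 20 {
		return 0, false
	}
	return hdr[13], true
}

// strictSynCheck is the check quoted in the issue: flags must be exactly SYN,
// so an ECN-negotiating SYN is refused and the caller answers with a RST.
func strictSynCheck(flags uint8) bool { return flags == tcpFlagSyn }

// maskedSynCheck is the issue's proposed fix: drop ECE/CWR, then require exactly SYN.
func maskedSynCheck(flags uint8) bool { return flags&tcpFlagsMask == tcpFlagSyn }

func main() {
	f, ok := tcpFlags(ecnSynHeader)
	fmt.Printf("parsed flags=0x%02x ok=%v strict=%v masked=%v\n",
		f, ok, strictSynCheck(f), maskedSynCheck(f))
	// A SYN|ACK must still be rejected by both checks: the mask only hides ECN bits.
	f = tcpFlagSyn | tcpFlagAck
	fmt.Printf("SYN|ACK strict=%v masked=%v\n", strictSynCheck(f), maskedSynCheck(f))
}
```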

Thanks for the bug report I will take a look.

@bradfitz btw we would be interested in learning more about the issues Tailscale is facing with Netstack. Would you and others from Tailscale be willing to join, say, a community meeting and go over some of the pain points? We are also open to future collaborations to improve Netstack. In the meeting we can also share our future plans for Netstack.

We would love that. We've been wanting to work on netstack more but didn't know how to collaborate without going in the wrong/unwanted direction.

Feel free to throw something on my calendar (https://calendly.com/bradfitz or bradfitz at tailscale com Google Calendar) or let us know the community meeting time and we'll try to make it.

/cc @crawshaw @danderson @DentonGentry

Let me set something up and I will let you know. We will be happy to accept external contributions.

@bradfitz Could you run your tests w/ the PR linked above and let me know if it works now. I should have the PR submitted later today or early tomorrow.