Date: Mon, 29 Jun 2026 10:09:45 -0300
X-Mailing-List: netdev@vger.kernel.org
Subject: Re: [PATCH net] netfilter: nf_nat_masquerade: recalculate TCP TS offset when port is randomized
To: xietangxin, Pablo Neira Ayuso, Florian Westphal, Phil Sutter, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: gaoxingwang, huyizhen, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
References: <20260629093408.3927103-1-xietangxin@h-partners.com>
From: Victor Nogueira
In-Reply-To: <20260629093408.3927103-1-xietangxin@h-partners.com>

Hi!

On 29/06/2026 06:34, xietangxin wrote:
> Problem observed in Kubernetes environments where MASQUERADE target with
> --random-fully is configured by default. After commit
> 165573e41f2f ("tcp: secure_seq: add back ports to TS offset") TCP short
> connection QPS dropped from ~20000 to ~10000. This added source and
> destination ports into TS offset calculation.
>
> However, with MASQUERADE --random-fully, when multiple internal connections
> (e.g. sport 10000, 20000) are mapped to the same external port (e.g. 30000),
> their TS offsets are calculated as ts_offset(10000) and ts_offset(20000).
> If the server reuses the TIME_WAIT slot from the first connection, there is
> a chance that ts_offset(20000) < ts_offset(10000), breaking TSval
> monotonicity for the same 4-tuple and causing RST packets:
> Client -> Server 24870 -> 80 [SYN] TSval=2294041168
> Server -> Client 80 -> 24870 [ACK] TSecr=2846236456
> Client -> Server 24870 -> 80 [RST] Seq=855605690
>
> After nf_nat_setup_info() successfully assigns a new randomized
> source port, recalculate the TS offset using the new port and
> update the SYN packet's TSval accordingly.
>
> Test results on 4U4G VM with
> `./wrk -t8 -c200 -H "Connection: close" -d10s --latency http://5.5.5.5:80`
> Before:
> random:10712 req/s, random-fully:10986 req/s
> After:
> random:21463 req/s, random-fully:19181 req/s
>
> Fixes: 165573e41f2f ("tcp: secure_seq: add back ports to TS offset")
> Cc: stable@vger.kernel.org
> Closes: https://lore.kernel.org/all/92935c00-e0be-4591-ac44-5978c7804d57@yeah.net/
> Signed-off-by: xietangxin
> [...]
> +
> +static void masquerade_update_tcp_ts_offset(struct nf_conn *ct, struct sk_buff *skb)
> +{
> [...]
> +
> + if (nf_ct_l3num(ct) == NFPROTO_IPV4)
> + st = secure_tcp_seq_and_ts_off(net, tuple->src.u3.ip, tuple->dst.u3.ip,
> + tuple->src.u.tcp.port, tuple->dst.u.tcp.port);
> + else
> + st = secure_tcpv6_seq_and_ts_off(net, tuple->src.u3.ip6,
> + tuple->dst.u3.ip6, tuple->src.u.tcp.port, tuple->dst.u.tcp.port);

This breaks the build when CONFIG_IPV6 is not set.

.config:4948:warning: override: reassigning to symbol NET
.config:4949:warning: override: reassigning to symbol NET_CORE
.config:4950:warning: override: reassigning to symbol NETDEVICES
.config:4951:warning: override: reassigning to symbol NETWORK_FILESYSTEMS
ERROR: modpost: "secure_tcpv6_seq_and_ts_off" [net/netfilter/nf_nat.ko] undefined!

cheers,
Victor
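Review bot: the else branch in masquerade_update_tcp_ts_offset() calls secure_tcpv6_seq_and_ts_off() unconditionally, but net/core/secure_seq.c only builds its IPv6 helpers under CONFIG_IPV6, which is exactly the undefined-symbol modpost error reported for nf_nat.ko. Make the IPv6 path conditional, for example `if (IS_ENABLED(CONFIG_IPV6) && nf_ct_l3num(ct) == NFPROTO_IPV6)` with the IPv4 call as the other arm, so the call is compiled out on !IPV6 kernels, and check that `st` still gets a defined value (or the function returns early) in that configuration so the later TSval rewrite never uses an uninitialised offset.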
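A model of the failure the quoted commit message describes, added here as an illustration and not kernel code or part of this thread: ts_offset() is a constructed stand-in for the kernel's keyed per-4-tuple hash, paws_accepts() is a simplified PAWS check against a TIME_WAIT slot, and the addresses, clock values and the helper names second_syn_accepted() / count_paws_rejections() are all assumptions. It shows why offsets derived from the pre-NAT source port can order two SYNs for the same external 4-tuple backwards, and why deriving both from the post-NAT tuple cannot.

```c
/* Added illustration, not kernel code: ts_offset() is a constructed stand-in for
 * the kernel's keyed per-4-tuple hash; paws_accepts() models the TIME_WAIT PAWS test. */
#include <stdbool.h>
#include <stdint.h>
#define INT_ADDR 0x0a000002u  /* internal client (constructed) */
#define EXT_ADDR 0x0a000001u  /* masquerade address (constructed) */
#define SRV_ADDR 0x05050505u  /* 5.5.5.5, server from the commit message */
#define SPORT_A  10000        /* first connection's internal source port */
#define NAT_PORT 30000        /* external port both connections map to */

/* Only property needed: the offset changes unpredictably with the source port. */
static uint32_t ts_offset(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport)
{
    uint32_t h = (saddr * 2654435761u) ^ (daddr * 40503u) ^ ((uint32_t)sport << 16) ^ dport;
    h ^= h >> 13;
    h *= 0x5bd1e995u;
    h ^= h >> 15;
    return h;
}

/* A SYN hitting a TIME_WAIT slot passes PAWS only if its TSval is not older
 * than the ts_recent remembered for that 4-tuple (signed 32-bit comparison). */
static bool paws_accepts(uint32_t ts_recent, uint32_t tsval)
{
    return (int32_t)(tsval - ts_recent) >= 0;
}

/* The first connection (SPORT_A) left ts_recent on the server; a second one
 * from sport_b is masqueraded to the same NAT_PORT. recalc_after_nat=false
 * takes offsets from the pre-NAT tuple (current code), true from the post-NAT
 * tuple (what the patch does). */
bool second_syn_accepted(uint16_t sport_b, uint32_t clock_a, uint32_t clock_b, bool recalc_after_nat)
{
    uint32_t off_a, off_b;
    if (recalc_after_nat) {
        off_a = off_b = ts_offset(EXT_ADDR, SRV_ADDR, NAT_PORT, 80); /* same tuple */
    } else {
        off_a = ts_offset(INT_ADDR, SRV_ADDR, SPORT_A, 80);
        off_b = ts_offset(INT_ADDR, SRV_ADDR, sport_b, 80);
    }
    return paws_accepts(clock_a + off_a, clock_b + off_b);
}

/* How many ephemeral ports get the second SYN rejected (hence the RST) when
 * the client's TS clock has advanced only 100 ticks between the two SYNs. */
unsigned count_paws_rejections(bool recalc_after_nat)
{
    unsigned rejected = 0;
    for (uint32_t p = 1024; p < 65536; p++)
        if (!second_syn_accepted((uint16_t)p, 1000, 1100, recalc_after_nat))
            rejected++;
    return rejected;
}
```

Without the recalculation roughly half of the candidate internal ports produce a TSval older than the one the server remembers; with it the two SYNs share one offset and only the client clock decides their order.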