NetBSD-Users archive


Re: Occasional weird TCP behavior



It was suggested I run tcpdump on both client and server. I've figured
this out.

On the client machine, I saw this:

  client      server
  ------      --------
  SYN
              RST,ACK  ***
              SYN,ACK
  RST

That "RST,ACK" was not actually sent from the server, it was sent from a
third host.

The Linux dom0 uses the "bridge" device, which acts similarly to a switch.
It has a MAC address table so it knows which port to send the packet to.
Like a switch, if the MAC is not known, the packet will be sent to all
ports. This is why the third host saw the first SYN packet.

On that third host, this was in /etc/npf.conf:

      # Allow ssh only from selected hosts.
      pass in final proto tcp from 10.0.1.0/24 to any port 22
      block return-rst in final proto tcp from any to any port 22
            ^^^^^^^^^^

The third host sent the RST to the client even though the packet was not
destined for it. It even responded with the server's IP address.

So, should NPF work like this? The fact that it responded with an address
it didn't own seems especially unusual.

--
- Brian
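A way to confirm the diagnosis above from the client side alone, added here as an example and not part of Brian's post: capture with `tcpdump -e -n` so each line carries the sending MAC address, then check whether the RST claiming to come from the server's IP was sent by the same MAC that later sent the SYN,ACK. On a bridged segment the dom0 bridge forwards frames unchanged, so a frame injected by a third host still carries that host's MAC even when its IP header claims the server's address (that forwarding behaviour is assumed, not stated in the post). The sample lines, MACs and IPs below are constructed to mirror the four-packet exchange in the post.

```python
import re
from collections import defaultdict

# Constructed sample capture in the style of `tcpdump -e -n` on the client.
# Hypothetical addresses: ...:01 is the client, ...:02 the real server,
# ...:03 the third host that answers on the server's behalf.
SAMPLE = """\
14:03:11.100001 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: 10.0.1.5.54321 > 10.0.1.10.22: Flags [S], seq 1000, win 65535, length 0
14:03:11.100200 02:00:00:00:00:03 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 54: 10.0.1.10.22 > 10.0.1.5.54321: Flags [R.], seq 0, ack 1001, win 0, length 0
14:03:11.100350 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 10.0.1.10.22 > 10.0.1.5.54321: Flags [S.], seq 5000, ack 1001, win 65535, length 0
14:03:11.100400 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 54: 10.0.1.5.54321 > 10.0.1.10.22: Flags [R], seq 1001, win 0, length 0
"""

# One TCP-over-IPv4 line of `tcpdump -e -n` output: link-layer addresses,
# then IP.port pairs, then the TCP flags in square brackets.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>\s+"
    r"(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),\s+ethertype IPv4.*?:\s+"
    r"(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+Flags \[(?P<flags>[^\]]*)\]"
)


def parse_packets(text):
    """Parse the lines that look like TCP frames; anything else is skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append(m.groupdict())
    return packets


def macs_per_ip(packets):
    """Map each source IP to the sorted list of MACs that sent frames claiming it.

    On a plain Ethernet segment one IP should map to one MAC; a second MAC is
    the footprint of a host answering for an address it does not own.
    """
    seen = defaultdict(set)
    for p in packets:
        seen[p["sip"]].add(p["smac"])
    return {ip: sorted(macs) for ip, macs in seen.items()}


def find_foreign_rsts(packets):
    """Report RST segments whose source MAC differs from the MAC that sent a
    SYN,ACK for the same IP (taken as the genuine owner of that address)."""
    owner = {}
    for p in packets:
        if "S" in p["flags"] and "." in p["flags"]:  # tcpdump prints SYN,ACK as [S.]
            owner.setdefault(p["sip"], p["smac"])
    findings = []
    for p in packets:
        if "R" in p["flags"] and p["sip"] in owner and owner[p["sip"]] != p["smac"]:
            findings.append({
                "ts": p["ts"],
                "src_ip": p["sip"],
                "flags": p["flags"],
                "claimed_mac": p["smac"],
                "owner_mac": owner[p["sip"]],
            })
    return findings


if __name__ == "__main__":
    pk = parse_packets(SAMPLE)
    for ip, macs in macs_per_ip(pk).items():
        print(f"{ip}: {', '.join(macs)}")
    for f in find_foreign_rsts(pk):
        print(f"{f['ts']} RST [{f['flags']}] for {f['src_ip']} came from "
              f"{f['claimed_mac']}, but {f['src_ip']} answered the handshake from {f['owner_mac']}")
```

Run against a real capture, the second MAC listed for the server's IP is the hardware address to look up in the bridge's forwarding table on the dom0 to identify which guest holds the over-broad `block return-rst` rule.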


