set net.ipv4.tcp_tw_recycle=1 to avoid dnat conntrack invalid
The probe connection action before going to time_wait state.
Probe connection
controller pod TCP FLAG SEQ ACK
controller:50538 ---> endpoint:9292 SYN 2707980036 0
controller:50538 <--- endpoint:9292 SYN ACK 1599414185
2707980037
controller:50538 ---> endpoint:9292 ACK 2707980037
1599414186
controller:50538 ---> endpoint:9292 FIN ACK 2707980037
1599414186
controller:50538 <--- endpoint:9292 ACK 1599414186
2707980038
controller:50538 <--- endpoint:9292 FIN ACK 1599414186
2707980038
controller:50538 ---> endpoint:9292 ACK 2707980038
1599414187
And for the curl command connection with same port 50538: it will be
like
controller pod TCP FLAG SEQ ACK
controller:50538 --> service:9292 SYN 2917708674 0
controller:50538 --> endpoint:9292 SYN 2917708674 0
controller:24479 <-- endpoint:9292 SYN ACK 2742336307
2917708675
controller:50538 <-- endpoint:9292 SYN ACK 2742336307
2917708675
controller:50538 --> service:9292 ACK 2707980038
1599414187
controller:50538 --> service:9292 ACK 2707980038
1599414187
controller:50538 --> service:9292 ACK(DROP) 2707980038
1599414187
The last ACK(controller:50538-->service:9292) SEQ and ACK is same as
Probe TIME_WAIT latest ACK’s.
from
https://github.com/torvalds/linux/blob/v3.10/net/ipv4/tcp_ipv4.c#L2002 ,
it only check (des ip , des port, src ip, and src port).Because this is
not
a correct SEQ/ACK , then it is set invalid and then dropped.
If enabling tcp_tw_recycle, the previous socket should be already
closed, then the issue should be gone.
Closes-Bug: 1817936
Change-Id: If6e66d85f08fc99022946fd2e9f4e5756bfb7b2f
Signed-off-by: Sun Austin <austin.sun@intel.com>
171c43dca8