I am experiencing a strange interaction between a Cisco firewall and my Docker host connected to it: the Cisco periodically flags my host as a SYN attacker and shuts down my Ethernet port.
I have been running tcpdump on the host, filtering for SYN packets, and this is an example of the pattern I am seeing:
20:45:53.863232 In 00:0c:29:67:9f:5b ethertype IPv4 (0x0800), length 76: 172.16.23.92.34272 > 172.16.23.102.3314: Flags [S], seq 2717143176, win 29200, options [mss 1460,sackOK,TS val 670292160 ecr 0,nop,wscale 7], length 0
20:45:53.863268 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.34272 > 172.17.0.8.3306: Flags [S], seq 2717143176, win 29200, options [mss 1460,sackOK,TS val 670292160 ecr 0,nop,wscale 7], length 0
20:45:53.863272 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.34272 > 172.17.0.8.3306: Flags [S], seq 2717143176, win 29200, options [mss 1460,sackOK,TS val 670292160 ecr 0,nop,wscale 7], length 0
20:45:53.863306 P 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.34272: Flags [S.], seq 1254244044, ack 2717143177, win 28960, options [mss 1460,sackOK,TS val 679018433 ecr 670292160,nop,wscale 7], length 0
20:45:53.863306 In 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.34272: Flags [S.], seq 1254244044, ack 2717143177, win 28960, options [mss 1460,sackOK,TS val 679018433 ecr 670292160,nop,wscale 7], length 0
For the record: this is an isolated block; the previous packet is from more than 2 hours earlier and the next one comes more than 10 hours later.
The Docker host is 172.16.23.102 and the other server (let's call it foo) is at IP 172.16.23.92. A container running mysql is at IP 172.17.0.8 on the Docker private network; let's call it mysql.
Now, if I am interpreting this dump correctly:
Now, this morning, the first communication recorded by the same tcpdump command is this monster:
09:13:45.034399 In 00:0c:29:67:9f:5b ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.16.23.102.3314: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034447 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034452 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034455 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034457 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034459 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034461 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034463 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034464 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034466 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034468 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034470 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034472 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034475 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034476 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034478 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034480 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034482 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034484 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034487 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034489 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034491 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034492 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034525 P 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.46089: Flags [S.], seq 1752355157, ack 4075356405, win 28960, options [mss 1460,sackOK,TS val 690236226 ecr 681509960,nop,wscale 7], length 0
09:13:45.034525 In 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.46089: Flags [S.], seq 1752355157, ack 4075356405, win 28960, options [mss 1460,sackOK,TS val 690236226 ecr 681509960,nop,wscale 7], length 0
09:13:45.034540 Out ec:79:01:bd:22:49 ethertype IPv4 (0x0800), length 76: 172.16.23.102.3314 > 172.16.23.92.46089: Flags [S.], seq 1752355157, ack 4075356405, win 28960, options [mss 1460,sackOK,TS val 690236226 ecr 681509960,nop,wscale 7], length 0
This time the packet is forwarded many times, and the mysql container responds only twice, and this time the SYN-ACK also leaves through the eth0 interface. That did not happen in the previous dump; I think the connection failed in that case.
Why is Docker forwarding packets several times? How can I fix this?
Adding some more useful information to the question.
Useful ARP cache lines from the Docker host:
172.16.23.92 ether 00:0c:29:67:9f:5b C eth0
172.17.0.8 ether 02:42:ac:11:00:08 C docker0
ifconfig for the Docker bridge interfaces:
docker0 Link encap:Ethernet HWaddr 02:42:ed:33:9c:27
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
eth0 Link encap:Ethernet HWaddr ec:79:01:bd:22:49
inet addr:172.16.23.102 Bcast:172.16.23.255 Mask:255.255.248.0
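As an added diagnostic (not part of the question, and not Docker's own tooling), the script below parses tcpdump `-e` lines in the format shown above and counts how many identical copies of each SYN or SYN-ACK appear per direction and source MAC; the sample lines are taken from the first dump, and the regex assumes exactly that `-e` link-layer output format.

```python
import re
from collections import defaultdict

# Constructed sample: four of the tcpdump -e lines quoted in the question
# (client 172.16.23.92, Docker host 172.16.23.102, mysql container 172.17.0.8).
SAMPLE = """\
20:45:53.863232 In 00:0c:29:67:9f:5b ethertype IPv4 (0x0800), length 76: 172.16.23.92.34272 > 172.16.23.102.3314: Flags [S], seq 2717143176, win 29200, options [mss 1460,sackOK,TS val 670292160 ecr 0,nop,wscale 7], length 0
20:45:53.863268 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.34272 > 172.17.0.8.3306: Flags [S], seq 2717143176, win 29200, options [mss 1460,sackOK,TS val 670292160 ecr 0,nop,wscale 7], length 0
20:45:53.863272 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.34272 > 172.17.0.8.3306: Flags [S], seq 2717143176, win 29200, options [mss 1460,sackOK,TS val 670292160 ecr 0,nop,wscale 7], length 0
20:45:53.863306 P 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.34272: Flags [S.], seq 1254244044, ack 2717143177, win 28960, options [mss 1460,sackOK,TS val 679018433 ecr 670292160,nop,wscale 7], length 0
"""

# One tcpdump -e line: time, direction, source MAC, IP/port pairs, TCP flags, seq, TS val.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) (?P<dir>In|Out|P) (?P<mac>[0-9a-f:]{17}) .*?: "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+).*?TS val (?P<tsval>\d+) "
)

def to_us(ts):
    """HH:MM:SS.ffffff -> microseconds since midnight, using exact integer arithmetic."""
    h, m, s = ts.split(":")
    sec, frac = s.split(".")
    return ((int(h) * 60 + int(m)) * 60 + int(sec)) * 1_000_000 + int(frac)

def syn_copies(text):
    """Group SYN and SYN-ACK segments by (direction, source MAC, addresses, flags, seq, TS val)
    and return {key: (copies, spread_us)}.  A real TCP retransmission carries a fresh TS val
    and (on Linux) waits about 1 s, so identical keys microseconds apart are copies made
    by the host's own forwarding path (here the docker0 bridge), not by the client stack."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or "S" not in m["flags"]:   # keep only handshake segments
            continue
        key = (m["dir"], m["mac"], m["src"], m["sport"], m["dst"], m["dport"],
               m["flags"], m["seq"], m["tsval"])
        groups[key].append(to_us(m["ts"]))
    return {k: (len(v), max(v) - min(v)) for k, v in groups.items()}

if __name__ == "__main__":
    for k, (copies, spread) in syn_copies(SAMPLE).items():
        verdict = "single" if copies == 1 else f"{copies} identical copies within {spread} us"
        print(f"{k[0]:>3} via {k[1]}  {k[2]}:{k[3]} > {k[4]}:{k[5]} [{k[6]}] -> {verdict}")
```

Run against the full morning dump, the docker0 `Out` group reports the number of bridge copies per SYN, which is the count the firewall is reacting to.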