-
Notifications
You must be signed in to change notification settings - Fork 725
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
defence_tcp_drop关闭的情况下vip的部分tcp流量到了kni接口 #719
Comments
从你给出的抓包截图上看,KNI 收到的包都是来自 client 的 RST 包,这有点像异常攻击。我用你上面给出的复现方法没有复现这个问题,KNI 接口流量只有 10kpps 左右。 |
我模拟环境打了400kpss,也只是出现了
这个场景是 |
场景描述
fullnat
模式syn flood
的包,部分包全部透传到kni
接口,大概300k pps。导致BGP中断,健康检查出现中断的现象。从代码看到vip:vport
的流量不应该走到kni
接口才对复现方法
dpvs.conf
关闭defence_tcp_drop
,测试1.6.1
和1.8.4
都可以复现。1.7版本开始默认关闭,这个集群使用的是1.8.4
版本synproxy
The text was updated successfully, but these errors were encountered: