Is this a TFO where the endpoint is on cerowrt, or just a SYN+DATA for a non cerowrt destination?
 
I was looking at the firewall rules, and they are pretty complicated.  Perhaps the SYN+DATA triggers a strange firewall behavior (a loop?)   SYN's are special to firewalls, as we know.
 
-----Original Message-----
From: "Maciej Soltysiak" <maciej@soltysiak.com>
Sent: Friday, January 4, 2013 3:43pm
To: "Dave Taht" <dave.taht@gmail.com>, "Ketan Kulkarni" <ketkulka@gmail.com>
Cc: "Jerry Chu" <hkchu@google.com>, "Eric Dumazet" <edumazet@google.com>, cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] TFO crashes cerowrt 3.7.1-1



Oops, apologies if email was formatted weirdly...


On Fri, Jan 4, 2013 at 9:42 PM, Maciej Soltysiak <[mailto:maciej@soltysiak.com] maciej@soltysiak.com> wrote:

I am seeing something strange here, with polipo related to TFO but also DNS.

When I just took 3.7.1-1 and set my windows 7 laptop to use gw.home.lan:8123 as http proxy it didn't work. What I observed was:
A) after quite a while polipo's response to browser was 504 Host [http://www.osnews.com] www.osnews.com lookup failed: Timeout
b) this error in ssh console: Host [http://osnews.com] osnews.com lookup failed: Timeout (131072)
c) Disabling TFO by adding option useTCPFastOpen 'false' to config 'polipo' 'general' works around the problem
d) Alternatively, you can keep TFO enabled in polipo but change option 'dnsUseGethostbyname' from 'reluctantly' to 'true' (!)

This is very weird, because TFO is TCP and the DNS queries fired off by polipo are UDP:

[mailto:root@OpenWrt:/tmp/log#] root@OpenWrt:/tmp/log# tcpdump -n -v -vv -vvv -x -X -s 1500 -i lo
20:21:56.160245 IP (tos 0x0, ttl 64, id 50129, offset 0, flags [DF], proto UDP (17), length 60)
 127.0.0.1.47304 > 127.0.0.1.53: [bad udp cksum 0xfe3b -> 0xd17f!] 55396+ A? [http://www.osnews.com/] www.osnews.com. (32)
 0x0000:  4500 003c c3d1 4000 4011 78dd 7f00 0001  E..<[mailto:..@.@.x] ..@.@.x.....
 0x0010:  7f00 0001 b8c8 0035 0028 fe3b d864 0100  .......5.(.;.d..
 0x0020:  0001 0000 0000 0000 0377 7777 066f 736e  .........www.osn
 0x0030:  6577 7303 636f 6d00 0001 0001            ews.com.....
20:21:56.160319 IP (tos 0x0, ttl 64, id 50130, offset 0, flags [DF], proto UDP (17), length 60)
 127.0.0.1.47304 > 127.0.0.1.53: [bad udp cksum 0xfe3b -> 0xd164!] 55396+ AAAA? [http://www.osnews.com/] www.osnews.com. (32)
 0x0000:  4500 003c c3d2 4000 4011 78dc 7f00 0001  E..<[mailto:..@.@.x] ..@.@.x.....
 0x0010:  7f00 0001 b8c8 0035 0028 fe3b d864 0100  .......5.(.;.d..
 0x0020:  0001 0000 0000 0000 0377 7777 066f 736e  .........www.osn
 0x0030:  6577 7303 636f 6d00 001c 0001            ews.com.....
20:21:56.169942 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 123)
 127.0.0.1.53 > 127.0.0.1.47304: [bad udp cksum 0xfe7a -> 0x5f73!] 55396 q: A? [http://www.osnews.com/] www.osnews.com. 1/2/0 [http://www.osnews.com/] www.osnews.com. [29m3s] A 74.86.31.159 ns: [http://osnews.com] osnews.com. [29m3s] NS [http://ns2.swelter.net] ns2.swelter.net., [http://osnews.com] osnews.com. [29m3s] NS [http://ns1.swelter.net] ns1.swelter.net. (95)
 0x0000:  4500 007b 0000 4000 4011 3c70 7f00 0001  [mailto:E..%7B..@.@.%3Cp] E..{..@.@.<p....
 0x0010:  7f00 0001 0035 b8c8 0067 fe7a d864 8180  .....5...g.z.d..
 0x0020:  0001 0001 0002 0000 0377 7777 066f 736e  .........www.osn
 0x0030:  6577 7303 636f 6d00 0001 0001 c00c 0001  ews.com.........
 0x0040:  0001 0000 06cf 0004 4a56 1f9f c010 0002  ........JV......
 0x0050:  0001 0000 06cf 0011 036e 7332 0773 7765  .........ns2.swe
 0x0060:  6c74 6572 036e 6574 00c0 1000 0200 0100  lter.net........
 0x0070:  0006 cf00 0603 6e73 31c0 40              ......ns1.@
20:21:56.173901 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 135)
 127.0.0.1.53 > 127.0.0.1.47304: [bad udp cksum 0xfe86 -> 0x8ecb!] 55396 q: AAAA? [http://www.osnews.com/] www.osnews.com. 1/2/0 [http://www.osnews.com/] www.osnews.com. [54m44s] AAAA 2607:f0d0:1002:62::3 ns: [http://osnews.com] osnews.com. [29m3s] NS [http://ns1.swelter.net] ns1.swelter.net., [http://osnews.com] osnews.com. [29m3s] NS [http://ns2.swelter.net] ns2.swelter.net. (107)
 0x0000:  4500 0087 0000 4000 4011 3c64 7f00 0001  [mailto:E.....@.@.%3Cd] E.....@.@.<d....
 0x0010:  7f00 0001 0035 b8c8 0073 fe86 d864 8180  .....5...s...d..
 0x0020:  0001 0001 0002 0000 0377 7777 066f 736e  .........www.osn
 0x0030:  6577 7303 636f 6d00 001c 0001 c00c 001c  ews.com.........
 0x0040:  0001 0000 0cd4 0010 2607 f0d0 1002 0062  ........&......b
 0x0050:  0000 0000 0000 0003 c010 0002 0001 0000  ................
 0x0060:  06cf 0011 036e 7331 0773 7765 6c74 6572  .....ns1.swelter
 0x0070:  036e 6574 00c0 1000 0200 0100 0006 cf00  .net............
 0x0080:  0603 6e73 32c0 4c                        ..ns2.L
This is the only DNS traffic I saw during the attempts. The tcpdumps have udp bad checksum but when I disabled TFO in polipo, the UDP where still bad checksum but they worked.

Really weird.
p.s. UPNP still works for port forwarding negotiation as it did in 3.6.11-4
I still couldn't get the UPNP/SSDP broadcasts (udp to 239.255.255.250) to being forwarded between se00 and sw00/sw10. Last time it worked was ~3.3.8. I'm starting not to question why it doesn't work, I'm starting to wonder why it did work then ;-)

Regards,
Maciej



On Fri, Jan 4, 2013 at 6:33 PM, Dave Taht <[mailto:dave.taht@gmail.com] dave.taht@gmail.com> wrote:

On Fri, Jan 4, 2013 at 9:27 AM, Eric Dumazet <[mailto:edumazet@google.com] edumazet@google.com> wrote:
 > Sorry, could you give us a copy of the panic stack trace ?

I will get a serial console up on a wndr3800 by sunday. (sorry, just
landed in california, am in disarray)

The latest dev build of cero for the wndr3800 and wndr3700v2 is at:

[http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.7.1-1/] http://snapon.lab.bufferbloat.net/~cero2/cerowrt/wndr/3.7.1-1/



--
Dave Täht

Fixing bufferbloat with cerowrt: [http://www.teklibre.com/cerowrt/subscribe.html] http://www.teklibre.com/cerowrt/subscribe.html
 _______________________________________________
Cerowrt-devel mailing list
[mailto:Cerowrt-devel@lists.bufferbloat.net] Cerowrt-devel@lists.bufferbloat.net
[https://lists.bufferbloat.net/listinfo/cerowrt-devel] https://lists.bufferbloat.net/listinfo/cerowrt-devel