# 自检拦截策略下载4M、16M、64M文件的用例不通过 | ID | Creation Date | Assignee | Status | |----|----------------|----------|--------| | OMPUB-1028 | 2023-10-12T11:44:49.000+0800 | 付明卫 | 已关闭 | --- 设备: nfs-tsgx01(10.3.60.7) OS版本:v23.07.18-591aed7 (TSGXNXR620G40R01P0906) 自检执行结果如下: {code:java} test_firewallBypass_ssl ... ok test_firewallIntercept_ssl ... ok test_firewallIntercept_sslCerterrExpired ... ok test_firewallIntercept_sslCerterrSelfsigned ... ok test_firewallIntercept_sslCerterrUntrustedroot ... ok test_proxyRedirect_ssl ... ok test_proxyBlock_ssl ... ok test_proxyReplace_ssl ... ok test_proxyHijack_ssl ... ok test_proxyInsert_ssl ... ok test_proxyRedirect_http ... ok test_proxyBlock_http ... ok test_proxyReplace_http ... ok test_proxyHijack_http ... ok test_proxyInsert_http ... ok test_firewallAllow_http ... ok test_firewallDenyDrop_http ... ok test_firewallDenyReset_http ... ok test_firewallDenyBlock_http ... ok test_firewallAllow_ssl ... ok test_firewallDenyDrop_ssl ... ok test_firewallDenyReset_ssl ... ok test_firewallDenyDrop_dns ... ok test_firewallDenyRedirectA_dns ... ok test_firewallDenyRedirectAAAA_dns ... ok test_firewallDenyRedirectARangeTTL_dns ... ok test_firewallDenyRedirectAAAARangeTTL_dns ... ok test_firewallIntercept_sslDownloadSize1k ... ok test_firewallIntercept_sslDownloadSize4k ... ok test_firewallIntercept_sslDownloadSize16k ... ok test_firewallIntercept_sslDownloadSize64k ... ok test_firewallIntercept_sslDownloadSize256k ... ok test_firewallIntercept_sslDownloadSize1M ... ok test_firewallIntercept_sslDownloadSize4M ... FAIL test_firewallIntercept_sslDownloadSize16M ... FAIL test_firewallIntercept_sslDownloadSize64M ... FAIL test_firewallDenyResetFilterHost_http ... ok test_firewallDenyResetFilterURL_http ... ok test_proxyDenyFilterHost_http ... ok test_proxyDenyFilterURL_http ... ok {code}**fu_mingwei** commented on *2023-10-12T12:01:38.372+0800*: 通过单独执行test_firewallINtercept_sslDownloadSize4M case来复现上述现象,命令如下: * kubectl exec -n tsg-os-system -it dign-client-clxz8 -c dign-client /bin/sh * curl -v [https://testing-download.badssl.selftest.gdnt-cloud.website/resources/4M] --resolve "testing-download.badssl.selftest.gdnt-cloud.website:443:192.0.2.110" -k --output temp 通过iptables -x -v -L KUBE-FORWARD --line-numbers查看发现数据包命中丢包策略。 {code:java} [root@nfs-tsgx01 ~]# iptables -x -v -L KUBE-FORWARD --line-numbers Chain KUBE-FORWARD (1 references) num      pkts      bytes target     prot opt in     out     source               destination          1         123    71318 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID 2           0        0 ACCEPT     all  --  any    any     anywhere             anywhere             /* kubernetes forwarding rules */ mark match 0x4000/0x4000 3       22517 102350860 ACCEPT     all  --  any    any     anywhere             anywhere             /* kubernetes forwarding conntrack rule */ ctstate RELATED,ESTABLISHED {code} 通过命令conntrack -L | grep 192.0.2发现自检的tcp连接处于time_wait状态。 {code:java} [root@nfs-tsgx01 ~]# conntrack -L | grep 192.0.2 tcp      6 115 TIME_WAIT src=192.0.2.218 dst=192.0.2.110 sport=52558 dport=443 src=192.0.2.110 dst=192.0.2.218 sport=443 dport=52558 [ASSURED] mark=0 use=1 conntrack v1.4.4 (conntrack-tools): 1041 flow entries have been shown. {code}   --- **fu_mingwei** commented on *2023-10-12T12:49:37.870+0800*: 解决方法1: 执行命令: * iptables -I FORWARD  -d 192.0.2.0/24  -j ACCEPT 在FORWARD链中插入接收目的网络为192.0.2.0/24包的规则。 解决方法2: 执行命令: * iptables -t raw -I PREROUTING -i br_dign_c -j NOTRACK * iptables -t raw -I PREROUTING -i br_dign_s -j NOTRACK --- **fu_mingwei** commented on *2023-10-12T18:46:46.076+0800*: 上述的解决方法2已经在NetworkManager dispatcher中添加相应脚本执行。 通过排查Networkmanager dispatcher脚本是否执行的过程中发现在描述中机器上NetworkManager-dispatcher service为disable状态。 !image-2023-10-12-18-46-37-480.png! 通知执行命令mount /dev/sda4 /tmp/rootfs发现NetworkManger-dispatcher的状态是enable !image-2023-10-12-19-44-57-743.png! 通知查看os的overlay目录发现dbus-org.freedesktop.nm-dispatcher.service存在 !image-2023-10-12-19-48-25-708.png! --- **fu_mingwei** commented on *2023-10-12T20:14:50.909+0800*: 结论: 上述问题是由于未添加以下iptables规则而导致的:{{{}iptables -t raw -I PREROUTING -i br_dign_c -j NOTRACK{}}}和{{{}iptables -t raw -I PREROUTING -i br_dign_c -j NOTRACK{}}}。 添加上述iptables规则的目的是为了防止conntrack将代理修复出来的两个连接识别为同一个conntrack信息。修复出来的两个连接在关闭时并不同时,这导致了conntrack将没有同时关闭的两条连接误认为是TIME_WAIT状态,并被K8S添加的iptables规则丢弃。 上述iptables规则是由NetworkManger-dispatcher服务添加的。然而,由于存在NetworkManger-dispatcher服务的残留文件等原因,导致NetworkManger-dispatcher服务处于禁用状态。当NetworkManger-dispatcher服务处于禁用状态时,导致上述iptables规则无法成功添加。   --- ## Attachments **45780/image-2023-10-12-18-46-37-480.png** --- **45792/image-2023-10-12-19-44-57-743.png** --- **45793/image-2023-10-12-19-48-25-708.png** ---