UDP SndbufErrors & ENOBUFS

最近一部分服务器上，遇到UDP发包速率太高会出现大量丢包的情况。这个丢包不是发生在中间网络设备上丢，也不在接收方上，而是发生在发送方kernel中。为什么会知道是在kernel丢的？因为用户空间程序的统计的发包量，跟内核统计的有很大差距，所以可以肯定用户空间把包交给内核后，内核并没有全发出去。

通过kernel的snmp，发现UDP的SndbufErrors计数器有很高的值：

root@Server:~# grep "^Udp:" /proc/net/snmp | column -t
Udp:  InDatagrams  NoPorts  InErrors  OutDatagrams  RcvbufErrors  SndbufErrors  InCsumErrors  IgnoredMulti
Udp:  52452374     5805     2117      247991616     2117          6669891       0             1

root@Server:~# grep "^Udp:" /proc/net/snmp | column -t

Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti

Udp: 52452374 5805 2117 247991616 2117 6669891 0 1

这个计数器是在哪、什么情况下增长的？翻了一下kernel的源码，在net/ipv4/udp.c中找到两个，一个在udp_sendmsg()中：

...
int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
{
    ...
	/*
	 * ENOBUFS = no kernel mem, SOCK_NOSPACE = no sndbuf space.  Reporting
	 * ENOBUFS might not be good (it's not tunable per se), but otherwise
	 * we don't have a good statistic (IpOutDiscards but it can be too many
	 * things).  We could add another new stat but at least for now that
	 * seems like overkill.
	 */
	if (err == -ENOBUFS || test_bit(SOCK_NOSPACE, &sk->sk_socket->flags)) {
		UDP_INC_STATS(sock_net(sk),
			      UDP_MIB_SNDBUFERRORS, is_udplite);
	}
	return err;
    ...
}
...

...

int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)

{

...

* ENOBUFS = no kernel mem, SOCK_NOSPACE = no sndbuf space. Reporting

* ENOBUFS might not be good (it's not tunable per se), but otherwise

* we don't have a good statistic (IpOutDiscards but it can be too many

* things). We could add another new stat but at least for now that

* seems like overkill.

if (err == -ENOBUFS || test_bit(SOCK_NOSPACE, &sk->sk_socket->flags)) {

UDP_INC_STATS(sock_net(sk),

UDP_MIB_SNDBUFERRORS, is_udplite);

}

return err;

...

}

...

另一个在udp_send_skb()中：

...
static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4,
			struct inet_cork *cork)
{
    ...
send:
	err = ip_send_skb(sock_net(sk), skb);
	if (err) {
		if (err == -ENOBUFS && !inet->recverr) {
			UDP_INC_STATS(sock_net(sk),
				      UDP_MIB_SNDBUFERRORS, is_udplite);
			err = 0;
		}
	} else
		...
	return err;
}
...

...

static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4,

struct inet_cork *cork)

{

...

send:

err = ip_send_skb(sock_net(sk), skb);

if (err) {

if (err == -ENOBUFS && !inet->recverr) {

UDP_INC_STATS(sock_net(sk),

UDP_MIB_SNDBUFERRORS, is_udplite);

err = 0;

}

} else

...

return err;

}

...

在udp_sendmsg()的流程中，是有流向udp_send_skb()的，另外，在udp_send_skb()调用的ip_send_skb()中，有递增另一个计数器OutDiscards的代码：

...
int ip_send_skb(struct net *net, struct sk_buff *skb)
{
	int err;

	err = ip_local_out(net, skb->sk, skb);
	if (err) {
		if (err > 0)
			err = net_xmit_errno(err);
		if (err)
			IP_INC_STATS(net, IPSTATS_MIB_OUTDISCARDS);
	}

	return err;
}
...

...

int ip_send_skb(struct net *net, struct sk_buff *skb)

{

int err;

err = ip_local_out(net, skb->sk, skb);

if (err) {

if (err > 0)

err = net_xmit_errno(err);

if (err)

IP_INC_STATS(net, IPSTATS_MIB_OUTDISCARDS);

}

return err;

}

...

再查看一下snmp中的IP计数器，发现OutDiscards的值跟SndbufErrors非常接近：

root@server:~# grep -E "^Udp:|^Ip:" /proc/net/snmp | column -t
Ip:   Forwarding   DefaultTTL  InReceives  InHdrErrors   InAddrErrors  ForwDatagrams  InUnknownProtos  InDiscards    InDelivers  OutRequests  OutDiscards  OutNoRoutes  ReasmTimeout  ReasmReqds  ReasmOKs  ReasmFails  FragOKs  FragFails  FragCreates
Ip:   1            64          125551038   0             0             30477602       0                0             94936817    332998032    6671194      29           0             0           0         0           0        1          0
Udp:  InDatagrams  NoPorts     InErrors    OutDatagrams  RcvbufErrors  SndbufErrors   InCsumErrors     IgnoredMulti
Udp:  52453984     5808        2117        247992185     2117          6669891        0                1

root@server:~# grep -E "^Udp:|^Ip:" /proc/net/snmp | column -t

Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates

Ip: 1 64 125551038 0 0 30477602 0 0 94936817 332998032 6671194 29 0 0 0 0 0 1 0

Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti

Udp: 52453984 5808 2117 247992185 2117 6669891 0 1

所以这里可以肯定这个计数器的增长是发生在udp_send_skb()。

按照代码中的注释，ENOBUFS代表no kernel mem，首先，可以排除是send buffer不足的问题，因为如果send buffer满了，相关写调用会被阻塞或者返回EWOULDBLOCK；另外，net_xmit_errno()这个宏，会把非NET_XMIT_CN的错误都转成ENOBUFS：

/* NET_XMIT_CN is special. It does not guarantee that this packet is lost. It
 * indicates that the device will soon be dropping packets, or already drops
 * some packets of the same priority; prompting us to send less aggressively. */
#define net_xmit_eval(e)	((e) == NET_XMIT_CN ? 0 : (e))
#define net_xmit_errno(e)	((e) != NET_XMIT_CN ? -ENOBUFS : 0)

/* NET_XMIT_CN is special. It does not guarantee that this packet is lost. It

* indicates that the device will soon be dropping packets, or already drops

* some packets of the same priority; prompting us to send less aggressively. */

#define net_xmit_eval(e) ((e) == NET_XMIT_CN ? 0 : (e))

#define net_xmit_errno(e) ((e) != NET_XMIT_CN ? -ENOBUFS : 0)

所以这里ip_local_out()返回的很可能并不是ENOBUFS。

ip_local_out()后有函数指针，不太好看出来实际调用的是哪个函数，用perf看了下调用栈，后面涉及的函数还是挺多的，懒得一个个翻：

找了个更直接的工具dropwatch：

root@server:~# dropwatch -l kas
Initializing kallsyms db
dropwatch> start
Enabling monitoring...
Kernel monitoring activated.
Issue Ctrl-C to stop monitoring
...
917 drops at kfree_skb_list+1d (0xffffffff923211ed) [software]
129 drops at kfree_skb_list+1d (0xffffffff923211ed) [software]
2108 drops at kfree_skb_list+1d (0xffffffff923211ed) [software]
1499 drops at kfree_skb_list+1d (0xffffffff923211ed) [software]
4960 drops at kfree_skb_list+1d (0xffffffff923211ed) [software]
336 drops at kfree_skb_list+1d (0xffffffff923211ed) [software]
...

root@server:~# dropwatch -l kas

Initializing kallsyms db

dropwatch> start

Enabling monitoring...

Kernel monitoring activated.

Issue Ctrl-C to stop monitoring

...

917 drops at kfree_skb_list+1d (0xffffffff923211ed) [software]

129 drops at kfree_skb_list+1d (0xffffffff923211ed) [software]

2108 drops at kfree_skb_list+1d (0xffffffff923211ed) [software]

1499 drops at kfree_skb_list+1d (0xffffffff923211ed) [software]

4960 drops at kfree_skb_list+1d (0xffffffff923211ed) [software]

336 drops at kfree_skb_list+1d (0xffffffff923211ed) [software]

...

其实结果还是不算太直接，不过可以确定丢包的时候会调用kfree_skb_list()，在调用栈的函数中，顺利找到了对这个函数的调用，在net/core/dev.c中：

...
static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q,
				 struct net_device *dev,
				 struct netdev_queue *txq)
{
	...
	if (q->flags & TCQ_F_NOLOCK) {
		rc = q->enqueue(skb, q, &to_free) & NET_XMIT_MASK;
		qdisc_run(q);

		if (unlikely(to_free))
			kfree_skb_list(to_free);
		return rc;
	}
	if ... {
	...
	} else {
		rc = q->enqueue(skb, q, &to_free) & NET_XMIT_MASK;
	}
	...
	if (unlikely(to_free))
		kfree_skb_list(to_free);
	...
}
...

...

static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q,

struct net_device *dev,

struct netdev_queue *txq)

{

...

if (q->flags & TCQ_F_NOLOCK) {

rc = q->enqueue(skb, q, &to_free) & NET_XMIT_MASK;

qdisc_run(q);

if (unlikely(to_free))

kfree_skb_list(to_free);

return rc;

}

if ... {

...

} else {

rc = q->enqueue(skb, q, &to_free) & NET_XMIT_MASK;

}

...

if (unlikely(to_free))

kfree_skb_list(to_free);

...

}

...

到这里算是找到了问题出在哪了，q->enqueue()调用的是qdisc部分的机制，赶紧看了下qdisc的统计数据：

root@server:~# tc -s qdisc
...
qdisc fq 0: dev eno1 root refcnt 2 limit 10000p flow_limit 100p buckets 1024 orphan_mask 1023 quantum 3028b initial_quantum 15140b low_rate_threshold 550Kbit refill_delay 40.0ms 
 Sent 365865434072 bytes 306319714 pkt (dropped 6674253, overlimits 0 requeues 19) 
 backlog 0b 0p requeues 19
  flows 1121 (inactive 1119 throttled 0)
  gc 19508 highprio 22 throttled 1045756 latency 13.442us flows_plimit 6674253
...

root@server:~# tc -s qdisc

...

qdisc fq 0: dev eno1 root refcnt 2 limit 10000p flow_limit 100p buckets 1024 orphan_mask 1023 quantum 3028b initial_quantum 15140b low_rate_threshold 550Kbit refill_delay 40.0ms

Sent 365865434072 bytes 306319714 pkt (dropped 6674253, overlimits 0 requeues 19)

backlog 0b 0p requeues 19

flows 1121 (inactive 1119 throttled 0)

gc 19508 highprio 22 throttled 1045756 latency 13.442us flows_plimit 6674253

...

统计中的dropped计数器与SndbufErrors的值非常接近，eno1的队列是fq，fq的源码在net/sched/sch_fq.c中：

...
static int fq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
		      struct sk_buff **to_free)
{
	...
	if (unlikely(sch->q.qlen >= sch->limit))
		return qdisc_drop(skb, sch, to_free);
	...
	if (unlikely(f->qlen >= q->flow_plimit && f != &q->internal)) {
		q->stat_flows_plimit++;
		return qdisc_drop(skb, sch, to_free);
	}
	...
}
...

...

static int fq_enqueue(struct sk_buff *skb, struct Qdisc *sch,

struct sk_buff **to_free)

{

...

if (unlikely(sch->q.qlen >= sch->limit))

return qdisc_drop(skb, sch, to_free);

...

if (unlikely(f->qlen >= q->flow_plimit && f != &q->internal)) {

q->stat_flows_plimit++;

return qdisc_drop(skb, sch, to_free);

}

...

}

...

如果超出了flow_limit的限制，会增加flows_plimit计数器的值，从统计数据中可以看到flows_plimit计数器与dropped一致，到这里又可以肯定，是排队的包超出了flow_limit，所以无法入队的包都被丢弃了。

前面的tc命令看到flow_limit只有100，系统设置的send buffer是212992，包的MTU是1400，212992 / 1400 ≈ 152，的确会超出100，于是调大到200：

root@server:~# tc qdisc add dev eno1 root fq limit 20000 flow_limit 200

1	root@server:~# tc qdisc add dev eno1 root fq limit 20000 flow_limit 200

再次运行UDP协议的程序发送数据，丢包率恢复正常，查看qdisc的统计，dropped计数器一直为0，问题解决！

Nginx ssl_preread传递客户端IP

ssl_preread是基于L4的反代方案，TLS SNI握手时客户端会提供域名，所以可以让Nginx在无需完成TLS握手的情况下，就根据域名进行后端服务器的选择。简单来讲，你只需要给后端服务器配置一个SSL证书，而提供反代功能的Nginx则无需配置。文档见此：http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html

因为这是L4反代，所以通过“proxy_set_header”传递客户端IP的方法是行不通的。其实传递客户端IP的解决办法跟上一篇文章类似：L4(传输层)IP透明反向代理的实现(传递客户端真实IP)，nginx也是实现了IP_TRANSPARENT的：https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy#ip-transparency，所以，在server里面加上下面一行：

proxy_bind $remote_addr transparent;

1	proxy_bind $remote_addr transparent;

然后按前一篇文章的思路，对路由表进行配置即可。

提醒一下，ssl_preread是配置在stream block下的，放在别的地方，会提示：

nginx: [emerg] "ssl_preread" directive is not allowed here in /etc/nginx/nginx.conf

1	nginx: [emerg] "ssl_preread" directive is not allowed here in /etc/nginx/nginx.conf

所以正确的nginx.conf结构应该如下：

...
http {
    ...
    server {
        ...
    }
    server {
        ...
    }
    ...
}
...
stream {
    map $ssl_preread_server_name $name {
        backend.example.com      backend;
        default                  backend2;
    }

    upstream backend {
        server 192.168.0.1:12345;
        server 192.168.0.2:12345;
    }

    upstream backend2 {
        server 192.168.0.3:12345;
        server 192.168.0.4:12345;
    }

    server {
        listen      12346;
        proxy_pass  $name;
        proxy_bind $remote_addr transparent;
        ssl_preread on;
    }
}
...

...

http {

...

server {

...

}

server {

...

}

...

}

...

stream {

map $ssl_preread_server_name $name {

backend.example.com backend;

default backend2;

}

upstream backend {

server 192.168.0.1:12345;

server 192.168.0.2:12345;

}

upstream backend2 {

server 192.168.0.3:12345;

server 192.168.0.4:12345;

}

server {

listen 12346;

proxy_pass $name;

proxy_bind $remote_addr transparent;

ssl_preread on;

}

...

另外，如果在stream中listen了443，http中就无法listen 443了，启动nginx会提示：

nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)

1	nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)

可以让http中的server listen loopback地址的另一个端口，让stream中的server proxy_pass这个loopback地址的端口，例如127.0.2.1:8443，然后通过127.0.2.1做策略路由：

...
http {
    ...
    server {
        ...
        listen 127.0.2.1:8443 ssl http2;

        port_in_redirect off; # 重要：阻止nginx重定向到此Server listen的端口
        ...
    }
    server {
        ...
    }
    ...
}
...
stream {
    map $ssl_preread_server_name $name {
        localbackend.com         local_backend; # 这里指定使用http中的server
        backend.example.com      backend;
        default                  backend2;
    }

    upstream backend {
        server 192.168.0.1:12345;
        server 192.168.0.2:12345;
    }

    upstream backend2 {
        server 192.168.0.3:12345;
        server 192.168.0.4:12345;
    }

    # 对应http中的server
    upstream local_backend {
        server 127.0.2.1:443;
    }

    server {
        listen      443;
        proxy_pass  $name;
        proxy_bind $remote_addr transparent; # 加了这个才能传递客户端IP
        ssl_preread on;
    }
}
...

...

http {

...

server {

...

listen 127.0.2.1:8443 ssl http2;

port_in_redirect off; # 重要：阻止nginx重定向到此Server listen的端口

...

}

server {

...

}

...

}

...

stream {

map $ssl_preread_server_name $name {

localbackend.com local_backend; # 这里指定使用http中的server

backend.example.com backend;

default backend2;

}

upstream backend {

server 192.168.0.1:12345;

server 192.168.0.2:12345;

}

upstream backend2 {

server 192.168.0.3:12345;

server 192.168.0.4:12345;

}

# 对应http中的server

upstream local_backend {

server 127.0.2.1:443;

}

server {

listen 443;

proxy_pass $name;

proxy_bind $remote_addr transparent; # 加了这个才能传递客户端IP

ssl_preread on;

}

...

然后配置策略路由：

root@nginx:~# ip rule add from 127.0.2.1 lookup 61
root@nginx:~# ip route add local 0.0.0.0/0 dev lo table 61

1 2	root@nginx:~# ip rule add from 127.0.2.1 lookup 61 root@nginx:~# ip route add local 0.0.0.0/0 dev lo table 61

L4(传输层)IP透明反向代理的实现(传递客户端真实IP)

这种需求，一般来说，会在应用层加个标记标明客户端的IP，例如说HTTP，就是添加个请求头的事情。但并不是所有服务器程序、协议你都能这样下手。所以能不能在不对协议和服务器程序本身做任何改动的情况下，传递客户端的IP呢？

最直接的方法应该就是，把L3的源IP改掉，没对协议进行任何改动，对上层完全透明。先来看看改了L3的source IP会出现什么问题：

上图中的A是个L4负载均衡，Router会把来自Internet的客户端请求转发给A，A再根据策略转发到B、C或D。

假设这时A选择了B，A把请求转发给B时，把L3的源IP改成了客户端的IP，那B收到数据包后，根据B系统上的路由表，回复的包会直接经switch交给router送出Internet，也就是说响应的内容不会经过A送回给客户端。听起来好像没什么问题，还省得A耗费资源转发响应内容，不过TCP需要三次握手，客户端跟A握手成功后，A还需要跟B握手：A这时以客户端的IP向B发出SYN，B收到的SYN后，响应一个目的地IP是客户端的SYN ACK，这个SYN ACK是直接由router送出Internet的，根本不会送到A，所以A跟B是无法成功握手的，那客户端的请求也自然无法送达B。

UDP虽然不用握手，但A转发到B用的UDP源端口不一定跟客户端到A的一样，所以客户端不一定能正常接收到B响应的UDP包。要解决这个问题，就要做到请求从哪转发过来的，响应就得送回哪去，既然是从A来的，就送回给A。

A虽然改了送往B的包的源IP，但即使B把响应送回A了，默认情况下，A收到数据包的目的地IP不是系统已绑定的IP时，也就是非送往本地的数据包，kernel只会选择转发或者丢弃，这种情况下，A跟B也是无法握手成功的，所以，这里还要解决的就是，让A对来自B的非本地数据包，当作本地数据包处理。

到这里，实现这个L4 IP透明代理要解决的问题就很清晰了：

反向代理服务器修改L3源IP
被代理服务器把响应转发回给反向代理服务器
反向代理服务器处理来自被代理服务器的非本地数据包

1. 修改L3源IP

Linux的kernel，有一个IP_TRANSPARENT的选项：

       IP_TRANSPARENT (since Linux 2.6.24)
              Setting this boolean option enables transparent proxying
              on this socket.  This socket option allows the calling
              application to bind to a nonlocal IP address and operate
              both as a client and a server with the foreign address as
              the local endpoint.  NOTE: this requires that routing be
              set up in a way that packets going to the foreign address
              are routed through the TProxy box (i.e., the system
              hosting the application that employs the IP_TRANSPARENT
              socket option).  Enabling this socket option requires
              superuser privileges (the CAP_NET_ADMIN capability).

              TProxy redirection with the iptables TPROXY target also
              requires that this option be set on the redirected socket.

IP_TRANSPARENT (since Linux 2.6.24)

Setting this boolean option enables transparent proxying

on this socket. This socket option allows the calling

application to bind to a nonlocal IP address and operate

both as a client and a server with the foreign address as

the local endpoint. NOTE: this requires that routing be

set up in a way that packets going to the foreign address

are routed through the TProxy box (i.e., the system

hosting the application that employs the IP_TRANSPARENT

socket option). Enabling this socket option requires

superuser privileges (the CAP_NET_ADMIN capability).

TProxy redirection with the iptables TPROXY target also

requires that this option be set on the redirected socket.

简单来说，这个选项允许应用程序的socket，绑定一个操作系统没有绑定的IP，并且以那个IP对外通讯。

所以，A的反向代理程序，通过这个选项让socket绑定客户端的IP，就能以客户端的IP与B进行通讯：

#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <memory.h>

static const int one = 1;

int main(int argc, char *argv[]) {
    int socket_fd = socket(AF_INET, SOCK_STREAM, 0);
    setsockopt(socket_fd, SOL_IP, IP_TRANSPARENT, &one, sizeof(one));

    // 以IP 192.168.2.2作为本地IP绑定socket，端口自动分配
    struct sockaddr_in bind_addr;
    bzero(&bind_addr, sizeof(bind_addr));
    bind_addr.sin_family = AF_INET;
    bind_addr.sin_port = htons(0);
    inet_pton(AF_INET, "192.168.2.2", &bind_addr.sin_addr);
    bind(socket_fd, (void *) &bind_addr, sizeof(bind_addr));

    // 连接到192.168.1.20:80
    struct sockaddr_in server_addr;
    bzero(&server_addr, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    server_addr.sin_port = htons(80);
    inet_pton(AF_INET, "192.168.1.20", &server_addr.sin_addr);
    if (connect(socket_fd, (void *) &server_addr, sizeof(server_addr)) < 0) {
        close(socket_fd);
        perror("connect()");
        return 1;
    }
    printf("connection established\n");
    close(socket_fd);

    return 0;
}

#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <memory.h>

static const int one = 1;

int main(int argc, char *argv[]) {

int socket_fd = socket(AF_INET, SOCK_STREAM, 0);

setsockopt(socket_fd, SOL_IP, IP_TRANSPARENT, &one, sizeof(one));

// 以IP 192.168.2.2作为本地IP绑定socket，端口自动分配

struct sockaddr_in bind_addr;

bzero(&bind_addr, sizeof(bind_addr));

bind_addr.sin_family = AF_INET;

bind_addr.sin_port = htons(0);

inet_pton(AF_INET, "192.168.2.2", &bind_addr.sin_addr);

bind(socket_fd, (void *) &bind_addr, sizeof(bind_addr));

// 连接到192.168.1.20:80

struct sockaddr_in server_addr;

bzero(&server_addr, sizeof(server_addr));

server_addr.sin_family = AF_INET;

server_addr.sin_port = htons(80);

inet_pton(AF_INET, "192.168.1.20", &server_addr.sin_addr);

if (connect(socket_fd, (void *) &server_addr, sizeof(server_addr)) < 0) {

close(socket_fd);

perror("connect()");

return 1;

}

printf("connection established\n");

close(socket_fd);

return 0;

}

在A上编译运行上面的源码，抓包可以看到A在以192.168.2.2作为源IP向192.168.1.20:80发送SYN，ss或者netstat也可以看到程序的local IP是192.168.2.2，而A系统本身是没有绑定192.168.2.2的：

目前来说A还是无法与B成功握手的，抓包也只会抓到A一直在向B发送SYN，晚一点还会输出”connect(): Connection timed out”。

2. 让B把响应送回给A

在B上抓包，可以看到B会收到来自2.2的SYN，也会响应SYN ACK，但是会收到2.2的RST：

如何让B辨别来自A的包，并把响应送回A呢？

2.1 选择一：根据B的源IP和端口做策略路由

给B分配多个IP，例如默认用1.19出网，1.20专门给A访问用，可以用这种方法。如果只有一个IP，不建议用这种方法，因为这样B会把所有从被代理的端口发出的数据包都交给A，如果请求不是转发自A的，就无法正常处理。

# 以192.168.1.20:80发出的数据包，使用路由表60的规则
root@B:~# ip rule add from 192.168.1.20 sport 80 lookup 60
# 默认转发给192.168.1.6，也就是A
root@B:~# ip route add default via 192.168.1.6 table 60

# 以192.168.1.20:80发出的数据包，使用路由表60的规则

root@B:~# ip rule add from 192.168.1.20 sport 80 lookup 60

# 默认转发给192.168.1.6，也就是A

root@B:~# ip route add default via 192.168.1.6 table 60

因为A向B发出的请求的目的IP是1.20，所以B发出响应的源IP一定是1.20。而不是对A的响应，B默认使用1.19，不会发送给A。

2.2 选择二：通过mark做策略路由

例如可以通过mac地址识别来自A的包，并且做个标记：

# 查看A的mac地址
root@B:~# cat /proc/net/arp | grep "192.168.1.6"
192.168.1.6      0x1         0x2         52:54:00:91:33:33     *        ens192

# 把来自52:54:00:91:33:33的地址标记为60
root@B:~# iptables -t mangle -A INPUT -m mac --mac-source 52:54:00:91:33:33 -j MARK --set-mark 60
root@B:~# iptables -t mangle -A INPUT -j CONNMARK --save-mark
# 重新标记响应数据包
root@B:~# iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

# 根据mark做策略路由
root@B:~# ip rule add fwmark 60 lookup 60
root@B:~# ip route add default via 192.168.1.6 table 60

# 查看A的mac地址

root@B:~# cat /proc/net/arp | grep "192.168.1.6"

192.168.1.6 0x1 0x2 52:54:00:91:33:33 * ens192

# 把来自52:54:00:91:33:33的地址标记为60

root@B:~# iptables -t mangle -A INPUT -m mac --mac-source 52:54:00:91:33:33 -j MARK --set-mark 60

root@B:~# iptables -t mangle -A INPUT -j CONNMARK --save-mark

# 重新标记响应数据包

root@B:~# iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

# 根据mark做策略路由

root@B:~# ip rule add fwmark 60 lookup 60

root@B:~# ip route add default via 192.168.1.6 table 60

3. 让A处理非本地数据包

第二步的策略路由做好后，A上抓包，可以看到B的SYN ACK送回来了，但是A没有响应ACK：

因为A没有绑定192.168.2.2这个IP，前面提到过kernel是不会对非本地的数据包做出响应的。

哪些目的地IP作为要本地IP处理，是可以在路由表上指定的，可以把0.0.0.0/0，也就是任何IP都视为本地IP处理，当然不能加在默认路由表上，这样就无法对外通讯了，需要做策略路由。

# 匹配来自B，且源端口是80的数据包
root@A:~# ip rule add from 192.168.1.20 sport 80 lookup 60
root@A:~# ip route add local 0.0.0.0/0 dev lo table 60

# 匹配来自B，且源端口是80的数据包

root@A:~# ip rule add from 192.168.1.20 sport 80 lookup 60

root@A:~# ip route add local 0.0.0.0/0 dev lo table 60

上面有一个路由规则：“local 0.0.0.0/0”，意思是任何IP都作为本地IP处理，注意规则是加在表60的，符合条件的数据包，才会应用这个表。

第三步的规则做好后，再次运行ip_transparent，就可以看到立刻输出“connection established”了：

4. IP透明反向代理

上面的ip_transparent只是测试A和B之间的握手，并不能作为客户端与B之间通讯的代理，这里用Go实现了一个比较简单的反向代理：

package main

import (
	"fmt"
	"io"
	"log"
	"net"
	"os"
	"strconv"
	"syscall"
)

const network = "tcp"
const bufferSize = 4096

var destinationIP *[4]byte
var destinationPort int

func main() {
	parseDestination()
	listen, err := net.Listen(network, os.Args[1])
	if err != nil {
		log.Println(err)
		os.Exit(1)
	}
	log.Printf("waiting for incomming connection...")
	defer listen.Close()

	for {
		conn, err := listen.Accept()
		if err != nil {
			log.Println(err)
			continue
		}
		log.Printf("client %s accepted", conn.RemoteAddr().String())
		go clientHandler(conn, log.New(os.Stdout, "[" + conn.RemoteAddr().String() + "]", log.Ldate | log.Ltime))
	}
}

func clientHandler(client net.Conn, logger *log.Logger) {
	defer client.Close()
	server, err := createTransparentSocket(client, os.Args[2])
	if err != nil {
		logger.Println(err)
		return
	}
	defer server.Close()

	streamCopy := func(dst io.Writer, src io.Reader, direction string, logger *log.Logger) {
		n, _ := read2Write(dst, src)
		logger.Printf("%s %d bytes copied", direction, n)
		client.Close()
		server.Close()
	}

	go streamCopy(client, server, "to client", logger)
	streamCopy(server, client, "from client", logger)
}

func createTransparentSocket(client net.Conn, destination string) (net.Conn, error) {
	var socketFD int
	var file *os.File
	var server net.Conn
	var errorPrefix string
	var clientIP *net.TCPAddr
	var clientIPBytes [4]byte
	var err error
	var ok bool

	// Create transparent socket
	if socketFD, err = syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM, syscall.IPPROTO_TCP); err != nil {
		errorPrefix = "syscall.socket()"
		goto ReturnError
	}
	if err = syscall.SetsockoptInt(socketFD, syscall.SOL_IP, syscall.IP_TRANSPARENT, 1); err != nil {
		errorPrefix = "syscall.SetsockoptInt()"
		goto CloseSocket
	}

	if clientIP, ok = client.RemoteAddr().(*net.TCPAddr); ok == false {
		err = fmt.Errorf("unsupport client type")
		errorPrefix = "client.RemoteAddr().(*net.IPAddr)"
		goto CloseSocket
	}
	copy(clientIPBytes[:], clientIP.IP.To4())

	// Use client's IP address as socket local address
	if err = syscall.Bind(socketFD, &syscall.SockaddrInet4{
		Port: 0, // Port auto assignment
		Addr: clientIPBytes,
	}); err != nil {
		errorPrefix = "syscall.Bind()"
		goto CloseSocket
	}

	// Connect to server
	if err = syscall.Connect(socketFD, &syscall.SockaddrInet4{
		Port: destinationPort,
		Addr: *destinationIP,
	}); err != nil && err.Error() != "operation now in progress" {
		errorPrefix = "syscall.Connect()"
		goto CloseSocket
	}

	file = os.NewFile(uintptr(socketFD), destination)
	server, err = net.FileConn(file)
	if err == nil {
		syscall.Close(socketFD) // net.FileConn() has already duplicated this file descriptor
		return server, nil
	}
	errorPrefix = "net.FileConn()"
CloseSocket:
	syscall.Close(socketFD)
ReturnError:
	return nil, fmt.Errorf("%s: %s", errorPrefix, err)
}

func parseDestination() {
	var err error
	var host, port string
	if host, port, err = net.SplitHostPort(os.Args[2]); err != nil {
		println(err)
		os.Exit(1)
	}
	ip := net.ParseIP(host).To4()
	destinationIP = &[4]byte{ip[0], ip[1], ip[2], ip[3]}
	destinationPort, err = strconv.Atoi(port)
	if err != nil {
		println(err)
		os.Exit(1)
	}
}

/**
from: https://github.com/xtaci/kcptun/blob/master/generic/copy.go
*/
func read2Write(dst io.Writer, src io.Reader) (written int64, err error) {
	// If the reader has a WriteTo method, use it to do the copy.
	// Avoids an allocation and a copy.
	if wt, ok := src.(io.WriterTo); ok {
		return wt.WriteTo(dst)
	}
	// Similarly, if the writer has a ReadFrom method, use it to do the copy.
	if rt, ok := dst.(io.ReaderFrom); ok {
		return rt.ReadFrom(src)
	}

	// fallback to standard io.CopyBuffer
	buf := make([]byte, bufferSize)
	return io.CopyBuffer(dst, src, buf)
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

package main

import (

"fmt"

"io"

"log"

"net"

"os"

"strconv"

"syscall"

)

const network = "tcp"

const bufferSize = 4096

var destinationIP *[4]byte

var destinationPort int

func main() {

parseDestination()

listen, err := net.Listen(network, os.Args[1])

if err != nil {

log.Println(err)

os.Exit(1)

}

log.Printf("waiting for incomming connection...")

defer listen.Close()

for {

conn, err := listen.Accept()

if err != nil {

log.Println(err)

continue

}

log.Printf("client %s accepted", conn.RemoteAddr().String())

go clientHandler(conn, log.New(os.Stdout, "[" + conn.RemoteAddr().String() + "]", log.Ldate | log.Ltime))

}

func clientHandler(client net.Conn, logger *log.Logger) {

defer client.Close()

server, err := createTransparentSocket(client, os.Args[2])

if err != nil {

logger.Println(err)

return

}

defer server.Close()

streamCopy := func(dst io.Writer, src io.Reader, direction string, logger *log.Logger) {

n, _ := read2Write(dst, src)

logger.Printf("%s %d bytes copied", direction, n)

client.Close()

server.Close()

}

go streamCopy(client, server, "to client", logger)

streamCopy(server, client, "from client", logger)

}

func createTransparentSocket(client net.Conn, destination string) (net.Conn, error) {

var socketFD int

var file *os.File

var server net.Conn

var errorPrefix string

var clientIP *net.TCPAddr

var clientIPBytes [4]byte

var err error

var ok bool

// Create transparent socket

if socketFD, err = syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM, syscall.IPPROTO_TCP); err != nil {

errorPrefix = "syscall.socket()"

goto ReturnError

}

if err = syscall.SetsockoptInt(socketFD, syscall.SOL_IP, syscall.IP_TRANSPARENT, 1); err != nil {

errorPrefix = "syscall.SetsockoptInt()"

goto CloseSocket

}

if clientIP, ok = client.RemoteAddr().(*net.TCPAddr); ok == false {

err = fmt.Errorf("unsupport client type")

errorPrefix = "client.RemoteAddr().(*net.IPAddr)"

goto CloseSocket

}

copy(clientIPBytes[:], clientIP.IP.To4())

// Use client's IP address as socket local address

if err = syscall.Bind(socketFD, &syscall.SockaddrInet4{

Port: 0, // Port auto assignment

Addr: clientIPBytes,

}); err != nil {

errorPrefix = "syscall.Bind()"

goto CloseSocket

}

// Connect to server

if err = syscall.Connect(socketFD, &syscall.SockaddrInet4{

Port: destinationPort,

Addr: *destinationIP,

}); err != nil && err.Error() != "operation now in progress" {

errorPrefix = "syscall.Connect()"

goto CloseSocket

}

file = os.NewFile(uintptr(socketFD), destination)

server, err = net.FileConn(file)

if err == nil {

syscall.Close(socketFD) // net.FileConn() has already duplicated this file descriptor

return server, nil

}

errorPrefix = "net.FileConn()"

CloseSocket:

syscall.Close(socketFD)

ReturnError:

return nil, fmt.Errorf("%s: %s", errorPrefix, err)

}

func parseDestination() {

var err error

var host, port string

if host, port, err = net.SplitHostPort(os.Args[2]); err != nil {

println(err)

os.Exit(1)

}

ip := net.ParseIP(host).To4()

destinationIP = &[4]byte{ip[0], ip[1], ip[2], ip[3]}

destinationPort, err = strconv.Atoi(port)

if err != nil {

println(err)

os.Exit(1)

}

/**

from: https://github.com/xtaci/kcptun/blob/master/generic/copy.go

func read2Write(dst io.Writer, src io.Reader) (written int64, err error) {

// If the reader has a WriteTo method, use it to do the copy.

// Avoids an allocation and a copy.

if wt, ok := src.(io.WriterTo); ok {

return wt.WriteTo(dst)

}

// Similarly, if the writer has a ReadFrom method, use it to do the copy.

if rt, ok := dst.(io.ReaderFrom); ok {

return rt.ReadFrom(src)

}

// fallback to standard io.CopyBuffer

buf := make([]byte, bufferSize)

return io.CopyBuffer(dst, src, buf)

}

上面核心的部分是函数func createTransparentSocket(client net.Conn, destination string) (net.Conn, error)，简单来说，就是获取客户端的IP，然后通过bind()绑定为socket的本地IP，再向B发出构建连接的请求。

通过第一个运行参数指定本地监听的IP和端口，第二个运行参数指定被代理服务器的IP和端口：

root@A:~# ./go_ip_transparent_proxy 0.0.0.0:80 192.168.1.20:80
2021/02/10 02:08:53 waiting for incomming connection...

1 2	root@A:~# ./go_ip_transparent_proxy 0.0.0.0:80 192.168.1.20:80 2021/02/10 02:08:53 waiting for incomming connection...

从client向A发出请求：

B上查看Nginx的访问日志，可以看到记录的IP是client的：

A上的反向代理程序的输出：

这个程序只实现了IPv4 TCP的IP透明反向代理，UDP以及IPv6的实现也同理。

除了反向代理，其实正向代理也是可以通过IP_TRANSPARENT实现，配合iptables的TPROXY模块即可发挥作用，本文的目的只是反向代理，正向代理具体细节就不在本文介绍了。

CLion调试Linux Kernel

1. 编译Kernel

先按照https://www.kernel.org/doc/html/latest/dev-tools/gdb-kernel-debugging.html说明的config设定编译内核并且安装到guest上。

menuconfig中按“/”是可以搜索的，例如要找“CONFIG_GDB_SCRIPTS”，按“/”输入“GDB_SCRIPTS”。

qemu启用了virtio的话，记得选上VIRTIO_BLK和VIRTIO_NET。

2. QEMU

2.1 关闭KVM

关闭KVM，关闭KVM，关闭KVM，重要的事情说三次！不然step by step的时候，会无限跳到arch/x86/kernel/apic/apic.c的sysvec_apic_timer_interrupt。要关闭KVM，运行qemu时去掉–enalbe-kvm参数，用libvirt的话，domain的type值置qemu：

<domain type='qemu' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  ...
</domain>

...

</domain>

2.2 启用gdbserver

运行QEMU时加上参数-s，或者通过“-gdb tcp::端口号”参数手动指定端口，libvirt xml的设定如下：

<domain type='qemu' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  ...
  <qemu:commandline>
    <qemu:arg value='-s'/>
  </qemu:commandline>
  ...
</domain>

...

<qemu:commandline>

<qemu:arg value='-s'/>

</qemu:commandline>

...

</domain>

或者：

<domain type='qemu' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  ...
  <qemu:commandline>
    <qemu:arg value='-gdb'/>
    <qemu:arg value='tcp::1235'/>
  </qemu:commandline>
  ...
</domain>

...

<qemu:commandline>

<qemu:arg value='-gdb'/>

<qemu:arg value='tcp::1235'/>

</qemu:commandline>

...

</domain>

3. CLion

点击右上角的“Select Run/Debug Configuration”，添加个GDB Remote Debug：

‘targer remote’ args填入qemu监听的gdbserver IP和端口，Symbol file选编译出的vmlinux（在源码根目录下）。

5. 调试

断点的设定跟平常无异。

启动qemu，按Debug按钮开始调试：

Debug标签页，pause后可以调用gdb console，如果kernel在运行，点左侧的“| |”即可：

栈、变量以及源码通过IDE浏览会直观许多：

6. <optimized out>

提醒下：通过-O0参数是无法成功编译Kernel的。

gdb console通过disassemble可以反汇编当前函数：

优化后的汇编其实不太好跟实际写的C代码联系起来，如果实在不行，就printk吧……

千兆公网带宽的TCP sendbuffer与receivebuffer调整

不知道有多少人留意过，使用千兆公网带宽传输数据时，只要距离稍微远点，就无法跑满千兆。对于这种情况，可能第一反应是“线路繁忙，公网带宽不足，跑不满很正常”。不过如果你有在不同地区的多台千兆设备间传数据的经历的话，你大概会发现，最大传输速度跟延迟成负相关。

首先丢出个公式：

RTT * Bandwidth / 8 = BufferSize

1	RTT * Bandwidth / 8 = BufferSize

TCP有ARQ机制，已发出的数据要收到ACK后才能丢弃。因为至少要等一个RTT才能收到ACK，所以sendbuffer要至少能存放一个RTT内能发出的数据量。另外，TCP的拥塞控制也会根据接收方的receivebuffer大小限制数据的发出速率。因此，如果想达到100%的带宽利用率，双方的buffer size都得符合上述公式。

根据Linux kernel的document，TCP sendbuffer max size默认为4MB，所以RTT低于多少时才能保证千兆呢？

RTT * 1000 / 8 = 4MB

1	RTT * 1000 / 8 = 4MB

RTT = 32ms，只要超过32ms，你的千兆带宽就不能跑满。万兆网络的话，这个数还得除以十：3.2ms，基本上只能在局域网内跑满（我猜即使buffer够了，万兆在公网还真的跑不满……）。

这里再丢出两条公式：

# sendbuffer size
RTT * Bandwidth / 8 = SendBufferSize * 0.7

# receivebuffer size
if net.ipv4.tcp_adv_win_scale > 0
    RTT * (Bandwidth / 8) = ReceiveBufferSize - (ReceiveBufferSize  / 2^net.ipv4.tcp_adv_win_scale)
else
    RTT * (Bandwidth / 8) = ReceiveBufferSize / 2^(-net.ipv4.tcp_adv_win_scale))

# sendbuffer size

RTT * Bandwidth / 8 = SendBufferSize * 0.7

# receivebuffer size

if net.ipv4.tcp_adv_win_scale > 0

RTT * (Bandwidth / 8) = ReceiveBufferSize - (ReceiveBufferSize / 2^net.ipv4.tcp_adv_win_scale)

else

RTT * (Bandwidth / 8) = ReceiveBufferSize / 2^(-net.ipv4.tcp_adv_win_scale))

为什么会有另外两条公式？因为开头给出的只是理论值，实际上的buffer，并非仅用来储存payload，因此需要扣除非payload部分。

sendbuffer：

第一条计算sendbuffer的公式的系数0.7，是我测出来的，并不是准确值，为什么会是接近这个值，我还在寻找答案。

receivebuffer：

计算receivebuffer的可能有点复杂，对于tcp_adv_win_scale，kernel文档解释如下：

tcp_adv_win_scale – INTEGER
Count buffering overhead as bytes/2^tcp_adv_win_scale
(if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale),
if it is <= 0.

Possible values are [-31, 31], inclusive.

Default: 1

值的应用以及公式的出处，可以在这里找到：https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/include/net/tcp.h?h=v5.10.12#n1395

简单来讲，就是receivebuffer有一部分是作为buffering overhead的，其大小通过tcp_adv_win_scale进行控制。所以扣除这一部分才是实际用来存放payload的size。

buffer在内核中的设定：

TCP的sendbuffer与receivebuffer分别在net.ipv4.tcp_wmem和net.ipv4.tcp_rmem中设定：

# sysctl net.ipv4.tcp_wmem
net.ipv4.tcp_wmem = 4096	16384	4194304
# sysctl net.ipv4.tcp_rmem
net.ipv4.tcp_rmem = 4096	131072	6291456

# sysctl net.ipv4.tcp_wmem

net.ipv4.tcp_wmem = 4096 16384 4194304

# sysctl net.ipv4.tcp_rmem

net.ipv4.tcp_rmem = 4096 131072 6291456

三个值分别是min，default和max，kernel会在min和max自动调整，程序也可以通过setsockopt() API设定。

下面是对buffer的调整尝试：

A到B之间的RTT是146ms，A的sendbuffer max size是默认4MB，测试下B从A下载文件的速度：

root@B:~# ping -c A
PING A 56(84) bytes of data.
64 bytes from A: icmp_seq=1 ttl=55 time=146 ms
64 bytes from A: icmp_seq=2 ttl=55 time=146 ms
64 bytes from A: icmp_seq=3 ttl=55 time=146 ms

--- A ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 146.868/146.877/146.890/0.009 ms
root@B:~# curl -o /dev/null http://A/bigfile
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  4 5051M    4  219M    0     0  16.4M      0  0:05:07  0:00:13  0:04:54 19.0M

root@B:~# ping -c A

PING A 56(84) bytes of data.

64 bytes from A: icmp_seq=1 ttl=55 time=146 ms

64 bytes from A: icmp_seq=2 ttl=55 time=146 ms

64 bytes from A: icmp_seq=3 ttl=55 time=146 ms

--- A ping statistics ---

3 packets transmitted, 3 received, 0% packet loss, time 2002ms

rtt min/avg/max/mdev = 146.868/146.877/146.890/0.009 ms

root@B:~# curl -o /dev/null http://A/bigfile

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

4 5051M 4 219M 0 0 16.4M 0 0:05:07 0:00:13 0:04:54 19.0M

调整A的sendbuffer：

root@A~:# sysctl net.ipv4.tcp_wmem
net.ipv4.tcp_wmem = 4096	16384	4194304
# 0.146s * 1000Mbps / 8 / 0.7 ≈ 26M，置max为26M：
sysctl -w net.ipv4.tcp_wmem="4096 16384 27262976"

root@A~:# sysctl net.ipv4.tcp_wmem

net.ipv4.tcp_wmem = 4096 16384 4194304

# 0.146s * 1000Mbps / 8 / 0.7 ≈ 26M，置max为26M：

sysctl -w net.ipv4.tcp_wmem="4096 16384 27262976"

再到B上测试下速度：

root@B:~# curl -o /dev/null http://A/bigfile
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  4 5051M    4  247M    0     0  19.3M      0  0:04:20  0:00:12  0:04:08 21.2M

root@B:~# curl -o /dev/null http://A/bigfile

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

4 5051M 4 247M 0 0 19.3M 0 0:04:20 0:00:12 0:04:08 21.2M

快的确是快了，但只有21.2 MB/s，好像并不是预期的结果，如果你抓包看看A和B之间的数据包，你会发现，B的窗口大小上限是3 MB，见下图的Win：

所以这限制了未被ACK的数据量，A不能发送超出B接收能力的量，通过窗口大小和RTT可以反推出速度：3MB / 0.146s ≈ 20.5MB/s，接近curl的速度。

TCP窗口大小是receivebuffer的具体表现，查看一下B的receivebuffer：

root@B:~# sysctl net.ipv4.tcp_rmem
net.ipv4.tcp_rmem = 4096	131072	6291456
root@B:~# sysctl net.ipv4.tcp_adv_win_scale
net.ipv4.tcp_adv_win_scale = 1

root@B:~# sysctl net.ipv4.tcp_rmem

net.ipv4.tcp_rmem = 4096 131072 6291456

root@B:~# sysctl net.ipv4.tcp_adv_win_scale

net.ipv4.tcp_adv_win_scale = 1

如果把数值代入receivebuffer的公式，你可以算得receivebuffer的值是接近6MB，跟当前tcp_rmem的max size一致，所以B目前的行为是符合这两个数值的预期的。

下面调整下B的receivebuffer：

# 0.146s * 1000Mbps / 8 = receivebuffer - (receivebuffer / 2^1)
# 得receivebuffer = 36.5M
# 置receivebuffer max size 36M
root@B:~# sysctl -w net.ipv4.tcp_rmem="4096 131072 37748736"
net.ipv4.tcp_rmem = 4096 131072 37748736
root@B:~# curl -o /dev/null http://A/bigfile
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 16 5051M   16  844M    0     0  92.1M      0  0:00:54  0:00:09  0:00:45  112M

# 0.146s * 1000Mbps / 8 = receivebuffer - (receivebuffer / 2^1)

# 得receivebuffer = 36.5M

# 置receivebuffer max size 36M

root@B:~# sysctl -w net.ipv4.tcp_rmem="4096 131072 37748736"

net.ipv4.tcp_rmem = 4096 131072 37748736

root@B:~# curl -o /dev/null http://A/bigfile

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

16 5051M 16 844M 0 0 92.1M 0 0:00:54 0:00:09 0:00:45 112M

这时抓包，可以看到B的窗口大小上限是18M：

0.146s * 112MB/s = 16.352，可以确定目前的瓶颈是物理带宽而不是buffer。

再找了个与A的RTT是68ms的C：

root@C:~# ping -c 3 A
PING A 56(84) bytes of data.
64 bytes from A: icmp_seq=1 ttl=55 time=68.5 ms
64 bytes from A: icmp_seq=2 ttl=55 time=67.9 ms
64 bytes from A: icmp_seq=3 ttl=55 time=68.2 ms

--- A ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 67.949/68.218/68.481/0.371 ms
root@C:~# curl -o /dev/null http://A/bigfile
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 15 5051M   15  782M    0     0  40.5M      0  0:02:04  0:00:19  0:01:45 45.1M

root@C:~# ping -c 3 A

PING A 56(84) bytes of data.

64 bytes from A: icmp_seq=1 ttl=55 time=68.5 ms

64 bytes from A: icmp_seq=2 ttl=55 time=67.9 ms

64 bytes from A: icmp_seq=3 ttl=55 time=68.2 ms

--- A ping statistics ---

3 packets transmitted, 3 received, 0% packet loss, time 5ms

rtt min/avg/max/mdev = 67.949/68.218/68.481/0.371 ms

root@C:~# curl -o /dev/null http://A/bigfile

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

15 5051M 15 782M 0 0 40.5M 0 0:02:04 0:00:19 0:01:45 45.1M

A的sendbuffer已经调整过了，足以应付68ms的RTT，但C的receivebuffer还没调整：

root@C:~# sysctl net.ipv4.tcp_rmem
net.ipv4.tcp_rmem = 4096	131072	6291456
root@C:~# sysctl net.ipv4.tcp_adv_win_scale
net.ipv4.tcp_adv_win_scale = 1
# 调整为当前的两倍，也就是12M，那么预期的速度，按照公式，应该可以翻倍
root@C:~# sysctl -w net.ipv4.tcp_rmem="4096 131072 12582912"
net.ipv4.tcp_rmem = 4096 131072 12582912
root@C:~# curl -o /dev/null http://A/bigfile
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 49 5051M   49 2519M    0     0  88.2M      0  0:00:57  0:00:28  0:00:29 91.0M

root@C:~# sysctl net.ipv4.tcp_rmem

net.ipv4.tcp_rmem = 4096 131072 6291456

root@C:~# sysctl net.ipv4.tcp_adv_win_scale

net.ipv4.tcp_adv_win_scale = 1

# 调整为当前的两倍，也就是12M，那么预期的速度，按照公式，应该可以翻倍

root@C:~# sysctl -w net.ipv4.tcp_rmem="4096 131072 12582912"

net.ipv4.tcp_rmem = 4096 131072 12582912

root@C:~# curl -o /dev/null http://A/bigfile

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

49 5051M 49 2519M 0 0 88.2M 0 0:00:57 0:00:28 0:00:29 91.0M

新的速度接近原来的两倍，把数值代入公式：0.068s * rate = 12MB – (12MB / 2^1)，得rate = 88.2353MB/s，接近实际速率。

另外，这里再提一个参数“tcp_slow_start_after_idle”，kernel document的解释如下：

tcp_slow_start_after_idle – BOOLEAN
If set, provide RFC2861 behavior and time out the congestion
window after an idle period. An idle period is defined at
the current RTO. If unset, the congestion window will not
be timed out after an idle period.

Default: 1

这个功能默认是启用的，连接空闲一个RTO后，后面会从新进入慢启动状态，长连接要保证稳定性能的话，置0。