Iperf3 UDP Reliability Issues with Iptables Drop Random

iperfiptableslinux-networkingnetworkingperformance-monitoring

I'm performing some local test on my network with iperf3 using UDP connections between 2 Ubuntu 18.04 hosts. But it seems that the UDP iperf3 connections it is not robust to support a random packet drop of 0.1?
When executing the iperf3 tests, the server hangs (i need to restart the server to allow connecting again) and I'm seeing this errors:

At the server:

iperf3: the client has unexpectedly closed the connection

At the client:

error – unable to write to stream socket: Operation not permitted

To simulate/test a bad hop on my network I'm using iptables to generate random packet drops with this command (executed at the host A):

sudo iptables -A OUTPUT -p udp -d HOSTB -m statistic --mode random --probability 0.01 -j DROP

And the iperf3 executed at the host A:

iperf3 --version4 --udp --client 10.0.3.10 --port 4000 --bind 10.0.1.10 --cport 12346 --json --zerocopy --verbose --bandwidth 300M --debug

At the host B i'm using:

iperf3 --verbose --server --port 4000 --version4 --debug

As far as documentation goes, iperf3 can work with very bad networks, what can be happening here?

Best Answer

By the helpful comments from @Appleoddity I found where I now think the error was. Dropping the packets at the output can trigger errors at the application level, instead of only simulating a noisy channel.

By running the iptables drop against the input at the host B the problem is gone:

sudo iptables -A INPUT -p udp -s 10.0.1.10 -m statistic --mode random --probability 0.1 -j DROP

For the NFS service

Assuming you're right about having modified the NFS service to listen on 4000-4004, clients should add

iptables -A INPUT  -d se.rv.er.ip -p udp --dport 4000:4004 -j ACCEPT
iptables -A OUTPUT -s se.rv.er.ip -p udp --sport 4000:4004 -j ACCEPT

while the server should add

iptables -A INPUT  -p udp --dport 4000:4004 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4000:4004 -j ACCEPT

If you want to permit NFS over TCP, repeat those rules with -p tcp instead of -p udp.

For the portmapper

Clients should add

iptables -A INPUT  -d se.rv.er.ip -p udp --dport 111 -j ACCEPT
iptables -A OUTPUT -s se.rv.er.ip -p udp --sport 111 -j ACCEPT

while the server should add

iptables -A INPUT  -p udp --dport 111 -j ACCEPT
iptables -A OUTPUT -p udp --sport 111 -j ACCEPT

You may need to add pairs of rules for -p tcp as well, as the portmapper usually supports TCP as well. Check your rejection logs to see what's being DROPped and adjust accordingly.

For the mount daemon

You need to find out what port it's running on on the server, with server% rpcinfo -p | grep mount; on my server it's UDP/32775 and TCP/32769. To allow those, clients should add

iptables -A INPUT  -d se.rv.er.ip -p udp --dport 32775 -j ACCEPT
iptables -A OUTPUT -s se.rv.er.ip -p udp --sport 32775 -j ACCEPT

while the server should add

iptables -A INPUT  -p udp --dport 32775 -j ACCEPT
iptables -A OUTPUT -p udp --sport 32775 -j ACCEPT

and two similar pairs with -p tcp --[ds]port 32769.

It is your responsibility to get those lines in the right place in your INPUT and OUTPUT chains; near the beginning is probably a good idea.

Edit: in the light of your answer below, I have updated the rules above.

Best Answer

Related Solutions

Linux – iptables drop not working with udp flood, causing high ping

Ubuntu – NFS support in iptables (or other firewall)

For the NFS service

For the portmapper

For the mount daemon

Related Topic