On Tue, Mar 18, 2025 at 09:28:23AM +0100, Stefano Brivio wrote:On Tue, 18 Mar 2025 16:21:58 +1100 David Gibson <david(a)gibson.dropbear.id.au> wrote:Right. I hadn't dug up that section, but I was kind of assuming that was the case.Continued investigating the problem with migration failing across a bridge. Good news is I've found the problem... or at least one problem.\o/Bad news is we'll have to change the migration stream format to fix it.Whoops, sorry, my bad. And now, RFC 7323, section 3.2, contrary to RFC 1323 (also section 3.2), requires that we keep sending timestamps if we negotiated them: Once TSopt has been successfully negotiated, that is both <SYN> and <SYN,ACK> contain TSopt, the TSopt MUST be sent in every non-<RST> segment for the duration of the connection ...so we can't just disable them for migrated flows.Strictly speaking, I don't think it's necessary to define a new version of the format, because I'm really really sure nobody is using this yet, other than for tests.If you want to use this as a chance to play with/test a version bump, we can do it. My preference would be to keep this as v1 anyway for the moment, regardless of the *non*-breakage, for simplicity. That is, whoops, migration is broken on 2025_02_17.a1e48a0.Right. I did decide to bump the version, my reasoning is explained in the commit message, but I didn't attempt to maintain backwards compatibility with v1 for this reason.Yeah. It's not in tcp(7), unfortunately.The packets are being dropped in tcp_validate_incoming() due to a failed PAWS check (skb drop reason "TCP_RFC7323_PAWS"). That in turn looks to be because we don't preserve TCP timestamp state across the migration. We preserve _whether_ TCP timestamps are active on the connection (TCPOPT_TIMESTAMP entry in TCP_REPAIR_OPTIONS), but we don't preserve the current timestamp values (TCP_TIMESTAMP socket option). The equivalent CRIU code is https://github.com/checkpoint-restore/criu/blob/d18912fc88f3dc7bde5fdfa3575… and https://github.com/checkpoint-restore/criu/blob/d18912fc88f3dc7bde5fdfa3575… I'll work on writing a fix tomorrow. Not yet sure why we didn't hit this with a local migration. I'm guessing some part of being a local connection means we're bypassing the PAWS check.The TCP_TIMESTAMP option is documented... not where it should be documented, grr:https://criu.org/index.php?title=TCP_connection#Timestamp and I _guess_ that two guests using kvm-clock as clock source might actually have the same jiffies, and from this description, same jiffies, same timestamps.Perhaps in your nested case not all guests are using kvm-clock, or there's something else to it.So... the L2 clock is irrelevant as this problem is on the socket side. In my test I'm using namespaces, not VMs for the L1 so they'd be even more likely to have the same jiffies, but it still breaks. That makes sense, because with net.ipv4.tcp_timestamps=1 (which is the default on both my Fedora and Debian system) there's supposed to be a random offset for every connection (that *is* documented in tcp(7)). What I don't understand is why it _doesn't_ fail when going fully local to local. I wondered if it might be that timestamps were disabled by default for local connections, but that doesn't appear to be the case. -- David Gibson (he or they) | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you, not the other way | around. http://www.ozlabs.org/~dgibson