relayd shows ssh sessions as idle


relayd shows ssh sessions as idle

Joel Carnat
Hi,

I have configured relayd(8) on my vmd(8) host so that I can connect to
the running VMs using SSH.

Using relayctl(8), I can see that those sessions have the same value for
age and idle, even when something happens in the SSH sessions.

Is this expected or an error in my relayd.conf?

Thanks.

####
# config snippet

protocol sshtcp {
  tcp { nodelay, socket buffer 65536 }
}
relay ssh_vm1 {
  listen on $public_ip port 8022
  protocol sshtcp
  transparent forward to $vm1 port 8022
  session timeout 28800
}
#
####


Re: relayd shows ssh sessions as idle

Sebastian Benoit
Joel Carnat([hidden email]) on 2019.06.12 16:10:25 +0200:

> Hi,
>
> I have configured relayd(8) on my vmd(8) host so that I can connect to
> the running VMs using SSH.
>
> Using relayctl(8), I can see that those sessions have the same value for
> age and idle, even when something happens in the SSH sessions.
>
> Is this expected or an error in my relayd.conf?
>
> Thanks.
>
> ####
> # config snippet
>
> protocol sshtcp {
>   tcp { nodelay, socket buffer 65536 }

this uses the implicit "splice" option.

If you add "no splice" to the tcp options, the idle time will be reset.

The reason is this: After connection setup, relayd "splices" the socket
connecting to the ssh client to the socket connecting to the ssh server.
After that, the kernel takes care of transferring data between the client
connection and the forward connection. relayd does not see the traffic
anymore.

It will only touch the connection again when a maximum number of bytes are
transferred, or a timeout triggers.

For tcp connections, the max number of bytes is unlimited, and the timeout
is set to your session timeout.

(For http connections, the max number of bytes is smaller, because relayd
wants to look at the headers of the next http request).

So relayd cannot know if the connection has been idle. It will only know
when it reaches "session timeout". If you don't like this, use "no splice".
However, that makes the connection slower and consumes more cpu.

/Benno

> }
> relay ssh_vm1 {
>   listen on $public_ip port 8022
>   protocol sshtcp
>   transparent forward to $vm1 port 8022
>   session timeout 28800
> }
> #
> ####
>

--
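The two tcp option sets described in this reply, side by side, as an added example (not Joel's config or relayd's own documentation); the protocol names are illustrative and the behaviour in the comments is what the reply states.

```conf
# Added example: the same relay with relayd's default (implicit) splice
# and with "no splice". Protocol names and addresses are illustrative.

# Default: after connection setup the client and server sockets are
# spliced in the kernel, so relayd never sees the traffic again.
# relayctl's "idle" counter therefore stays equal to "age"; the only
# thing that ends the session is "session timeout" (28800 s = 8 h here).
protocol sshtcp_spliced {
  tcp { nodelay, socket buffer 65536 }
}

# Alternative: relayd copies the data itself, so it sees every byte,
# resets the idle counter, and relayctl reports the real idle time.
# Cost: the connection is slower and relayd uses more cpu.
protocol sshtcp_nosplice {
  tcp { nodelay, socket buffer 65536, no splice }
}

relay ssh_vm1 {
  listen on $public_ip port 8022
  protocol sshtcp_nosplice
  transparent forward to $vm1 port 8022
  session timeout 28800
}
```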


Re: relayd shows ssh sessions as idle

Joel Carnat
On Mon, Jun 17, 2019 at 11:56:08PM +0200, Sebastian Benoit wrote:

> Joel Carnat([hidden email]) on 2019.06.12 16:10:25 +0200:
> > Hi,
> >
> > I have configured relayd(8) on my vmd(8) host so that I can connect to
> > the running VMs using SSH.
> >
> > Using relayctl(8), I can see that those sessions have the same value for
> > age and idle, even when something happens in the SSH sessions.
> >
> > Is this expected or an error in my relayd.conf?
> >
> > Thanks.
> >
> > ####
> > # config snippet
> >
> > protocol sshtcp {
> >   tcp { nodelay, socket buffer 65536 }
>
> this uses the implicit "splice" option.
>
> If you add "no splice" to the tcp options, the idle time will be reset.
>
> The reason is this: After connection setup, relayd "splices" the socket
> connecting to the ssh client to the socket connecting to the ssh server.
> After that, the kernel takes care of transferring data between the client
> connection and the forward connection. relayd does not see the traffic
> anymore.
>
> It will only touch the connection again when a maximum number of bytes are
> transferred, or a timeout triggers.
>
> For tcp connections, the max number of bytes is unlimited, and the timeout
> is set to your session timeout.
>
> (For http connections, the max number of bytes is smaller, because relayd
> wants to look at the headers of the next http request).
>
> So relayd cannot know if the connection has been idle. It will only know
> when it reaches "session timeout". If you don't like this, use "no splice".
> However, that makes the connection slower and consumes more cpu.
>
> /Benno
>

Thanks a lot for this detailed explanation.

I'll check cpu consumption and connection speed to see if I'd rather
stick with a long timeout configuration.

Regards,
Jo