由Docker转发的重复的SYN包？

我正在经历一个CISCO防火墙和连接到它的Docker主机之间的奇怪交互：CISCO定期将我的主机标记为SYN攻击者，并closures我的以太网端口。

我一直在运行tcpdump主机过滤SYN数据包，这是我已经遇到的模式的一个例子：

20:45:53.863232 In 00:0c:29:67:9f:5b ethertype IPv4 (0x0800), length 76: 172.16.23.92.34272 > 172.16.23.102.3314: Flags [S], seq 2717143176, win 29200, options [mss 1460,sackOK,TS val 670292160 ecr 0,nop,wscale 7], length 0 20:45:53.863268 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.34272 > 172.17.0.8.3306: Flags [S], seq 2717143176, win 29200, options [mss 1460,sackOK,TS val 670292160 ecr 0,nop,wscale 7], length 0 20:45:53.863272 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.34272 > 172.17.0.8.3306: Flags [S], seq 2717143176, win 29200, options [mss 1460,sackOK,TS val 670292160 ecr 0,nop,wscale 7], length 0 20:45:53.863306 P 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.34272: Flags [S.], seq 1254244044, ack 2717143177, win 28960, options [mss 1460,sackOK,TS val 679018433 ecr 670292160,nop,wscale 7], length 0 20:45:53.863306 In 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.34272: Flags [S.], seq 1254244044, ack 2717143177, win 28960, options [mss 1460,sackOK,TS val 679018433 ecr 670292160,nop,wscale 7], length 0

logging：这是一个孤立的块，之前的数据包是从前两个多小时，而之后的数据包是超过10个小时之后。

Docker主机是172.16.23.102，另一台服务器（我们称之为foo）是IP 172.16.23.92。运行mysql的容器在docker专用networking的IP 172.17.0.8上，我们称之为mysql。

现在，如果我正确地解释这个转储：

Foo开始连接到docker：3314，这是一个docker暴露的端口
Docker将数据包转发到桥接端口上的mysql（非常相同的数据包：相同的seq，标志等）。
无论如何，Docker 再次转发数据包
Mysql用适当的SYN-ACK回复两次

现在，今天早上，同一个tcpdump命令logging的第一个通信就是这个怪物：

 09:13:45.034399 In 00:0c:29:67:9f:5b ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.16.23.102.3314: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034447 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034452 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034455 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034457 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034459 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034461 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034463 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034464 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034466 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034468 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034470 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034472 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034475 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034476 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034478 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034480 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034482 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034484 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034487 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034489 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034491 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034492 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0 09:13:45.034525 P 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.46089: Flags [S.], seq 1752355157, ack 4075356405, win 28960, options [mss 1460,sackOK,TS val 690236226 ecr 681509960,nop,wscale 7], length 0 09:13:45.034525 In 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.46089: Flags [S.], seq 1752355157, ack 4075356405, win 28960, options [mss 1460,sackOK,TS val 690236226 ecr 681509960,nop,wscale 7], length 0 09:13:45.034540 Out ec:79:01:bd:22:49 ethertype IPv4 (0x0800), length 76: 172.16.23.102.3314 > 172.16.23.92.46089: Flags [S.], seq 1752355157, ack 4075356405, win 28960, options [mss 1460,sackOK,TS val 690236226 ecr 681509960,nop,wscale 7], length 0

这次数据包被转发了很多次，mysql容器只回复两次，这次SYN-ACK也退出eth0接口。在之前的转储中没有发生，我猜想在这种情况下连接失败。

为什么docker多次转发数据包？我该如何解决？

添加一些更有用的信息的问题。

Docker主机有用的ARPcaching行：

 172.16.23.92 ether 00:0c:29:67:9f:5b C eth0 172.17.0.8 ether 02:42:ac:11:00:08 C docker0

docker桥接接口的ifconfig：

 docker0 Link encap:Ethernet HWaddr 02:42:ed:33:9c:27 inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0 eth0 Link encap:Ethernet HWaddr ec:79:01:bd:22:49 inet addr:172.16.23.102 Bcast:172.16.23.255 Mask:255.255.248.0