On 1/29/2015 12:18 PM, Robin Helgelin wrote:
>
>> I guess it's time to look at a test imap session with tcpdump. Please
>> use the '-e' option, so we can see the link-layer header.
>
> Something like this? This is me logging in and logging out over the standard
> port using tls.
>
> Using tcpdump -e -v on the nat:ed server.

Here's my interpretation:

TME -- homeip port 51137 sends a SYN at 21:30:31:884557
21:30:31.884557 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 55, id 37816, offset 0, flags [DF], proto: TCP (6), length: 52) homeip.51137 > serverip.imap: S, cksum 0x01cb (correct), 4088991924:4088991924(0) win 65535 <mss 1460,wscale 6,sackOK,eol>

TME -- server responds with a SYN,ACK
21:30:31.884666 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 52) serverip.imap > homeip.51137: S, cksum 0x35fd (correct), 341484173:341484173(0) ack 4088991925 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 6>

TME -- client apparently doesn't see the response and sends another SYN
21:30:32.398737 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 55, id 37736, offset 0, flags [DF], proto: TCP (6), length: 52) homeip.51137 > serverip.imap: S, cksum 0x01cb (correct), 4088991924:4088991924(0) win 65535 <mss 1460,wscale 6,sackOK,eol>

TME -- server sends another SYN,ACK
21:30:32.398783 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 52) serverip.imap > homeip.51137: S, cksum 0x35fd (correct), 341484173:341484173(0) ack 4088991925 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 6>

TME -- again the client fails to see the response and resends a SYN
21:30:32.632891 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 55, id 58371, offset 0, flags [DF], proto: TCP (6), length: 52) homeip.51137 > serverip.imap: S, cksum 0x01cb (correct), 4088991924:4088991924(0) win 65535 <mss 1460,wscale 6,sackOK,eol>

TME -- server sends another SYN,ACK
21:30:32.632939 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 52) serverip.imap > homeip.51137: S, cksum 0x35fd (correct), 341484173:341484173(0) ack 4088991925 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 6>

TME -- pattern continues
21:30:32.820934 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 55, id 12531, offset 0, flags [DF], proto: TCP (6), length: 52) homeip.51137 > serverip.imap: S, cksum 0x01cb (correct), 4088991924:4088991924(0) win 65535 <mss 1460,wscale 6,sackOK,eol>
21:30:32.820982 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 52) serverip.imap > homeip.51137: S, cksum 0x35fd (correct), 341484173:341484173(0) ack 4088991925 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 6>

TME -- finally, the client has seen the response and sends an ACK
21:30:32.829491 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 33731, offset 0, flags [DF], proto: TCP (6), length: 40) homeip.51137 > serverip.imap: ., cksum 0x6d9e (correct), ack 1 win 8192

TME -- homeip sends request
21:30:32.829545 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 15499, offset 0, flags [DF], proto: TCP (6), length: 40) homeip.51137 > serverip.imap: ., cksum 0x6d8a (correct), ack 1 win 8212

TME -- And another
21:30:32.829558 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 46493, offset 0, flags [DF], proto: TCP (6), length: 40) homeip.51137 > serverip.imap: ., cksum 0x6d8a (correct), ack 1 win 8212

TME -- Home ACKs
21:30:32.856991 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 5728, offset 0, flags [DF], proto: TCP (6), length: 40) homeip.51137 > serverip.imap: ., cksum 0x6d8a (correct), ack 1 win 8212

TME -- Server sends 115-byte payload
21:30:32.867262 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 169: (tos 0x0, ttl 64, id 55467, offset 0, flags [DF], proto: TCP (6), length: 155) serverip.imap > homeip.51137: P 1:116(115) ack 1 win 92

TME -- homeip ACKs the 115-byte payload and sends 15-byte reply
21:30:32.893008 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 55, id 14399, offset 0, flags [DF], proto: TCP (6), length: 54) homeip.51137 > serverip.imap: P, cksum 0xbb6c (correct), 1:15(14) ack 116 win 8208

TME -- Server ACKs 15-byte reply
21:30:32.893060 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 55468, offset 0, flags [DF], proto: TCP (6), length: 40) serverip.imap > homeip.51137: ., cksum 0x8cc1 (correct), ack 15 win 92

TME -- homeip ACKs
21:30:32.893009 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 54436, offset 0, flags [DF], proto: TCP (6), length: 40) homeip.51137 > serverip.imap: ., cksum 0x6d1b (correct), ack 116 win 8208

TME -- Server ACKs
21:30:32.893101 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 55469, offset 0, flags [DF], proto: TCP (6), length: 40) serverip.imap > homeip.51137: ., cksum 0x8cc1 (correct), ack 15 win 92

TME -- Server sends 115-byte payload
21:30:32.893596 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 221: (tos 0x0, ttl 64, id 55470, offset 0, flags [DF], proto: TCP (6), length: 207) serverip.imap > homeip.51137: P 116:283(167) ack 15 win 92

TME -- homeip ACKs 115-byte payload and sends 15-byte payload
21:30:32.925149 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 55, id 7414, offset 0, flags [DF], proto: TCP (6), length: 52) homeip.51137 > serverip.imap: P, cksum 0xfbde (correct), 15:27(12) ack 283 win 8203

TME -- server ACKs 15-byte payload
21:30:32.925150 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 35908, offset 0, flags [DF], proto: TCP (6), length: 40) homeip.51137 > serverip.imap: ., cksum 0x6c6b (correct), ack 283 win 8203

TME -- server sends packet with 33-byte payload with apparent bad checksum
21:30:32.925501 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 87: (tos 0x0, ttl 64, id 55471, offset 0, flags [DF], proto: TCP (6), length: 73) serverip.imap > homeip.51137: P, cksum 0x9ec9 (incorrect (-> 0xa844), 283:316(33) ack 27 win 92

TME -- Checksum must have been okay because homeip ACKed 33 bytes
21:30:32.981547 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 16389, offset 0, flags [DF], proto: TCP (6), length: 40) homeip.51137 > serverip.imap: ., cksum 0x6c3f (correct), ack 316 win 8202

TME -- Home sends a packet with a 308-byte payload
21:30:32.982027 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 362: (tos 0x0, ttl 55, id 8216, offset 0, flags [DF], proto: TCP (6), length: 348) homeip.51137 > serverip.imap: P 27:335(308) ack 316 win 8202

TME -- server acks 308 bytes
21:30:33.021462 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 55472, offset 0, flags [DF], proto: TCP (6), length: 40) serverip.imap > homeip.51137: ., cksum 0x8aa9 (correct), ack 335 win 108

TME -- server sends 1460-byte payload
21:30:33.076123 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 55473, offset 0, flags [DF], proto: TCP (6), length: 1500) serverip.imap > homeip.51137: . 316:1776(1460) ack 335 win 108

TME -- server sends 993-byte payload
21:30:33.076138 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 1047: (tos 0x0, ttl 64, id 55474, offset 0, flags [DF], proto: TCP (6), length: 1033) serverip.imap > homeip.51137: P 1776:2769(993) ack 335 win 108

TME -- home ACKs 2453 bytes = 1460+993
21:30:33.095451 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 43375, offset 0, flags [DF], proto: TCP (6), length: 40) homeip.51137 > serverip.imap: ., cksum 0x61c2 (correct), ack 2769 win 8126

TME -- home sends 198-byte payload
21:30:33.100886 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 252: (tos 0x0, ttl 55, id 46057, offset 0, flags [DF], proto: TCP (6), length: 238) homeip.51137 > serverip.imap: P 335:533(198) ack 2769 win 8192

TME -- Server ACKs 198 bytes (533 - 335)
21:30:33.100902 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 55475, offset 0, flags [DF], proto: TCP (6), length: 40) serverip.imap > homeip.51137: ., cksum 0x803d (correct), ack 533 win 125

TME -- Server sends 59-byte payload
21:30:33.106633 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 113: (tos 0x0, ttl 64, id 55476, offset 0, flags [DF], proto: TCP (6), length: 99) serverip.imap > homeip.51137: P 2769:2828(59) ack 533 win 125

TME -- home ACKs 2828-2769 = 59 bytes
21:30:33.159497 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 58164, offset 0, flags [DF], proto: TCP (6), length: 40) homeip.51137 > serverip.imap: ., cksum 0x6081 (correct), ack 2828 win 8190

TME -- home sends 106-byte payload
21:30:40.612691 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 160: (tos 0x0, ttl 55, id 51514, offset 0, flags [DF], proto: TCP (6), length: 146) homeip.51137 > serverip.imap: P 533:639(106) ack 2828 win 8192

TME -- Server sends 426-byte payload while ACKing 639 - 533 = 106 bytes
21:30:40.646260 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 480: (tos 0x0, ttl 64, id 55477, offset 0, flags [DF], proto: TCP (6), length: 466) serverip.imap > homeip.51137: P 2828:3254(426) ack 639 win 125

TME -- Home ACKs 3254 - 2828 = 426 bytes.
21:30:40.660492 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 23202, offset 0, flags [DF], proto: TCP (6), length: 40) homeip.51137 > serverip.imap: ., cksum 0x5e79 (correct), ack 3254 win 8178

TME -- Home sends a 74-byte payload
21:30:43.117689 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 128: (tos 0x0, ttl 55, id 6012, offset 0, flags [DF], proto: TCP (6), length: 114) homeip.51137 > serverip.imap: P 639:713(74) ack 3254 win 8192

TME -- Server ACKs ( 713 - 639 ) = 74 bytes and includes 143-byte payload
21:30:43.119467 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 197: (tos 0x0, ttl 64, id 55478, offset 0, flags [DF], proto: TCP (6), length: 183) serverip.imap > homeip.51137: FP 3254:3397(143) ack 713 win 125

TME -- Home ACKs 3398 - 3254 = 74
21:30:43.132731 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 55544, offset 0, flags [DF], proto: TCP (6), length: 40) homeip.51137 > serverip.imap: ., cksum 0x5d96 (correct), ack 3398 win 8187

TME -- Home ACKs
21:30:43.132780 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 47491, offset 0, flags [DF], proto: TCP (6), length: 40) homeip.51137 > serverip.imap: F, cksum 0x5d6b (correct), 750:750(0) ack 3398 win 8192

TME -- Server ACKs
21:30:43.132886 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) serverip.imap > homeip.51137: R, cksum 0x84d4 (correct), 341487571:341487571(0) win 0

TME -- Server RSTs
21:30:43.132860 00:0c:29:f9:a5:2a (oui Unknown) > 00:0c:29:89:8b:50 (oui Unknown), ethertype IPv4 (0x0800), length 91: (tos 0x0, ttl 55, id 284, offset 0, flags [DF], proto: TCP (6), length: 77) homeip.51137 > serverip.imap: P, cksum 0x2144 (correct), 713:750(37) ack 3398 win 8192

TME -- Home RSTs
21:30:43.132937 00:0c:29:89:8b:50 (oui Unknown) > 00:0c:29:f9:a5:2a (oui Unknown), ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) serverip.imap > homeip.51137: R, cksum 0x84d4 (correct), 341487571:341487571(0) win 0

So the only thing questionable seems to be the lost SYN,ACKs during
connection establishment.

As the next experiment, please capture the session on both the IMAP server
and on the firewall's external interface. That way, we can compare what the
two boxes are seeing. After the test, please also capture the output of
'shorewall show connections'.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
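
An added example, not part of the message above and not Shorewall code: a small Python check for the one anomaly the trace shows, SYN retransmissions that keep arriving after the capture already shows a matching SYN,ACK leaving the server. It assumes the old-style `tcpdump -e -v` text format seen in the trace, with each packet on a single line; the sample lines, host names and numbers are constructed.

```python
import re
from collections import defaultdict

# TCP summary as printed in the trace above: after the IP header's closing ")",
# "src.port > dst.port: FLAGS[, cksum ...], seq:seq(len) [ack N]".
PKT = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ .*\) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFPRW.]+),? (?:cksum \S+ \([^)]*\), )?"
    r"(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?")

def lost_synacks(lines):
    """Count, per (client, server) flow, the SYN retransmissions that arrive
    after this capture already shows a matching SYN,ACK leaving the server."""
    isn = {}            # flow -> initial sequence number of the current SYN
    answered = set()    # flows whose SYN has been answered by a SYN,ACK
    retries = defaultdict(int)
    for line in lines:
        m = PKT.match(line)
        if not m or "S" not in m["flags"]:
            continue    # pure ACKs, data, FIN and RST do not matter here
        if m["ack"] is None:                      # bare SYN, client -> server
            flow, seq = (m["src"], m["dst"]), int(m["seq"])
            if isn.get(flow) == seq:
                if flow in answered:
                    retries[flow] += 1            # same ISN again after a SYN,ACK
            else:
                isn[flow] = seq                   # new connection attempt
                answered.discard(flow)
        else:                                     # SYN,ACK, server -> client
            flow = (m["dst"], m["src"])
            if flow in isn and int(m["ack"]) == (isn[flow] + 1) % 2**32:
                answered.add(flow)
    return dict(retries)

# Constructed sample in the same format; hosts, MACs and numbers are made up.
HDR = ("{ts} 02:00:00:00:00:{a} (oui Unknown) > 02:00:00:00:00:{b} (oui Unknown), "
       "ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, "
       "flags [DF], proto: TCP (6), length: 52) ")
SYN = HDR + ("client.50000 > server.imap: S, cksum 0x1111 (correct), "
             "1000:1000(0) win 65535 <mss 1460>")
SYNACK = HDR + ("server.imap > client.50000: S, cksum 0x2222 (correct), "
                "7000:7000(0) ack 1001 win 5840 <mss 1460>")
SAMPLE = []
for ts in ("10:00:00.0001", "10:00:00.5001", "10:00:00.7501"):
    SAMPLE.append(SYN.format(ts=ts, a="01", b="02"))
    SAMPLE.append(SYNACK.format(ts=ts + "9", a="02", b="01"))

if __name__ == "__main__":
    for (client, server), n in lost_synacks(SAMPLE).items():
        print(f"{client} -> {server}: {n} SYN retries after a SYN,ACK was sent")
```

Running it separately over the text of each capture requested above (IMAP server and firewall external interface) shows on which box the SYN,ACKs are still visible.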
