* bad tcp checksum
From: Jan den Ouden (ml) @ 2006-04-05 15:51 UTC
To: netfilter@lists.netfilter.org
Hi,
I'm seeing a strange problem with kernel 2.6.12 Xen domain0 with all
netfilter options compiled in. I'm trying to do port forwarding to an
internal machine from an internet gateway box.
What works ok is forwarding from gateway:143 to internalmachine:143.
But when I forward from gateway:1000 to internalmachine:143 I get bad
TCP checksums on the return packets. These packets are ignored on the
client machine on the external internet.
Iptables rules:
*nat
-A PREROUTING -d 213.84.168.6 -i ppp0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.50.3:143
-A PREROUTING -d 213.84.168.6 -i ppp0 -p tcp -m tcp --dport 1001 -j DNAT --to-destination 192.168.50.3:143
-A POSTROUTING -s 192.168.50.0/255.255.255.0 -o ppp0 -j SNAT --to 213.84.168.6
Example trace from client machine:
root@host2:/home/jan# tcpdump -vvv -r trace
reading from file trace, link-type EN10MB (Ethernet)
12:08:37.271198 IP (tos 0x10, ttl 64, id 48778, offset 0, flags [DF],
proto: TCP (6), length: 60) host2.denouden.info.32784 > vdmheen.nl.1001:
S, cksum 0xc616 (correct), 3872473067:3872473067(0) win 5840 <mss
1460,sackOK,timestamp 229729 0,nop,wscale 0>
12:08:37.304060 IP (tos 0x40, ttl 54, id 0, offset 0, flags [DF],
proto: TCP (6), length: 60) vdmheen.nl.1001 > host2.denouden.info.32784:
S, cksum 0xff8a (correct), 2453556454:2453556454(0) ack 3872473068 win
5792 <mss 1460,sackOK,timestamp 5433137 229729,nop,wscale 2>
12:08:37.304101 IP (tos 0x10, ttl 64, id 48779, offset 0, flags [DF],
proto: TCP (6), length: 52) host2.denouden.info.32784 > vdmheen.nl.1001:
., cksum 0x2e1e (correct), 1:1(0) ack 1 win 5840 <nop,nop,timestamp
229733 5433137>
12:08:37.349163 IP (tos 0x40, ttl 54, id 43987, offset 0, flags [DF],
proto: TCP (6), length: 209) vdmheen.nl.1001 >
host2.denouden.info.32784: P, cksum 0xc246 (incorrect (-> 0xbeec),
1:158(157) ack 1 win 1448 <nop,nop,timestamp 5433141 229733>
12:08:37.574322 IP (tos 0x40, ttl 54, id 43989, offset 0, flags [DF],
proto: TCP (6), length: 209) vdmheen.nl.1001 >
host2.denouden.info.32784: P, cksum 0xc22f (incorrect (-> 0xbed5),
1:158(157) ack 1 win 1448 <nop,nop,timestamp 5433164 229733>
12:08:38.034079 IP (tos 0x40, ttl 54, id 43991, offset 0, flags [DF],
proto: TCP (6), length: 209) vdmheen.nl.1001 >
host2.denouden.info.32784: P, cksum 0xc201 (incorrect (-> 0xbea7),
1:158(157) ack 1 win 1448 <nop,nop,timestamp 5433210 229733>
12:08:38.953738 IP (tos 0x40, ttl 54, id 43993, offset 0, flags [DF],
proto: TCP (6), length: 209) vdmheen.nl.1001 >
host2.denouden.info.32784: P, cksum 0xc1a5 (incorrect (-> 0xbe4b),
1:158(157) ack 1 win 1448 <nop,nop,timestamp 5433302 229733>
12:08:40.794190 IP (tos 0x40, ttl 54, id 43995, offset 0, flags [DF],
proto: TCP (6), length: 209) vdmheen.nl.1001 >
host2.denouden.info.32784: P, cksum 0xc0ed (incorrect (-> 0xbd93),
1:158(157) ack 1 win 1448 <nop,nop,timestamp 5433486 229733>
Does anybody have any idea what's wrong here? I've tried to search on
Google for an answer, but I couldn't find any people with similar problems.
Thanks,
Jan
* Re: bad tcp checksum
From: Tom Eastep @ 2006-04-05 16:20 UTC
To: netfilter
On Wednesday 05 April 2006 08:51, Jan den Ouden (ml) wrote:
> Hi,
>
> I'm seeing a strange problem with kernel 2.6.12 Xen domain0 with all
> netfilter options compiled in. I'm trying to do port forwarding to an
> internal machine from an internet gateway box.
>
> What works ok is forwarding from gateway:143 to internalmachine:143.
>
> But when I forward from gateway:1000 to internalmachine:143 I get bad
> TCP checksums on the return packets. These packets are ignored on the
> client machine on the external internet.
>
I suggest that you search the Xen-users list archives -- this issue has been
discussed ad nauseam.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
* Re: bad tcp checksum
From: Jan den Ouden @ 2006-04-05 17:18 UTC
To: Tom Eastep; +Cc: netfilter
Yes, you're right, the solution is to use ethtool in the domU domain to
disable checksum offloading. I didn't expect it was related to Xen, so
that's why I asked here.
Thanks for the pointer.
Jan
Tom Eastep wrote:
> On Wednesday 05 April 2006 08:51, Jan den Ouden (ml) wrote:
>
>> Hi,
>>
>> I'm seeing a strange problem with kernel 2.6.12 Xen domain0 with all
>> netfilter options compiled in. I'm trying to do port forwarding to an
>> internal machine from an internet gateway box.
>>
>> What works ok is forwarding from gateway:143 to internalmachine:143.
>>
>> But when I forward from gateway:1000 to internalmachine:143 I get bad
>> TCP checksums on the return packets. These packets are ignored on the
>> client machine on the external internet.
>>
>>
>
> I suggest that you search the Xen-users list archives -- this issue has been
> discussed ad nauseam.
>
> -Tom
>
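Added example, not part of the original thread: a check over the tcpdump lines from the first message showing that every flagged checksum is off by exactly the DNAT port delta (1001 - 143), which is what a port rewrite that never reached the transmitted checksum looks like. The internal port 143 is taken from the posted DNAT rules; the function names and the trimmed sample lines are constructed for this example.

```python
import re

# Constructed sample: packets from the trace in the first message, each
# re-joined onto one line and trimmed to the fields used here.
TRACE = """\
vdmheen.nl.1001 > host2.denouden.info.32784: S, cksum 0xff8a (correct), 2453556454:2453556454(0) ack 3872473068
vdmheen.nl.1001 > host2.denouden.info.32784: P, cksum 0xc246 (incorrect (-> 0xbeec), 1:158(157) ack 1
vdmheen.nl.1001 > host2.denouden.info.32784: P, cksum 0xc22f (incorrect (-> 0xbed5), 1:158(157) ack 1
vdmheen.nl.1001 > host2.denouden.info.32784: P, cksum 0xc201 (incorrect (-> 0xbea7), 1:158(157) ack 1
vdmheen.nl.1001 > host2.denouden.info.32784: P, cksum 0xc1a5 (incorrect (-> 0xbe4b), 1:158(157) ack 1
vdmheen.nl.1001 > host2.denouden.info.32784: P, cksum 0xc0ed (incorrect (-> 0xbd93), 1:158(157) ack 1
"""

# "<host>.<sport> > <dst>: ... cksum 0xFOUND (incorrect (-> 0xEXPECTED)"
BAD = re.compile(
    r"\S+\.(\d+) > \S+ .*?cksum (0x[0-9a-f]+) \(incorrect \(-> (0x[0-9a-f]+)\)"
)


def ones_complement_delta(found, expected):
    """found - expected in 16-bit one's-complement arithmetic (mod 0xffff)."""
    return (found - expected) % 0xFFFF


def bad_checksums(trace):
    """Yield (src_port, found, expected) for each packet tcpdump flagged."""
    for line in trace.splitlines():
        m = BAD.search(line)
        if m:
            yield int(m[1]), int(m[2], 16), int(m[3], 16)


def diagnose(trace, internal_port):
    """Compare each checksum error with the port delta introduced by NAT.

    The checksum field is the complement of the sum, so rewriting the source
    port from internal_port to the external port lowers the correct checksum
    by the port delta; a checksum left at its pre-rewrite value is therefore
    too high by exactly that delta.
    """
    deltas_by_port = {}
    for sport, found, expected in bad_checksums(trace):
        deltas_by_port.setdefault(sport, set()).add(
            ones_complement_delta(found, expected))
    return {
        sport: {
            "deltas": sorted(deltas),
            "port_delta": (sport - internal_port) % 0xFFFF,
            "matches_port_rewrite": deltas == {(sport - internal_port) % 0xFFFF},
        }
        for sport, deltas in deltas_by_port.items()
    }
```

With the 143 to 143 rule the port delta is zero, so this particular error term cannot appear there.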