[suse-security] SuSEfirewall causes network delay after kernel upgrade on 9.1

From: Ashley Gould (agoulducop.edu)
Date: Wed Sep 14 2005 - 19:53:26 CDT


SuSE Prof. 9.1
2.6.5-7.201-smp
SuSEfirewall2-3.1-310.3

After updating to the latest kernel rpm on our webserver, we experience
consistent delay in access times to all web pages of about .2 seconds.
Running tcpdump on page access shows a pause just before the server
pushes the first full data packet after acknowledging the GET request from the client.

After many days of hair pulling, flapping about of managers and
pestering of network people, I traced this down to the SuSEfirewall,
specifically a mangle rule in the postrouting table:

-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08

After extracting this rule with iptables-save/restore, the delay is gone.

iptables-save -c >/tmp/fw_rules.before
cp /tmp/fw_rules.before /tmp/fw_rules.after
vi /tmp/fw_rules.after
iptables-restore < /tmp/fw_rules.after

Boring example section:

before:

isis:/tmp # time wget http://web4.ucop.edu/welcome.html 2>/dev/null
real 0m0.214s
user 0m0.004s
sys 0m0.002s

17:37:49.368030 IP isis.ucop.edu.56928 > web4.ucop.edu.http: S 976613069:976613069(0) win 5840 <mss 1460,sackOK,timestamp 1061325334 0,nop,wscale 0>
17:37:49.369175 IP web4.ucop.edu.http > isis.ucop.edu.56928: S 3542901817:3542901817(0) ack 976613070 win 5792 <mss 1460,sackOK,timestamp 1058046393 1061325334,nop,wscale 0>
17:37:49.369256 IP isis.ucop.edu.56928 > web4.ucop.edu.http: . ack 1 win 5840 <nop,nop,timestamp 1061325335 1058046393>
17:37:49.369971 IP isis.ucop.edu.56928 > web4.ucop.edu.http: P 1:119(118) ack 1 win 5840 <nop,nop,timestamp 1061325336 1058046393>
17:37:49.370298 IP web4.ucop.edu.http > isis.ucop.edu.56928: . ack 119 win 5792 <nop,nop,timestamp 1058046394 1061325336>
17:37:49.572037 IP web4.ucop.edu.http > isis.ucop.edu.56928: P 1:1449(1448) ack 119 win 5792 <nop,nop,timestamp 1058046595 1061325336>
17:37:49.572056 IP isis.ucop.edu.56928 > web4.ucop.edu.http: . ack 1449 win 8688 <nop,nop,timestamp 1061325538 1058046595>
17:37:49.572713 IP web4.ucop.edu.http > isis.ucop.edu.56928: P 1449:2897(1448) ack 119 win 5792 <nop,nop,timestamp 1058046596 1061325538>

after:

isis:/tmp # time wget http://web4.ucop.edu/welcome.html 2>/dev/null
real 0m0.014s
user 0m0.002s
sys 0m0.003s

17:41:07.739979 IP isis.ucop.edu.56929 > web4.ucop.edu.http: S 1175547782:1175547782(0) win 5840 <mss 1460,sackOK,timestamp 1061523741 0,nop,wscale 0>
17:41:07.740787 IP web4.ucop.edu.http > isis.ucop.edu.56929: S 3744031582:3744031582(0) ack 1175547783 win 5792 <mss 1460,sackOK,timestamp 1058244790 1061523741,nop,wscale 0>
17:41:07.740814 IP isis.ucop.edu.56929 > web4.ucop.edu.http: . ack 1 win 5840 <nop,nop,timestamp 1061523742 1058244790>
17:41:07.741554 IP isis.ucop.edu.56929 > web4.ucop.edu.http: P 1:119(118) ack 1 win 5840 <nop,nop,timestamp 1061523742 1058244790>
17:41:07.741981 IP web4.ucop.edu.http > isis.ucop.edu.56929: . ack 119 win 5792 <nop,nop,timestamp 1058244792 1061523742>
17:41:07.742705 IP web4.ucop.edu.http > isis.ucop.edu.56929: . 1:1449(1448) ack 119 win 5792 <nop,nop,timestamp 1058244792 1061523742>
17:41:07.742729 IP isis.ucop.edu.56929 > web4.ucop.edu.http: . ack 1449 win 8688 <nop,nop,timestamp 1061523743 1058244792>
17:41:07.742823 IP web4.ucop.edu.http > isis.ucop.edu.56929: . 1449:2897(1448) ack 119 win 5792 <nop,nop,timestamp 1058244792 1061523742>

--

-ashley

Did you try poking at it with a stick?
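
The stall in the two traces above can be measured rather than read off by eye. The following is an added example, not part of the original post: it parses tcpdump text output and reports the time from the client's first payload segment (the GET) to the server's first payload segment. The function names are hypothetical, the sample lines are taken from the traces above with the TCP options trimmed, and the trace is assumed not to cross midnight.

```python
import re
from datetime import datetime

# tcpdump summary line: time, "src > dst:", flags, optional "first:last(len)"
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): (\S+)"
                  r"(?: \d+:\d+\((\d+)\))?")

def parse(trace):
    """Yield (time, src, dst, flags, payload_len) for each recognised line."""
    for raw in trace.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a TCP summary line
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        yield ts, m.group(2), m.group(3), m.group(4), int(m.group(5) or 0)

def first_byte_delay(trace, server):
    """Seconds from the first client payload segment sent to `server` to the
    first payload segment `server` sends back; None if either is missing."""
    request = None
    for ts, src, dst, _flags, length in parse(trace):
        if length == 0:
            continue  # SYN, SYN/ACK and bare ACKs carry no payload
        if request is None and dst == server:
            request = ts
        elif request is not None and src == server:
            return (ts - request).total_seconds()
    return None

SERVER = "web4.ucop.edu.http"  # host.port exactly as tcpdump printed it

# Lines from the "before" trace in the post, TCP options trimmed
BEFORE = """
17:37:49.369256 IP isis.ucop.edu.56928 > web4.ucop.edu.http: . ack 1 win 5840
17:37:49.369971 IP isis.ucop.edu.56928 > web4.ucop.edu.http: P 1:119(118) ack 1 win 5840
17:37:49.370298 IP web4.ucop.edu.http > isis.ucop.edu.56928: . ack 119 win 5792
17:37:49.572037 IP web4.ucop.edu.http > isis.ucop.edu.56928: P 1:1449(1448) ack 119 win 5792
"""
# Lines from the "after" trace in the post, TCP options trimmed
AFTER = """
17:41:07.740814 IP isis.ucop.edu.56929 > web4.ucop.edu.http: . ack 1 win 5840
17:41:07.741554 IP isis.ucop.edu.56929 > web4.ucop.edu.http: P 1:119(118) ack 1 win 5840
17:41:07.741981 IP web4.ucop.edu.http > isis.ucop.edu.56929: . ack 119 win 5792
17:41:07.742705 IP web4.ucop.edu.http > isis.ucop.edu.56929: . 1:1449(1448) ack 119 win 5792
"""

if __name__ == "__main__":
    for label, trace in (("before", BEFORE), ("after", AFTER)):
        print(label, first_byte_delay(trace, SERVER))
```

Run against a full capture, the same function gives one number per ruleset, which makes it easy to confirm whether restoring a modified ruleset changed the delay.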
