Re: [Xen-users] xen, fc4, bridging, iptables and conntrack problem

To: "Paul Jakma" <paul@xxxxxxxxx>, "Jon Howse" <jonny.fahrenheit451@xxxxxxxxxx>
Subject: Re: [Xen-users] xen, fc4, bridging, iptables and conntrack problem
From: "Michael Paesold" <mpaesold@xxxxxx>
Date: Mon, 27 Jun 2005 17:07:54 +0200
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 27 Jun 2005 15:07:00 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <1119705233.5053.14.camel@xxxxxxxxxxxxxxxxxxx> <Pine.LNX.4.63.0506271412290.31084@xxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Paul Jakma wrote:

On Sat, 25 Jun 2005, Jon Howse wrote:

Hi Paul,

I have Fedora Core 4 and I am having exactly the same problem as you.

Aha, so it's not just me. Time to raise a bug with fedora.

I can confirm the problem here.

machine and I can't then log in via ssh. It seems that the conntrack system is failing to match already accepted connections.

See above. For me, all dom0 initiated connections fail to appear in conntrack state (but strangely the remote replies still get seen by tcpdump on xen-br0). domUs work fine though, as FORWARD is unrestricted.

The initial packet seems to get accepted by the INPUT rule, then the reply packet slips past the ESTABLISHED,RELATED rule and gets logged then dropped by the default policy.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161792 and please add your comments to it.

The snapshot for -unstable used for the latest FC4 package is quite old:

* Tue Apr 26 2005 Rik van Riel <...> 2-20050424
- upgrade to last night's snapshot

So perhaps this is already fixed in xen-unstable. Or it was just an artefact of code changes, similar to the problem that xm restore does not work correctly in that snapshot.

Rik said he would upgrade to a new snapshot for rawhide rather soon. Not sure when that will be, though.

Can anyone not using FC4 confirm problems with iptables and conntrack in the latest -unstable?

Best Regards,
Michael Paesold
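As an added example that is not part of this thread, of the FC4 package or of Xen: a small Python script that reads netfilter LOG lines (as written by an iptables LOG rule placed just before a DROP policy on INPUT) and separates genuinely new inbound connection attempts from TCP segments that can only exist because a connection was already accepted. The second group is exactly the symptom described above: a reply to a dom0-initiated connection that the ESTABLISHED,RELATED rule should have matched but which instead fell through to the LOG and DROP rules. The log lines, addresses, ports, the `INPUT-DROP:` log prefix and all function names are constructed for this example.

```python
"""Scan netfilter LOG output for replies that conntrack should have matched.

The SAMPLE_LOG lines below are constructed for this example; they imitate the
format the kernel uses for an iptables LOG rule (e.g. --log-prefix "INPUT-DROP: ")
and are not taken from any real system.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample input (hypothetical addresses in documentation ranges).
SAMPLE_LOG = """\
Jun 27 16:40:01 dom0 kernel: INPUT-DROP: IN=xen-br0 OUT= MAC=00:16:3e:00:00:01:00:11:22:33:44:55:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=45678 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Jun 27 16:40:02 dom0 kernel: INPUT-DROP: IN=xen-br0 OUT= MAC=00:16:3e:00:00:01:00:11:22:33:44:66:08:00 SRC=198.51.100.7 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=31337 DF PROTO=TCP SPT=40211 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 27 16:40:03 dom0 kernel: INPUT-DROP: IN=xen-br0 OUT= MAC=00:16:3e:00:00:01:00:11:22:33:44:55:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=80 DPT=51000 WINDOW=115 RES=0x00 ACK PSH URGP=0
Jun 27 16:40:04 dom0 kernel: INPUT-DROP: IN=xen-br0 OUT= MAC=00:16:3e:00:00:01:00:11:22:33:44:77:08:00 SRC=203.0.113.9 DST=192.0.2.20 LEN=78 TOS=0x00 PREC=0x00 TTL=57 ID=0 PROTO=UDP SPT=53 DPT=33445 LEN=58
"""

# KEY=value tokens of a LOG record; bare tokens (DF, SYN, ACK, ...) are skipped.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


@dataclass
class LoggedPacket:
    prefix: str            # the --log-prefix text, e.g. "INPUT-DROP:"
    fields: Dict[str, str]  # IN, SRC, DST, PROTO, SPT, DPT, ...
    flags: Set[str]         # TCP flag tokens present on the line

    @property
    def proto(self) -> str:
        return self.fields.get("PROTO", "")


def parse_log_line(line: str) -> Optional[LoggedPacket]:
    """Parse one syslog line carrying a netfilter LOG record; None otherwise."""
    idx = line.find(" IN=")
    if idx < 0:
        return None
    head = line[:idx]
    # Everything after "kernel:" and before " IN=" is the log prefix.
    prefix = head.split("kernel:", 1)[1].strip() if "kernel:" in head else head.strip()
    body = line[idx:]
    fields = dict(KV_RE.findall(body))
    flags = {tok for tok in body.split() if tok in TCP_FLAGS}
    return LoggedPacket(prefix, fields, flags)


def classify(pkt: LoggedPacket) -> str:
    """Heuristic label for why a packet reached the LOG/DROP rule.

    new-inbound : a bare SYN, the first packet of a connection nobody asked
                  for; dropping it is the policy working as intended.
    stale-reply : SYN+ACK or any non-SYN TCP segment.  Such a segment implies
                  one side already holds connection state, so a stateful INPUT
                  chain should have accepted it via ESTABLISHED,RELATED.  Seeing
                  it here means conntrack never recorded the outbound connection.
    other       : non-TCP; a single UDP/ICMP datagram does not reveal direction.
    """
    if pkt.proto != "TCP":
        return "other"
    if "SYN" in pkt.flags and "ACK" not in pkt.flags:
        return "new-inbound"
    return "stale-reply"


def scan(log_text: str) -> Dict[str, List[LoggedPacket]]:
    """Bucket every LOG record in log_text by classify()."""
    buckets: Dict[str, List[LoggedPacket]] = {"new-inbound": [], "stale-reply": [], "other": []}
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is not None:
            buckets[classify(pkt)].append(pkt)
    return buckets


def conntrack_looks_broken(log_text: str, threshold: int = 1) -> bool:
    """True when at least `threshold` replies to accepted connections were dropped."""
    return len(scan(log_text)["stale-reply"]) >= threshold


if __name__ == "__main__":
    for label, pkts in scan(SAMPLE_LOG).items():
        print(f"{label}: {len(pkts)}")
        for p in pkts:
            print(f"  {p.fields['SRC']}:{p.fields.get('SPT')} -> "
                  f"{p.fields['DST']}:{p.fields.get('DPT')} {p.proto} {' '.join(sorted(p.flags))}")
    print("conntrack looks broken:", conntrack_looks_broken(SAMPLE_LOG))
```

On a live host the same functions can be fed the output of `dmesg` or the kernel facility of syslog; the point of the split is that dropped SYN+ACKs from well-known server ports (the first sample line is the SSH reply the thread describes) are a conntrack failure, whereas dropped bare SYNs are the firewall doing its job, and the two should not be lumped into one "dropped packets" count when deciding whether the ESTABLISHED,RELATED rule is actually working.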
