WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 

Re: [Xen-users] netfilter, conntrack, ip_nat_ftp problem

On Thursday 31 May 2007, Vladislav Kurz wrote:
> On Wednesday 30 May 2007 08:34, Alexander Wilms wrote:
> > Hi Vladislav,
> >
> > this all sounds familiar to me. Both problems seem to be related to the
> > TCP/UDP Checksum problem. If you would look with wireshark into your
> > packets you would see a lot of wrong checksums. And this explains both:
> > Because of this the FTP nat helper doesn't rewrite the re-transmitted
> > packets anymore and also confuses the rest of the connection tracking.
> >
> >
> > Solution is quite simple. Switch off tx checksumming of your nic(s). E.g.
> > "ethtool -K eth0 tx off"
> > You have to find out which of your nics need it. In my setup I had to
> > switch it off in dom0 and domU on all physical nics.
> >
> > HTH,
> > Alex
>
> Thanks a lot Alex,
>
> I switched off checksum offloading on domU and FTP NAT helper started to
> work. I still get some INVALID packets with FIN & RST flag set, and some
> bad tcp checksum in dom0 - domU traffic, so I will monitor it and perhaps
> switch off checksum on the real eth0 and xen-br0 (or the vifX) in dom0.
>
> Anyway I think this must have affected quite a lot of xen users. TCP
> checksum offloading must break any stateful firewall in dom0, or do I miss
> something? Why is there no note about this in the docs? Or is our configuration
> so unusual? (dom0 as a firewall in front of domU guests)
>
> Thanks
>       Vladislav Kurz


Hi Vladislav,

no, not so unusual. So I also don't understand why more people aren't reporting 
this issue on the xen lists. (There was only one thread that I remember that 
was related to that issue. It was like: everything works, but DNS resolution 
fails. This was also related to offloading features of the nic.)

But in the shorewall list we discussed it, and in a xen book I read it was also 
a topic. So the best hint so far you can find is maybe in the shorewall 
documentation written by Tom Eastep. 
http://www.shorewall.net/XenMyWay.html

Btw. my way of xen is a bit different. I'm running my firewall in a domU (with 
PCI passed-through nics) and (of course) still have the same effects.

HTH,
Alex
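The thread's fix is to run "ethtool -K ethX tx off" on every NIC that still has TX checksum offload enabled, and the open question is which NICs (dom0 physical, bridge, vif, domU) actually need it. The script below is an added example, not code from the thread or from Xen/shorewall: it reads the "tx-checksumming: on/off" line that `ethtool -k <iface>` prints, decides per interface whether the offload is still on, and emits the exact `ethtool -K <iface> tx off` command for those that need it. The two blocks of ethtool output embedded in the script are constructed samples (interface names eth0 and vif1.0 are placeholders) so the logic runs offline without root or real NICs; `live_check` applies the same logic to a real interface.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: find interfaces whose TX
# checksum offload is still enabled and print the ethtool command to turn it off.
# Run with --demo to evaluate the constructed samples below.

# Constructed sample of `ethtool -k eth0` output: offload still on (needs the fix).
SAMPLE_ETH0='Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on'

# Constructed sample for a vif where tx checksumming has already been switched off.
SAMPLE_VIF='Offload parameters for vif1.0:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off'

# tx_offload_state OUTPUT
#   Prints "on" or "off" taken from the tx-checksumming line of an
#   `ethtool -k` dump, or "unknown" if that line is missing (unsupported NIC,
#   old ethtool, or an error message instead of a dump).
tx_offload_state() {
    printf '%s\n' "$1" | awk -F': *' '
        /^tx-checksumming:/ { print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# plan_tx_off IFACE OUTPUT
#   Prints the ethtool command needed for IFACE, nothing if offload is already
#   off, and a comment line if the state could not be determined.
plan_tx_off() {
    iface=$1
    case "$(tx_offload_state "$2")" in
        on)  printf 'ethtool -K %s tx off\n' "$iface" ;;
        off) ;;
        *)   printf '# %s: tx-checksumming state unknown, inspect manually\n' "$iface" ;;
    esac
}

# live_check IFACE
#   Same decision against the real `ethtool -k` output; IFACE must exist.
live_check() {
    plan_tx_off "$1" "$(ethtool -k "$1" 2>/dev/null)"
}

# Stand-alone demonstration over the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    plan_tx_off eth0   "$SAMPLE_ETH0"
    plan_tx_off vif1.0 "$SAMPLE_VIF"
fi
```

Running the printed commands is deliberately left to the operator: as the thread notes, the set of interfaces that need it differs per setup (dom0 physical NICs, the bridge, the vifs, and the domU side), and the offload state reverts on reboot, so the commands belong in whatever brings the interfaces up. Checking `ethtool -k` after the change is the cheap way to confirm the setting actually took on each interface before re-testing the FTP NAT helper.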



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
