WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] netfilter, conntrack, ip_nat_ftp problem

On Thursday 31 May 2007 18:56, Alexander Wilms wrote:
> On Thursday 31 May 2007, Vladislav Kurz wrote:
> > On Wednesday 30 May 2007 08:34, Alexander Wilms wrote:
> > > Hi Vladislav,
> > >
> > > this all sounds familiar to me. Both problems seem to be related to the
> > > TCP/UDP Checksum problem. If you would look with wireshark into your
> > > packets you would see a lot of wrong checksums. And this explains both:
> > > Because of this the FTP nat helper doesn't rewrite the re-transmitted
> > > packets anymore and also confuses the rest of the connection tracking.
> > >
> > >
> > > Solution is quite simple. Switch off tx checksumming of your nic(s).
> > > E.g. "ethtool -K eth0 tx off"
> > > You have to find out which of your nics need it. In my setup I had to
> > > switch it off in dom0 and domU on all physical nics.
> > >
> > > HTH,
> > > Alex
> >
> > Thanks a lot Alex,
> >
> > I switched off checksum offloading on domU and FTP NAT helper started to
> > work. I still get some INVALID packets with FIN & RST flag set, and some
> > bad tcp checksum in dom0 - domU traffic, so I will monitor it and perhaps
> > switch off checksum on the real eth0 and xen-br0 (or the vifX) in dom0.

I have switched off all checksum offloading (tx and rx), on all interfaces 
(physical, virtual, even bridge) and still I have a lot of invalid packets.
NAT FTP helper works, but some packets miss DNAT rules and get logged as 
INVALID in INPUT (instead of being forwarded to domU host). Most of them are 
packets with flag FIN set. They correlate with records in apache access log, 
and often appear multiple times as the other party retransmits them.

Some packets in the opposite direction (domU -> internet) are marked INVALID as 
well, mostly ACK+FIN and ACK+SYN, I'm not sure if they pass through SNAT, or 
just get into the wild with private source IP.

Sniffing for bad checksum (tshark -i eth0 -R "tcp.checksum_bad == 1") does not 
yield any results, so this might be a completely different issue. Has anyone 
seen this behavior and found a solution for it?

> But in the shorewall list we discussed it and also in a xen book I read it was
> a topic. 

Could you specify which book? Is it available on-line?

> So the best hint so far you can find is maybe in the shorewall 
> documentation written by Tom Eastep.
> http://www.shorewall.net/XenMyWay.html

Thanks, but this does not help any more than you already did :-)

> Btw. my way of xen is a bit different. I'm running my firewall in a domU
> (with PCI passthrough'ed nics) and (of course) have still same effects.
>
> HTH,
> Alex

-- 
Best regards
        Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) ========= a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net ======= vladislav.kurz@xxxxxxxxxxx ===


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
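The triage step the message above describes (which INVALID packets land in INPUT instead of FORWARD, which TCP flags they carry, and which of them are retransmissions of the same segment) can be done from the netfilter LOG output. The script below is an added example, not code from the thread or from Xen or shorewall; it assumes a rule like `iptables -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID: "` and works on constructed sample lines in the kernel's LOG target format.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (not taken from the thread). Addresses are
# documentation ranges; the interface names are assumptions.
SAMPLE_LOG = """\
May 31 19:02:11 dom0 kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=52 TTL=54 ID=1 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
May 31 19:02:11 dom0 kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=52 TTL=54 ID=2 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
May 31 19:02:12 dom0 kernel: INVALID: IN=xenbr0 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=40 TTL=63 ID=3 DF PROTO=TCP SPT=80 DPT=51000 WINDOW=0 RES=0x00 ACK RST URGP=0
May 31 19:02:13 dom0 kernel: INVALID: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=52 TTL=54 ID=4 DF PROTO=UDP SPT=53 DPT=40000
May 31 19:02:14 dom0 kernel: ACCEPT: IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.2 LEN=60 TTL=54 ID=5 DF PROTO=TCP SPT=44000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs of the LOG target


def parse_log_line(line):
    """Parse one LOG line; return None unless it carries the INVALID prefix."""
    if "INVALID:" not in line:
        return None
    rec = dict(FIELD_RE.findall(line))
    tokens = line.split()
    # TCP flags are bare tokens (e.g. "ACK FIN") after RES=; keep a fixed order.
    rec["flags"] = "+".join(f for f in TCP_FLAGS if f in tokens) if rec.get("PROTO") == "TCP" else ""
    # An empty OUT= means the packet was delivered locally (INPUT chain), i.e. it
    # missed DNAT; a set OUT= means it was on its way through FORWARD.
    rec["direction"] = "forwarded" if rec.get("OUT") else "local"
    return rec


def summarize_invalid(log_text):
    """Count INVALID entries by flag set and direction, and find flows logged more
    than once with the same flags (the retransmissions the message describes)."""
    by_flags, by_direction, flows = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        by_flags[rec["flags"]] += 1
        by_direction[rec["direction"]] += 1
        flows[(rec["SRC"], rec.get("SPT"), rec["DST"], rec.get("DPT"), rec["flags"])] += 1
    repeated = {flow: n for flow, n in flows.items() if n > 1}
    return {"by_flags": by_flags, "by_direction": by_direction, "repeated": repeated}


if __name__ == "__main__":
    for key, value in summarize_invalid(SAMPLE_LOG).items():
        print(key, dict(value))
```

Feed it `journalctl -k` or `/var/log/kern.log`; a FIN-heavy "local" bucket with repeated flows is the pattern from the message, while a large "forwarded" RST/SYN bucket points at the domU side instead.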
