This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] dom0 can see connections from domU-s

To: Xen User-List <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] dom0 can see connections from domU-s
From: "Fajar A. Nugraha" <fajar@xxxxxxxxx>
Date: Tue, 25 Aug 2009 10:13:22 +0700
Delivery-date: Mon, 24 Aug 2009 20:14:05 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <6b7f6eb0908242001q3e414e59p8facf9f0de5eb5ef@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4A9318D3.9010106@xxxxxxxxx> <6b7f6eb0908242001q3e414e59p8facf9f0de5eb5ef@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
On Tue, Aug 25, 2009 at 10:01 AM, Thiago Camargo Martins Cordeiro <thiagocmartinsc@xxxxxxxxx> wrote:
>  I have this problem at my Linux border gateway: it cannot even have the
> NAT module loaded. Even with no NAT rules, the kernel drops a lot of
> packets on a busy network, saying that the NAT conntrack table is full... I
> hate it!   :-P

Is it a dom0? Or is it simply a Linux router, in which case this is
not directly Xen-related?

>  Do the BSD systems suffer from this evil behavior too?
>  I have never sent a mail to Linus before, but this can be a good time to do so.
>  I say this because I believe that Linux should not drop network packets
> just because some module is loaded.
>  ...or simply we do not know how to adjust it!

What's the value of /proc/sys/net/ipv4/ip_conntrack_max?
It's 65536 by default on RHEL, and should be adjustable using something like

    echo 655360 > /proc/sys/net/ipv4/ip_conntrack_max

If you're feeling brave, you can adjust some timeouts
(/proc/sys/net/ipv4/netfilter/ip_conntrack*timeout*) to have dead
connections dropped sooner, thus reducing overall connection count.
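The check a gateway admin would want before and after applying the advice above, as an added example that is not part of the original mail: read the conntrack count against its maximum, flag the table when it is nearly full, and count the kernel's "table full, dropping packet" messages in a log excerpt. The script assumes a Linux host with netfilter conntrack and uses the nf_conntrack_* paths of current kernels (the ip_conntrack_* paths in the mail are the 2.6-era names of the same knobs); the 90 % threshold, the sample count of 62000 and the dmesg excerpt are constructed values so it runs offline.

```shell
#!/bin/sh
# Added example for this thread, not code from the original mail. Assumes a
# Linux host with netfilter conntrack. Live values are read from /proc when
# present; otherwise constructed sample values are used so the script runs
# on any machine.

# Current kernels first, then the 2.6-era names quoted in the thread.
CT_MAX_PATHS="/proc/sys/net/netfilter/nf_conntrack_max /proc/sys/net/ipv4/ip_conntrack_max"
CT_COUNT_PATHS="/proc/sys/net/netfilter/nf_conntrack_count /proc/sys/net/ipv4/netfilter/ip_conntrack_count"

# Print the contents of the first readable file in the list, else the fallback.
read_first() {
    fallback=$1; shift
    for p in "$@"; do
        if [ -r "$p" ]; then cat "$p"; return 0; fi
    done
    echo "$fallback"
}

# Integer percentage of the conntrack table in use (0 when max is unknown).
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo 0; return; }
    echo $(( count * 100 / max ))
}

# OK below the threshold percentage, WARN at or above it.
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$pct" -ge "$3" ]; then echo WARN; else echo OK; fi
}

# Count kernel "table full, dropping packet" lines on stdin. The pattern
# matches both the old ip_conntrack and the newer nf_conntrack wording.
count_table_full_events() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# Constructed dmesg excerpt (not real output) for an offline run.
SAMPLE_DMESG='[ 1201.123456] nf_conntrack: table full, dropping packet
[ 1201.223456] nf_conntrack: table full, dropping packet
[ 1202.000001] eth0: link up'

main() {
    max=$(read_first 65536 $CT_MAX_PATHS)      # 65536: the RHEL default named in the mail
    count=$(read_first 62000 $CT_COUNT_PATHS)  # 62000: constructed sample load
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count / $max entries ($pct%) -> $(conntrack_status "$count" "$max" 90)"

    # On a real host feed the kernel ring buffer instead: dmesg | count_table_full_events
    drops=$(printf '%s\n' "$SAMPLE_DMESG" | count_table_full_events)
    echo "table-full drop events in sample log: $drops"

    # The two levers from the mail, as sysctl keys on current kernels:
    #   sysctl -w net.netfilter.nf_conntrack_max=655360
    #   sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
    # Raising nf_conntrack_max works best together with a larger hash table
    # (/sys/module/nf_conntrack/parameters/hashsize), or lookups slow down.
}

main
```

Run it as a cron job or from a monitoring agent and alert on WARN or on a non-zero drop count; the drop count is the signal that the gateway is already losing traffic, while the percentage gives warning before that happens.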

