This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] dom0 can see connections from domU-s

To: "Fajar A. Nugraha" <fajar@xxxxxxxxx>
Subject: Re: [Xen-users] dom0 can see connections from domU-s
From: Thiago Camargo Martins Cordeiro <thiagocmartinsc@xxxxxxxxx>
Date: Tue, 25 Aug 2009 00:26:01 -0300
Cc: Xen User-List <xen-users@xxxxxxxxxxxxxxxxxxx>
2009/8/25 Fajar A. Nugraha <fajar@xxxxxxxxx>
On Tue, Aug 25, 2009 at 10:01 AM, Thiago Camargo Martins Cordeiro <thiagocmartinsc@xxxxxxxxx> wrote:
>  I have this problem at my Linux border gateway: it cannot even have the
> NAT module loaded; even with no NAT rules, the kernel drops a lot of
> packets on a busy network, saying that the NAT conntrack table is full... I
> hate it!   :-P

Is it a dom0? Or is it simply a Linux router, in which case this is
not directly Xen-related?

It is a PV domU Linux router... on a dom0 with other router/firewall domUs...
But even with bare Linux, I see the same behavior...

>  Do the BSD systems suffer from this evil behavior too?
>  I have never sent a mail to Linus before, but this can be a good time to do so.
>  I say this because I believe that Linux should not drop network packets
> only by loading some module.
>  ...or simply we do not know how to adjust it!

What's the value of /proc/sys/net/ipv4/ip_conntrack_max ?
It's 65536 by default on RHEL, and should be adjustable using something like
echo 655360 > /proc/sys/net/ipv4/ip_conntrack_max

If you're feeling brave, you can adjust some timeouts
(/proc/sys/net/ipv4/netfilter/ip_conntrack*timeout*) to have dead
connections dropped sooner, thus reducing overall connection count.

Sounds pretty easy!! I'll try it...


Xen-users mailing list
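As an added example (mine, not from the thread), a small POSIX shell script that checks how full the conntrack table is, counts the kernel's "table full, dropping packet" messages in a constructed log sample, and prints the adjustments Fajar describes. The nf_conntrack fallback paths, the 70%/90% thresholds and the sample log are my assumptions; the ip_conntrack paths are the ones named in the thread.

```shell
#!/bin/sh
# Conntrack pressure check. ip_conntrack paths come from the thread; the
# nf_conntrack fallbacks are assumed for kernels that renamed the module.

# Print the first readable file among the arguments; fail if none exists.
read_first() {
    for f in "$@"; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    return 1
}
conntrack_max()   { read_first /proc/sys/net/ipv4/ip_conntrack_max /proc/sys/net/netfilter/nf_conntrack_max; }
conntrack_count() { read_first /proc/sys/net/ipv4/netfilter/ip_conntrack_count /proc/sys/net/netfilter/nf_conntrack_count; }

# usage_pct COUNT MAX -> integer percentage of the table in use (0 if MAX is 0).
usage_pct() { [ "$2" -gt 0 ] && echo $(( $1 * 100 / $2 )) || echo 0; }

# classify COUNT MAX -> OK, WARN (>=70%) or FULL (>=90%); thresholds are my choice.
classify() {
    pct=$(usage_pct "$1" "$2")
    if [ "$pct" -ge 90 ]; then echo FULL
    elif [ "$pct" -ge 70 ]; then echo WARN
    else echo OK; fi
}

# suggest_max MAX -> ten times the current limit, the ratio in Fajar's example.
suggest_max() { echo $(( $1 * 10 )); }

# count_table_full [FILE] -> number of kernel "table full, dropping packet" lines
# (matches both the old ip_conntrack and the nf_conntrack wording); stdin if no FILE.
count_table_full() { grep -c 'conntrack: table full, dropping packet' "$@"; }

# Constructed sample kernel log, not captured from a real host.
SAMPLE_KMSG='Aug 25 00:10:01 gw kernel: ip_conntrack: table full, dropping packet.
Aug 25 00:10:01 gw kernel: ip_conntrack: table full, dropping packet.
Aug 25 00:10:02 gw kernel: eth0: link is up'

# Live check: read the table size and occupancy, then print the tuning hints.
report() {
    max=$(conntrack_max) || { echo "no conntrack sysctl found (module not loaded?)"; return 1; }
    count=$(conntrack_count) || count=0
    state=$(classify "$count" "$max")
    echo "conntrack: $count/$max entries ($(usage_pct "$count" "$max")%) -> $state"
    [ "$state" = OK ] && return 0
    echo "raise the limit:  echo $(suggest_max "$max") > /proc/sys/net/ipv4/ip_conntrack_max"
    echo "idle TCP timeout: cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established"
}

# Run the live check only when asked, so the file can be sourced for testing.
case "${1:-}" in --check) report ;; esac
```

Run it as `sh conntrack_check.sh --check` on the router; the pure functions can be exercised without /proc access.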