xen-devel
RE: [Xen-devel] [PATCH] Network Checksum Removal
Hello
It seems this patch breaks something in netfilter.
My setup is a classical bridge (no veth0/vif0.0) plus some stateful
firewalling on Dom0.
With tx offload off and firewall on, pings from Dom0 to DomU work, ssh
from Dom0 to DomU works.
With tx offload on and firewall off, idem.
With tx offload on and firewall on, ping goes well but ssh does not.
Here are the iptables rules:
iptables -P INPUT DROP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i xen-br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P OUTPUT ACCEPT
Here is a capture of vif1.0:
IP DOM0.2486 > DOM1.22: S
IP DOM1.22 > DOM0.2486: S
IP DOM0.2486 > DOM1.22: . ack 1
IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
...
The response from the original SYN goes through the third rule, but the
ACKs don't.
I added a rule to log packets with invalid state and the ACKs got
logged.
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
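
Added example, not part of the original message: a Python check that reads tcpdump output in the short form quoted above and reports data segments one side keeps resending while the peer never acknowledges them, the pattern visible in the vif1.0 capture. The function name, the repeat threshold and the regular expression are assumptions of this example.

```python
import re
from collections import Counter

# Capture lines copied from the message above (short tcpdump form).
CAPTURE = """\
IP DOM0.2486 > DOM1.22: S
IP DOM1.22 > DOM0.2486: S
IP DOM0.2486 > DOM1.22: . ack 1
""" + "IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1\n" * 7 + "...\n"

# src > dst: flags [start:end(len)] [ack N]; sequence fields are optional.
LINE = re.compile(
    r"^IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
    r"(?: (?P<start>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)


def stalled_segments(capture, min_repeats=3):
    """Return (src, dst, start, end, count) for unacknowledged resends."""
    sent = Counter()   # (src, dst, start, end) -> times the segment was seen
    highest_ack = {}   # (src, dst) -> highest ack number src sent to dst
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue   # "..." and anything else that is not a packet line
        src, dst = m["src"], m["dst"]
        if m["ack"] is not None:
            highest_ack[src, dst] = max(highest_ack.get((src, dst), 0), int(m["ack"]))
        if m["start"] is not None and int(m["len"]) > 0:
            sent[src, dst, int(m["start"]), int(m["end"])] += 1
    findings = []
    for (src, dst, start, end), count in sent.items():
        # The receiver acknowledges a segment by sending ack >= its end.
        acked = highest_ack.get((dst, src), 0) >= end
        if count >= min_repeats and not acked:
            findings.append((src, dst, start, end, count))
    return findings


if __name__ == "__main__":
    for src, dst, start, end, count in stalled_segments(CAPTURE):
        print(f"{src} -> {dst}: bytes {start}:{end} sent {count}x, never acked")
```
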
RE: [Xen-devel] [PATCH] Network Checksum Removal,
Cédric Schieli <=