This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-devel] Masquerading problems - XenU 3.0 on x86_64

To: Jim Pick <jim@xxxxxxxxxxx>
Subject: Re: [Xen-devel] Masquerading problems - XenU 3.0 on x86_64
From: Keir Fraser <Keir.Fraser@xxxxxxxxxxxx>
Date: Sun, 9 Apr 2006 08:46:51 +0100
Cc: xen-devel Devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Sun, 09 Apr 2006 00:50:14 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <44384EDA.2080106@xxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <44384EDA.2080106@xxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx

On 9 Apr 2006, at 01:01, Jim Pick wrote:

I'm trying to migrate my Xen sessions installed on 32-bit Xen 2.0 server to a 64-bit Xen 3.0 server.

On the Xen 2.0 server (32-bit), I built a DomU kernel with masquerading, and I use that to do NAT for some private networks running on the same box.

When I tried to do it with Xen 3.0 (64-bit), I couldn't get it to work. I had to build a custom DomU kernel (from xen-3.0-testing.hg, 2.6.16, 2 days ago) in order to include the netfilter/iptables code. ICMP works. TCP doesn't. Non-masquerading traffic is OK. I had the same problems with the 2.6.12 kernel from Xen 3.0.1.

I captured some of the traffic, and ethereal is showing that the masqueraded traffic being output has bad TCP checksums.

I'm going to have to do some debugging to try to figure out what's going wrong.

Has anybody else encountered this? Also, if it's already been fixed somewhere, I'd love to know. Any Netfilter debugging tips would also be appreciated.

Turn off tx checksum offload in your domU's using ethtool. We had fixed some forms of NAT with our checksum offload, but maybe not for your type of setup.

 -- Keir

Xen-devel mailing list