WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

[Xen-users] xen, fc4, bridging, iptables and conntrack problem

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] xen, fc4, bridging, iptables and conntrack problem
From: Paul Jakma <paul@xxxxxxxx>
Date: Fri, 24 Jun 2005 17:54:00 +0100 (IST)
Delivery-date: Fri, 24 Jun 2005 16:53:00 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Mail-copies-to: paul@xxxxxxxxxxxxxxxxxx
Mail-followup-to: paul@xxxxxxxxxxxxxxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Hi,

I'm testing out Xen on FC4. I'm using bridging for networking, as well as iptables to firewall, configured with the standard Fedora 'system-config-security-level' tool. However, I have a really strange problem with conntrack not seeming to catch outbound connections. This prevents outbound connections working from dom0. Connections from domU's however /do/ work.

The problem appears to boil down to the following:

Chain INPUT (policy ACCEPT 210K packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination
 111K 8778K RH-Firewall-1-INPUT  all  --  xen-br+ any     anywhere             anywhere
    0     0 RH-Firewall-1-INPUT  all  --  vif+   any     anywhere             anywhere
    1    73 RH-Firewall-1-INPUT  all  --  eth0   any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 2812K packets, 311M bytes)
 pkts bytes target     prot opt in     out     source               destination
<empty>

Chain RH-Firewall-1-INPUT (3 references)
 pkts bytes target     prot opt in     out     source               destination
   33  2485 ACCEPT     all  --  lo     any     anywhere             anywhere
  253 16338 ACCEPT     icmp --  any    any     anywhere             anywhere    icmp any
    0     0 ACCEPT     ipv6-crypt--  any    any     anywhere   anywhere
    0     0 ACCEPT     ipv6-auth--  any    any     anywhere    anywhere
68483 6004K ACCEPT     all  --  any    any     anywhere             anywhere    state RELATED,ESTABLISHED
<snip remaining standard RH-Firewall rules to allow in certain ports>


The FORWARD chain is empty and policy ACCEPT, which maybe explains why domU's work.

The INPUT side of stuff though seems to not work because the RELATED,ESTABLISHED conntrack rule doesn't match. And this would appear to be because the original /outgoing/ packets are never caught by connection track and entered into its state.

If I tcpdump xen-br0, I can see packets leave, and I can even see the remote SYN|ACK come in, which is very strange (and not in line with my only hypothesis so far, a conntrack problem):

# tcpdump -i xen-br0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on xen-br0, link-type EN10MB (Ethernet), capture size 96 bytes
18:48:54.138909 IP domain0.38261 > remote.smtp: S 710403207:710403207(0) win 5840 <mss 1460,sackOK,timestamp 181127121 0,nop,wscale 2>
18:48:54.271062 IP remote.smtp > domain0.38261: S 746149051:746149051(0) ack 710403208 win 5792 <mss 1460,sackOK,timestamp 1332954470 181127121,nop,wscale 0>
18:48:57.138797 IP domain0.38261 > remote.smtp: S 710403207:710403207(0) win 5840 <mss 1460,sackOK,timestamp 181127421 0,nop,wscale 2>
18:48:57.270302 IP remote.smtp > domain0.38261: S 749148214:749148214(0) ack 710403208 win 5792 <mss 1460,sackOK,timestamp 1332954770 181127421,nop,wscale 0>

Has anyone seen this problem before?

Is it specific to bridging (but it affects local packets though), to Xen somehow, to FC4?

regards,
--
Paul Jakma      paul@xxxxxxxx   paul@xxxxxxxxx  Key ID: 64A2FF6A
Fortune:
That's always the way when you discover something new; everyone thinks
you're crazy.
                -- Evelyn E. Smith

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
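The capture in the message shows the pattern that distinguishes "the peer never answered" from "the answer reached the interface but the host would not accept it": the remote SYN|ACK is on the wire, yet dom0 retransmits its SYN three seconds later, which is what you would expect if the SYN|ACK is being discarded before it reaches the socket (for example by an INPUT chain whose RELATED,ESTABLISHED rule has no conntrack entry to match). The script below is an added example, not code from the original post or from the Xen project: it parses the old single-line tcpdump TCP format used in the message and gives a per-attempt verdict. The four packets from the post are used as one sample flow; the second, healthy handshake (source port 38300) is constructed for comparison, and the hostnames domain0 and remote are taken from the post.

```python
"""Classify TCP handshake attempts seen in old-style tcpdump output.

Added example, not part of the original mailing-list post. For every
client SYN in the capture it reports whether the handshake completed,
whether no SYN|ACK ever came back, or whether the SYN|ACK was visible on
the wire while the client nevertheless retransmitted its SYN (the reply
was dropped somewhere between the interface and the socket).
"""
import re

# One-line TCP format printed by the tcpdump of that era (as in the post):
#   <time> IP <host.port> > <host.port>: <flags> [seq:seq(len)] [ack N] win N [<opts>]
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFPR.]+)(?: (?P<rest>.*))?$"
)

# Sample capture: the four packets quoted in the post (dom0 keeps sending
# SYN although remote's SYN|ACK is on the bridge) plus a constructed, healthy
# handshake on source port 38300 so both outcomes are exercised.
SAMPLE_CAPTURE = """\
18:48:54.138909 IP domain0.38261 > remote.smtp: S 710403207:710403207(0) win 5840 <mss 1460,sackOK,timestamp 181127121 0,nop,wscale 2>
18:48:54.271062 IP remote.smtp > domain0.38261: S 746149051:746149051(0) ack 710403208 win 5792 <mss 1460,sackOK,timestamp 1332954470 181127121,nop,wscale 0>
18:48:57.138797 IP domain0.38261 > remote.smtp: S 710403207:710403207(0) win 5840 <mss 1460,sackOK,timestamp 181127421 0,nop,wscale 2>
18:48:57.270302 IP remote.smtp > domain0.38261: S 749148214:749148214(0) ack 710403208 win 5792 <mss 1460,sackOK,timestamp 1332954770 181127421,nop,wscale 0>
18:50:01.000000 IP domain0.38300 > remote.smtp: S 1000:1000(0) win 5840 <mss 1460>
18:50:01.100000 IP remote.smtp > domain0.38300: S 2000:2000(0) ack 1001 win 5792 <mss 1460>
18:50:01.100100 IP domain0.38300 > remote.smtp: . ack 1 win 1460
"""

REPLY_DROPPED = "SYN|ACK on wire but SYN retransmitted: reply dropped before the socket"
COMPLETED = "handshake completed"
NO_REPLY = "no SYN|ACK seen from peer"
PENDING = "SYN|ACK seen, no further packets"


def parse_line(line):
    """Return (ts, src, dst, flags, has_ack), or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest") or ""
    # "ack N" in the body means the ACK flag is set; "sackOK" must not match.
    has_ack = re.search(r"\back \d+", rest) is not None
    return m.group("ts"), m.group("src"), m.group("dst"), m.group("flags"), has_ack


def classify_handshakes(capture_text):
    """Map 'client > server' to a verdict string for every client SYN in the capture."""
    flows = {}  # (client, server) -> handshake state
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, src, dst, flags, has_ack = parsed
        if "S" in flags and not has_ack:
            # Client SYN: opens an attempt or retransmits it.
            st = flows.setdefault((src, dst), {"synack": False, "syn_after_synack": False, "established": False})
            if st["synack"]:
                st["syn_after_synack"] = True
        elif "S" in flags and has_ack:
            # Server SYN|ACK; the flow is keyed by (client, server).
            st = flows.get((dst, src))
            if st is not None:
                st["synack"] = True
        elif has_ack and (src, dst) in flows:
            # Any client->server segment with ACK after the SYN|ACK: third step done.
            st = flows[(src, dst)]
            if st["synack"]:
                st["established"] = True

    verdicts = {}
    for (client, server), st in flows.items():
        if st["established"]:
            verdict = COMPLETED
        elif st["syn_after_synack"]:
            verdict = REPLY_DROPPED
        elif st["synack"]:
            verdict = PENDING
        else:
            verdict = NO_REPLY
        verdicts[f"{client} > {server}"] = verdict
    return verdicts


if __name__ == "__main__":
    for flow, verdict in classify_handshakes(SAMPLE_CAPTURE).items():
        print(f"{flow}: {verdict}")
```

Run it against a saved `tcpdump -i xen-br0 port 25` capture (piped through this script instead of the embedded sample) while reproducing the outbound connection: a REPLY_DROPPED verdict tells you the problem is on the receiving side of dom0, so the next thing to compare is the packet counter on the RELATED,ESTABLISHED rule and the contents of the conntrack table for that source port, rather than anything upstream.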