xen-users

Re: [Xen-users] dom0 can see connections from domU-s

To: Deyan Chepishev <dchepishev@xxxxxxxxx>
Subject: Re: [Xen-users] dom0 can see connections from domU-s
From: Thiago Camargo Martins Cordeiro <thiagocmartinsc@xxxxxxxxx>
Date: Tue, 25 Aug 2009 00:01:31 -0300
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 24 Aug 2009 20:02:18 -0700
In-reply-to: <4A9318D3.9010106@xxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4A9318D3.9010106@xxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx

Hi!

 Who knows who can fix this in Linux? Linus!?

 I use the weirdest solution for this annoying problem:

# flush the NAT rules first, otherwise the modules are still in use
iptables -t nat -F
# unload in reverse dependency order: a module cannot be removed while
# something that depends on it is still loaded
rmmod ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack
# to make sure (a second pass picks up anything that was still busy):
rmmod ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack

 I have this problem on my Linux border gateway: it cannot even have the NAT module loaded. Even with no NAT rules, the kernel drops a lot of packets on a busy network, saying that the NAT conntrack table is full... I hate it!   :-P

 Do the BSD systems suffer from this evil behavior too?

 I never sent a mail to Linus before, but this could be a good time to do so.

 I say this because I believe that Linux should not drop network packets merely because some module is loaded.

 ...or maybe we simply do not know how to adjust it!

 I confess that today this is the only issue that I have with Linux.

Cheers!
Thiago

2009/8/24 Deyan Chepishev <dchepishev@xxxxxxxxx>
Hello,

I have a little problem.

I can see all the guest (domU) connections in dom0's /proc/net/ip_conntrack. As you can imagine the conntrack table starts to get filled when lots of connections are made on domU machines. Is there a way to stop this behavior?

My config is:
OS: Centos 5.3
XEN: xen-3.3.1-0 manually compiled from gitco's SRPMS
Kernel: 2.6.18-128.4.1.el5xen on both dom0 and domU

I have had exactly the same problem before, but it disappeared after I manually compiled kernel 2.6.18 with the xen patches. However, I need a more up-to-date kernel now and want to use the xen kernel from centos.

I need help if someone knows how I can prevent this from happening.

Thank you

Regards,
Deian



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
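The failure both posters describe is the dom0 conntrack table filling up with domU flows until the kernel starts dropping packets. The following check, added here and not part of the thread, reads the live count against the table's maximum so an operator sees the table approaching full before drops begin. It assumes the counters are exposed at either the 2.6.18-era /proc/sys/net/ipv4/netfilter/ip_conntrack_{count,max} or the newer /proc/sys/net/netfilter/nf_conntrack_{count,max} (which one exists depends on the kernel), and that the script is saved as conntrack_check.sh when run on its own.

```shell
#!/bin/sh
# Added example, not from the thread: classify how full dom0's conntrack
# table is so "table full" drops can be caught before they start.
# Assumption: counters live at one of the two /proc naming schemes below.

# Print "<count-file> <max-file>" for whichever naming this kernel uses;
# fail if no conntrack module is loaded (then there is no table to fill).
conntrack_paths() {
  for pair in /proc/sys/net/ipv4/netfilter/ip /proc/sys/net/netfilter/nf; do
    if [ -r "${pair}_conntrack_count" ] && [ -r "${pair}_conntrack_max" ]; then
      echo "${pair}_conntrack_count ${pair}_conntrack_max"
      return 0
    fi
  done
  return 1
}

# conntrack_status COUNT MAX: prints "<LEVEL> <percent>" and returns
# 0 (OK, below 75%), 1 (WARN, 75-89%), 2 (CRIT, 90% or more), 3 (bad input).
conntrack_status() {
  count=$1
  max=$2
  for v in "$count" "$max"; do
    case "$v" in ''|*[!0-9]*) echo "UNKNOWN 0"; return 3;; esac
  done
  [ "$max" -gt 0 ] || { echo "UNKNOWN 0"; return 3; }
  pct=$(( count * 100 / max ))
  if [ "$pct" -ge 90 ]; then echo "CRIT $pct"; return 2; fi
  if [ "$pct" -ge 75 ]; then echo "WARN $pct"; return 1; fi
  echo "OK $pct"
  return 0
}

# Read the live counters on this host and classify them.
check_dom0_conntrack() {
  paths=$(conntrack_paths) || { echo "OK 0 (conntrack not loaded)"; return 0; }
  set -- $paths
  conntrack_status "$(cat "$1")" "$(cat "$2")"
}

# When run directly as conntrack_check.sh (assumed file name), print the
# status and use its level as the exit code, so cron or a monitoring
# agent can alert on non-zero.
if [ "${0##*/}" = "conntrack_check.sh" ]; then
  check_dom0_conntrack
  exit $?
fi
```

The maximum it compares against is the same sysctl (ip_conntrack_max or nf_conntrack_max) that the kernel consults before logging the "table full" message.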