
[Xen-devel] Networking issue with "conntracking" after upgrade Xen 3.2 > 4.0


  • To: xen-devel@xxxxxxxxxxxxxxxxxxx
  • From: Olivier Hanesse <olivier.hanesse@xxxxxxxxx>
  • Date: Fri, 17 Dec 2010 16:48:44 +0100
  • Delivery-date: Fri, 17 Dec 2010 07:49:43 -0800
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Hi,

I recently upgraded a Debian Xen 3.2 system to Xen 4.
Then I started to see some strange kernel logs: "nf_conntrack: table full, dropping packet."

I was pretty sure not to have enabled conntracking in my dom0.
I found out that it was revision "19540" of the "vif-common.sh" script that loads the nf_conntrack module.

So now my dom0 logs every connection my domUs are doing. With a few domUs, I am reaching the limit of the conntrack table very quickly.
On Debian the default "net.netfilter.nf_conntrack_max" is set to "16400".
I set it to "65536" to temporarily resolve my network issue, but that's not the point.

Is it possible to add an option in the xend-config.sxp configuration file, something like (handle_iptable yes/no), to choose whether we want to handle iptables or not?

Moreover, for example on Debian, the FORWARD policy is set to ACCEPT by default. So adding these rules is useless BUT they are loading some modules which can lead to a network issue :(

Regards

Olivier
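When the "table full, dropping packet" message appears, the practical question for the dom0 operator is which guest is filling the table and how close to `nf_conntrack_max` the host is running. The following Python script is an added example written for this thread; it is not code from the poster or from Xen. It parses the `/proc/net/nf_conntrack` line format (original-direction `src=` is the first `src=` on each line), counts tracked flows per source address, and compares the total against a configured limit (the Debian default of 16400 quoted above). The sample entries embedded in the script are constructed with documentation addresses; on a real host the script reads `/proc/net/nf_conntrack` when it is present.

```python
import os
from collections import Counter

# Constructed sample of /proc/net/nf_conntrack entries (one tracked flow
# per line). Addresses are documentation ranges, not real hosts.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=43210 dport=80 src=192.0.2.10 dst=10.0.0.5 sport=80 dport=43210 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 110 TIME_WAIT src=10.0.0.5 dst=192.0.2.11 sport=43211 dport=443 src=192.0.2.11 dst=10.0.0.5 sport=443 dport=43211 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=10.0.0.7 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=10.0.0.7 sport=53 dport=5353 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=192.0.2.12 sport=50000 dport=22 src=192.0.2.12 dst=10.0.0.7 sport=22 dport=50000 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=192.0.2.13 sport=50001 dport=22 src=192.0.2.13 dst=10.0.0.7 sport=22 dport=50001 [ASSURED] mark=0 use=2
"""

# Debian default quoted in the mail; the real value lives in
# /proc/sys/net/netfilter/nf_conntrack_max.
DEFAULT_CONNTRACK_MAX = 16400
WARN_PERCENT = 80.0  # assumed alerting threshold, chosen for this example


def parse_conntrack(text):
    """Parse nf_conntrack lines into dicts: proto, state, src, dst, dport.

    The first src=/dst=/dport= tokens belong to the original direction of
    the flow, so they identify the guest that opened the connection.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or "=" in tokens[2]:
            continue  # skip blank or malformed lines
        proto = tokens[2]
        # TCP entries carry a state word after the timeout; UDP does not.
        state = tokens[5] if "=" not in tokens[5] else None
        fields = {}
        for tok in tokens:
            if "=" in tok:
                key, _, value = tok.partition("=")
                fields.setdefault(key, value)  # keep first (original dir)
        entries.append({
            "proto": proto,
            "state": state,
            "src": fields.get("src"),
            "dst": fields.get("dst"),
            "dport": fields.get("dport"),
        })
    return entries


def flows_per_source(entries):
    """Count tracked flows by originating address (typically a domU)."""
    return Counter(e["src"] for e in entries if e["src"])


def table_usage(count, conntrack_max):
    """Percentage of the conntrack table in use."""
    if conntrack_max <= 0:
        raise ValueError("nf_conntrack_max must be positive")
    return 100.0 * count / conntrack_max


def summarize(text, conntrack_max=DEFAULT_CONNTRACK_MAX):
    """Return totals, per-source counts and whether the table is near full."""
    entries = parse_conntrack(text)
    percent = table_usage(len(entries), conntrack_max)
    return {
        "total": len(entries),
        "per_source": flows_per_source(entries),
        "percent": percent,
        "warn": percent >= WARN_PERCENT,
    }


def read_proc_or_sample():
    """Use the live table when available, otherwise the constructed sample."""
    path = "/proc/net/nf_conntrack"
    if os.path.exists(path):
        with open(path) as fh:
            return fh.read()
    return SAMPLE_CONNTRACK


if __name__ == "__main__":
    report = summarize(read_proc_or_sample())
    print("tracked flows: %d (%.2f%% of table)" % (report["total"], report["percent"]))
    for src, n in report["per_source"].most_common():
        print("  %-15s %d" % (src, n))
    if report["warn"]:
        print("WARNING: conntrack table above %.0f%% usage" % WARN_PERCENT)
```

Run as root on the dom0 (the conntrack table is only readable there). The per-source breakdown tells you which guest is responsible when the table fills, which is more useful than simply raising `nf_conntrack_max`; if the module is loaded only as a side effect of the vif script rules and tracking is not wanted, the right fix is to avoid loading it rather than to keep growing the table.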
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
