WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-bugs

[Xen-bugs] [Bug 82] ip_conntrack not working in dom0 xen2 Fedora Core 4

To: xen-bugs@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-bugs] [Bug 82] ip_conntrack not working in dom0 xen2 Fedora Core 4
From: bugzilla-daemon@xxxxxxxxxxxxxxxxxxx
Date: Mon, 29 Aug 2005 22:43:48 +0000
Delivery-date: Mon, 29 Aug 2005 22:43:52 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-bugs-request@lists.xensource.com?subject=help>
List-id: Xen Bugzilla <xen-bugs.lists.xensource.com>
List-post: <mailto:xen-bugs@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=unsubscribe>
Reply-to: bugs@xxxxxxxxxxxxxxxxxx
Sender: xen-bugs-bounces@xxxxxxxxxxxxxxxxxxx
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=82


spshealy@xxxxxxxxxxxx changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |




------- Additional Comments From spshealy@xxxxxxxxxxxx  2005-08-29 22:43 -------
I seem to be having the same problem. I am running unstable from Aug 25 with
debian sarge for both dom0 and domU. I have iptables set up on dom0 to firewall
for both dom0 and domUs (using the forward chain). I am running on a dell 1850
which has an e1000 in it... I am also seeing bug #185. I had this current problem
before the introduction of bug 185.

My symptoms are that connections seem to be stalling out.  Looking further into
my logs I see that established connections are getting forgotten by iptables
and being blocked by the firewall for both dom0 and domUs.  Also, empirically it
seems that the behaviour only occurs after the box has been up for a little while.

Below is cut from one of my logs (IPs changed).  What's going on here is that I
have an http connection and it can't close the connection.  So the http client
appears to hang. I have also seen this happen with an established ssh session,
usually when cat'ing a large text file. Once this happens for the ssh session...
game over, the connection is no longer useful. I have seen this happen on both
dom0 and domUs... and have also seen it with just the plain ACK flag set.

I am not an expert iptables guy but I think I have it right... please let me
know if I don't. Maybe this bug should be reopened.  Food for thought.

Aug 29 17:34:31 localhost kernel: PASS-unknown:IN=xen-br0 OUT=xen-br0 PHYSIN=eth0 PHYSOUT=vif2.0 SRC=167.7.9.9 DST=207.235.11.11 LEN=72 TOS=0x00 PREC=0x00 TTL=52 ID=14663 PROTO=TCP SPT=3519 DPT=80 WINDOW=15216 RES=0x00 ACK FIN URGP=0
Aug 29 17:34:33 localhost kernel: PASS-unknown:IN=xen-br0 OUT=xen-br0 PHYSIN=eth0 PHYSOUT=vif2.0 SRC=167.7.9.9 DST=207.235.11.11 LEN=80 TOS=0x00 PREC=0x00 TTL=52 ID=14665 PROTO=TCP SPT=3519 DPT=80 WINDOW=15216 RES=0x00 ACK URGP=0


My firewall config for dom0 doing filtering on the bridge:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
in_i1      all  --  anywhere             anywhere            
in_i2      all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED 
LOG        all  --  anywhere             anywhere            limit: avg 1/sec
burst 5 LOG level warning prefix `IN-unknown:' 
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
in_r1      all  --  anywhere             anywhere            PHYSDEV match
--physdev-in eth0 --physdev-out vif+ 
out_r1     all  --  anywhere             anywhere            PHYSDEV match
--physdev-in vif+ --physdev-out eth0 
ACCEPT     all  --  anywhere             anywhere            state RELATED 
LOG        all  --  anywhere             anywhere            limit: avg 1/sec
burst 5 LOG level warning prefix `PASS-unknown:' 
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
out_i1     all  --  anywhere             anywhere            
out_i2     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED 
LOG        all  --  anywhere             anywhere            limit: avg 1/sec
burst 5 LOG level warning prefix `OUT-unknown:' 
DROP       all  --  anywhere             anywhere            

Chain in_i1 (1 references)
target     prot opt source               destination         
in_i1_ssh_s1  all  --  anywhere             anywhere            
in_i1_ping_s2  all  --  anywhere             anywhere            
in_i1_all_c3  all  --  anywhere             anywhere            
in_i1_irc_c4  all  --  anywhere             anywhere            
in_i1_ftp_c5  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED 
LOG        all  --  anywhere             anywhere            limit: avg 1/sec
burst 5 LOG level warning prefix `IN-i1:' 
DROP       all  --  anywhere             anywhere            

Chain in_i1_all_c3 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED 

Chain in_i1_ftp_c5 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp
dpts:1024:4999 state ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data
dpts:1024:4999 state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535
dpts:1024:4999 state ESTABLISHED 

Chain in_i1_irc_c4 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ircd
dpts:1024:4999 state ESTABLISHED 

Chain in_i1_ping_s2 (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            state
NEW,ESTABLISHED icmp echo-request 

Chain in_i1_ssh_s1 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535
dpt:ssh state NEW,ESTABLISHED 

Chain in_i2 (1 references)
target     prot opt source               destination         
in_i2_ssh_s1  all  --  anywhere             anywhere            
in_i2_ping_s2  all  --  anywhere             anywhere            
in_i2_all_c3  all  --  anywhere             anywhere            
in_i2_irc_c4  all  --  anywhere             anywhere            
in_i2_ftp_c5  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED 
LOG        all  --  anywhere             anywhere            limit: avg 1/sec
burst 5 LOG level warning prefix `IN-i2:' 
DROP       all  --  anywhere             anywhere            

Chain in_i2_all_c3 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED 

Chain in_i2_ftp_c5 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp
dpts:1024:4999 state ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data
dpts:1024:4999 state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535
dpts:1024:4999 state ESTABLISHED 

Chain in_i2_irc_c4 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ircd
dpts:1024:4999 state ESTABLISHED 

Chain in_i2_ping_s2 (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            state
NEW,ESTABLISHED icmp echo-request 

Chain in_i2_ssh_s1 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535
dpt:ssh state NEW,ESTABLISHED 

Chain in_r1 (1 references)
target     prot opt source               destination         
in_r1_ssh_s1  all  --  anywhere             anywhere            
in_r1_http_s2  all  --  anywhere             anywhere            
in_r1_ping_s3  all  --  anywhere             anywhere            
in_r1_smtp_s4  all  --  anywhere             anywhere            
in_r1_all_c5  all  --  anywhere             anywhere            
in_r1_irc_c6  all  --  anywhere             anywhere            
in_r1_ftp_c7  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED 

Chain in_r1_all_c5 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED 

Chain in_r1_ftp_c7 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp
dpts:1024:65535 state ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data
dpts:1024:65535 state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535
dpts:1024:65535 state ESTABLISHED 

Chain in_r1_http_s2 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535
dpt:www state NEW,ESTABLISHED 

Chain in_r1_irc_c6 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ircd
dpts:1024:65535 state ESTABLISHED 

Chain in_r1_ping_s3 (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            state
NEW,ESTABLISHED icmp echo-request 

Chain in_r1_smtp_s4 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             m12.graysail.com    tcp spts:1024:65535
dpt:smtp state NEW,ESTABLISHED 

Chain in_r1_ssh_s1 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535
dpt:ssh state NEW,ESTABLISHED 

Chain out_i1 (1 references)
target     prot opt source               destination         
out_i1_ssh_s1  all  --  anywhere             anywhere            
out_i1_ping_s2  all  --  anywhere             anywhere            
out_i1_all_c3  all  --  anywhere             anywhere            
out_i1_irc_c4  all  --  anywhere             anywhere            
out_i1_ftp_c5  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED 
LOG        all  --  anywhere             anywhere            limit: avg 1/sec
burst 5 LOG level warning prefix `OUT-i1:' 
DROP       all  --  anywhere             anywhere            

Chain out_i1_all_c3 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state 
NEW,ESTABLISHED 

Chain out_i1_ftp_c5 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:4999
dpt:ftp state NEW,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:4999
dpt:ftp-data state ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:4999
dpts:1024:65535 state RELATED,ESTABLISHED 

Chain out_i1_irc_c4 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:4999
dpt:ircd state NEW,ESTABLISHED 

Chain out_i1_ping_s2 (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            state ESTABLISHED
icmp echo-reply 

Chain out_i1_ssh_s1 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
dpts:1024:65535 state ESTABLISHED 

Chain out_i2 (1 references)
target     prot opt source               destination         
out_i2_ssh_s1  all  --  anywhere             anywhere            
out_i2_ping_s2  all  --  anywhere             anywhere            
out_i2_all_c3  all  --  anywhere             anywhere            
out_i2_irc_c4  all  --  anywhere             anywhere            
out_i2_ftp_c5  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED 
LOG        all  --  anywhere             anywhere            limit: avg 1/sec
burst 5 LOG level warning prefix `OUT-i2:' 
DROP       all  --  anywhere             anywhere            

Chain out_i2_all_c3 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state 
NEW,ESTABLISHED 

Chain out_i2_ftp_c5 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:4999
dpt:ftp state NEW,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:4999
dpt:ftp-data state ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:4999
dpts:1024:65535 state RELATED,ESTABLISHED 

Chain out_i2_irc_c4 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:4999
dpt:ircd state NEW,ESTABLISHED 

Chain out_i2_ping_s2 (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            state ESTABLISHED
icmp echo-reply 

Chain out_i2_ssh_s1 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
dpts:1024:65535 state ESTABLISHED 

Chain out_r1 (1 references)
target     prot opt source               destination         
out_r1_ssh_s1  all  --  anywhere             anywhere            
out_r1_http_s2  all  --  anywhere             anywhere            
out_r1_ping_s3  all  --  anywhere             anywhere            
out_r1_smtp_s4  all  --  anywhere             anywhere            
out_r1_all_c5  all  --  anywhere             anywhere            
out_r1_irc_c6  all  --  anywhere             anywhere            
out_r1_ftp_c7  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED 

Chain out_r1_all_c5 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state 
NEW,ESTABLISHED 

Chain out_r1_ftp_c7 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535
dpt:ftp state NEW,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535
dpt:ftp-data state ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535
dpts:1024:65535 state RELATED,ESTABLISHED 

Chain out_r1_http_s2 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www
dpts:1024:65535 state ESTABLISHED 

Chain out_r1_irc_c6 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535
dpt:ircd state NEW,ESTABLISHED 

Chain out_r1_ping_s3 (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            state ESTABLISHED
icmp echo-reply 

Chain out_r1_smtp_s4 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  m12.graysail.com     anywhere            tcp spt:smtp
dpts:1024:65535 state ESTABLISHED 

Chain out_r1_ssh_s1 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
dpts:1024:65535 state ESTABLISHED 


Output of ifconfig
eth0      Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:219817 errors:0 dropped:0 overruns:0 frame:0
          TX packets:189417 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:38944429 (37.1 MiB)  TX bytes:104933903 (100.0 MiB)
          Base address:0xdcc0 Memory:dfae0000-dfb00000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

veth0     Link encap:Ethernet  HWaddr 00:14:22:0F:3B:53
          inet addr:207.235.9.9  Bcast:207.235.9.112  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:63364 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28120 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5947899 (5.6 MiB)  TX bytes:5540885 (5.2 MiB)

vif0.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28120 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63364 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5540885 (5.2 MiB)  TX bytes:5947899 (5.6 MiB)

vif2.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:143400 errors:0 dropped:0 overruns:0 frame:0
          TX packets:155990 errors:0 dropped:23 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:90660971 (86.4 MiB)  TX bytes:19900098 (18.9 MiB)

xen-br0   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:39667 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2467175 (2.3 MiB)  TX bytes:0 (0.0 b)



-- 
Configure bugmail: 
http://bugzilla.xensource.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

_______________________________________________
Xen-bugs mailing list
Xen-bugs@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-bugs
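
A triage sketch for the log excerpt in the comment above, added here as an example and not part of the original bug comment: it parses netfilter LOG lines and groups TCP packets that reached a catch-all LOG rule without the SYN flag set, which is the pattern the reporter describes for established connections being forgotten. The function names and the third sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first two lines follow the report's log excerpt
# (mail wrapping removed); the third is an invented SYN to a port the ruleset
# does not allow, included as an ordinary policy hit for contrast.
SAMPLE_LOG = """\
Aug 29 17:34:31 localhost kernel: PASS-unknown:IN=xen-br0 OUT=xen-br0 PHYSIN=eth0 PHYSOUT=vif2.0 SRC=167.7.9.9 DST=207.235.11.11 LEN=72 TOS=0x00 PREC=0x00 TTL=52 ID=14663 PROTO=TCP SPT=3519 DPT=80 WINDOW=15216 RES=0x00 ACK FIN URGP=0
Aug 29 17:34:33 localhost kernel: PASS-unknown:IN=xen-br0 OUT=xen-br0 PHYSIN=eth0 PHYSOUT=vif2.0 SRC=167.7.9.9 DST=207.235.11.11 LEN=80 TOS=0x00 PREC=0x00 TTL=52 ID=14665 PROTO=TCP SPT=3519 DPT=80 WINDOW=15216 RES=0x00 ACK URGP=0
Aug 29 17:35:02 localhost kernel: PASS-unknown:IN=xen-br0 OUT=xen-br0 PHYSIN=eth0 PHYSOUT=vif2.0 SRC=198.51.100.7 DST=207.235.11.11 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4021 PROTO=TCP SPT=40112 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# "kernel: <log-prefix>:IN=..." as produced by the LOG target with a prefix
LINE_RE = re.compile(r"kernel: (?P<prefix>\S+?):(?P<body>IN=.*)$")
# TCP flags are the bare words between RES=... and URGP=...
FLAGS_RE = re.compile(r"RES=\S+\s+(?P<flags>.*?)\s*URGP=")


def parse_line(line):
    """Return the KEY=value fields of one LOG line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    fields = dict(re.findall(r"(\w+)=(\S*)", body))
    fm = FLAGS_RE.search(body)
    fields["FLAGS"] = fm.group("flags").split() if fm else []
    fields["PREFIX"] = m.group("prefix")
    return fields


def midstream_flows(log_text):
    """Group logged TCP packets that carry no SYN by (prefix, src, sport, dst, dport).

    A packet without SYN belongs to a connection that already existed, so
    seeing it at the final LOG rule means no ESTABLISHED/RELATED rule matched it.
    """
    flows = defaultdict(list)
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if not pkt or pkt.get("PROTO") != "TCP":
            continue
        if "SYN" in pkt["FLAGS"]:
            continue  # new connection attempt: an ordinary policy hit
        key = (pkt["PREFIX"], pkt["SRC"], int(pkt["SPT"]),
               pkt["DST"], int(pkt["DPT"]))
        flows[key].append(" ".join(pkt["FLAGS"]))
    return dict(flows)


if __name__ == "__main__":
    for flow, flags in midstream_flows(SAMPLE_LOG).items():
        print(flow, "->", flags)
```

Flows that keep appearing here for ports the ruleset allows with `state NEW,ESTABLISHED` are the ones worth comparing against the connection-tracking table on dom0.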
