WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-users

Re: [Xen-users] Problem start iptables - udp broken

On Tue, 28 Nov 2006, Abel Martín wrote:


....

> I forgot to ask you. Are you trying to filter traffic for domU in
> dom0? If you are trying to do this with iptables and Xen bridged
> networking it makes no sense, since a bridged device is a link layer
> device and iptables works above it at the network and transport layers. If you
> are using Xen routed networking I have no experience with such a
> configuration.

Oh yes...
So far I had also assumed that eth0 sees everything.
Now I have read xenwiki/XenNetworking and understand... perhaps.
(see the question in my reply to "11/28/06, Bill Maidment")

The iptables rules were not explicitly bound to an interface.

...the light goes on...
I also tested what happens if I bind iptables explicitly to peth0.
---------------------------------------------------------------------

EXTIF="peth0"
$IPTABLES -i $EXTIF -A INPUT -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "IN test: "
$IPTABLES -i $EXTIF -A INPUT -p tcp -s 0/0 -m multiport --dport 23 -j DROP
$IPTABLES -i $EXTIF -A FORWARD -p tcp -s 0/0 -d 193.123.123.86 -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "fw nas: "
$IPTABLES -i $EXTIF -A FORWARD -p tcp -s 0/0 -d 193.123.123.86 -m multiport --dport 23 -j DROP


---------------------------------------------------------------------
 - l0:vif2.0 and l1:eth0 were captured at the same time only
 - test command: $ ls -laR ~

l0:~# tcpdump -vv -n -i peth0  host nfsserver and udp
08:02:47.777591 IP (tos 0x0, ttl 255, id 38933, offset 0, flags [DF],
length: 140) 193.123.123.85.2049 > 193.123.123.86.803770947: reply ok 112 getattr DIR 755 ids 1104/110 [|nfs]
08:02:47.778281 IP (tos 0x0, ttl  64, id 13432, offset 0, flags [DF],
length: 140) 193.123.123.86.820548163 > 193.123.123.85.2049: 112 access
[|nfs]
08:02:47.778517 IP (tos 0x0, ttl 255, id 38934, offset 0, flags [DF],
length: 148) 193.123.123.85.2049 > 193.123.123.86.820548163: reply ok 120
access attr:
DIR 755 ids 1104/110 [|nfs]
08:02:47.779239 IP (tos 0x0, ttl  64, id 13433, offset 0, flags [DF],
length: 160) 193.123.123.86.837325379 > 193.123.123.85.2049: 132
readdirplus [|nfs]
08:02:47.780179 IP (tos 0x0, ttl 255, id 38935, offset 0, flags [+, DF],
length: 1500) 193.123.123.85.2049 > 193.123.123.86.837325379: reply ok 1472 readdirplus POST: DIR 755 ids 1104/110 [|nfs]
08:02:47.780198 IP (tos 0x0, ttl 255, id 38935, offset 1480, flags [DF],
length: 116) 193.123.123.85 > 193.123.123.86: udp
08:02:49.368860 IP (tos 0x0, ttl  64, id 13434, offset 0, flags [DF],
length: 160) 193.123.123.86.837325379 > 193.123.123.85.2049: 132
readdirplus [|nfs]
08:02:49.369606 IP (tos 0x0, ttl 255, id 38936, offset 0, flags [+, DF],
length: 1500) 193.123.123.85.2049 > 193.123.123.86.837325379: reply ok 1472 readdirplus POST: DIR 755 ids 1104/110 [|nfs]
08:02:49.369631 IP (tos 0x0, ttl 255, id 38936, offset 1480, flags [DF],
length: 116) 193.123.123.85 > 193.123.123.86: udp
08:02:52.568438 IP (tos 0x0, ttl  64, id 13435, offset 0, flags [DF],
length: 160) 193.123.123.86.837325379 > 193.123.123.85.2049: 132
readdirplus [|nfs]
08:02:52.569225 IP (tos 0x0, ttl 255, id 38937, offset 0, flags [+, DF],
length: 1500) 193.123.123.85.2049 > 193.123.123.86.837325379: reply ok 1472 readdirplus POST: DIR 755 ids 1104/110 [|nfs]
08:02:52.569245 IP (tos 0x0, ttl 255, id 38937, offset 1480, flags [DF],
length: 116) 193.123.123.85 > 193.123.123.86: udp

## vif="vif`xm list | grep vm3 | awk '{ print $2}'`.0"
l0:~# tcpdump -vv -n -i vif2.0  host nfsserver and udp
08:03:18.118795 IP (tos 0x0, ttl  64, id 16811, offset 0, flags [DF],
length: 140) 193.123.123.86.1626706499 > 193.123.123.85.2049: 112 access
[|nfs]
08:03:18.119052 IP (tos 0x0, ttl 255, id 42340, offset 0, flags [DF],
length: 148) 193.123.123.85.2049 > 193.123.123.86.1626706499: reply ok 120
access attr:
 DIR 755 ids 1104/110 [|nfs]
08:03:18.119796 IP (tos 0x0, ttl  64, id 16812, offset 0, flags [DF],
length: 136) 193.123.123.86.1643483715 > 193.123.123.85.2049: 108 getattr
[|nfs]
08:03:18.120072 IP (tos 0x0, ttl 255, id 42341, offset 0, flags [DF],
length: 140) 193.123.123.85.2049 > 193.123.123.86.1643483715: reply ok 112
getattr REG
644 ids 1104/110 [|nfs]
08:03:18.120813 IP (tos 0x0, ttl  64, id 16813, offset 0, flags [DF],
length: 136) 193.123.123.86.1660260931 > 193.123.123.85.2049: 108 getattr
[|nfs]
08:03:18.121081 IP (tos 0x0, ttl 255, id 42342, offset 0, flags [DF],
length: 140) 193.123.123.85.2049 > 193.123.123.86.1660260931: reply ok 112
getattr REG
644 ids 1104/110 [|nfs]
08:03:18.121790 IP (tos 0x0, ttl  64, id 16814, offset 0, flags [DF],
length: 136) 193.123.123.86.1677038147 > 193.123.123.85.2049: 108 getattr
[|nfs]
08:03:18.122050 IP (tos 0x0, ttl 255, id 42343, offset 0, flags [DF],
length: 140) 193.123.123.85.2049 > 193.123.123.86.1677038147: reply ok 112
getattr REG
644 ids 1104/110 [|nfs]
08:03:18.122710 IP (tos 0x0, ttl  64, id 16815, offset 0, flags [DF],
length: 136) 193.123.123.86.1693815363 > 193.123.123.85.2049: 108 getattr
[|nfs]
08:03:18.122969 IP (tos 0x0, ttl 255, id 42344, offset 0, flags [DF],
length: 140) 193.123.123.85.2049 > 193.123.123.86.1693815363: reply ok 112
getattr REG
755 ids 1104/110 [|nfs]
08:03:18.123604 IP (tos 0x0, ttl  64, id 16816, offset 0, flags [DF],
length: 136) 193.123.123.86.1710592579 > 193.123.123.85.2049: 108 getattr
[|nfs]
0) 193.123.123.85.2049 > 193.123.123.86.1710592579: reply ok 112 getattr
REG 644 ids 1104/110 [|nfs]
08:03:18.125002 IP (tos 0x0, ttl  64, id 16817, offset 0, flags [DF],
length: 136) 193.123.123.86.1727369795 > 193.123.123.85.2049: 108 getattr
[|nfs]
08:03:18.125249 IP (tos 0x0, ttl 255, id 42346, offset 0, flags [DF],
length: 140) 193.123.123.85.2049 > 193.123.123.86.1727369795: reply ok 112
getattr REG
644 ids 1104/110 [|nfs]
08:03:18.125899 IP (tos 0x0, ttl  64, id 16818, offset 0, flags [DF],
length: 136) 193.123.123.86.1744147011 > 193.123.123.85.2049: 108 getattr
[|nfs]
08:03:18.126161 IP (tos 0x0, ttl 255, id 42347, offset 0, flags [DF],
length: 140) 193.123.123.85.2049 > 193.123.123.86.1744147011: reply ok 112
getattr REG
644 ids 1104/110 [|nfs]
08:03:18.126794 IP (tos 0x0, ttl  64, id 16819, offset 0, flags [DF],
length: 136) 193.123.123.86.1760924227 > 193.123.123.85.2049: 108 getattr
[|nfs]
08:03:18.127053 IP (tos 0x0, ttl 255, id 42348, offset 0, flags [DF],
length: 140) 193.123.123.85.2049 > 193.123.123.86.1760924227: reply ok 112
getattr REG
644 ids 1104/110 [|nfs]
08:03:18.127759 IP (tos 0x0, ttl  64, id 16820, offset 0, flags [DF],
length: 136) 193.123.123.86.1777701443 > 193.123.123.85.2049: 108 getattr
[|nfs]
08:03:18.128021 IP (tos 0x0, ttl 255, id 42349, offset 0, flags [DF],
length: 140) 193.123.123.85.2049 > 193.123.123.86.1777701443: reply ok 112
getattr REG
644 ids 1104/110 [|nfs]
08:03:18.128688 IP (tos 0x0, ttl  64, id 16821, offset 0, flags [DF],
length: 136) 193.123.123.86.1794478659 > 193.123.123.85.2049: 108 getattr
[|nfs]
08:03:18.128950 IP (tos 0x0, ttl 255, id 42350, offset 0, flags [DF],
length: 140) 193.123.123.85.2049 > 193.123.123.86.1794478659: reply ok 112
getattr REG
644 ids 1104/110 [|nfs]
08:03:18.129660 IP (tos 0x0, ttl  64, id 16822, offset 0, flags [DF],
length: 136) 193.123.123.86.1811255875 > 193.123.123.85.2049: 108 getattr
[|nfs]
08:03:18.129919 IP (tos 0x0, ttl 255, id 42351, offset 0, flags [DF],
length: 140) 193.123.123.85.2049 > 193.123.123.86.1811255875: reply ok 112
getattr REG
644 ids 1104/110 [|nfs]
08:03:18.131141 IP (tos 0x0, ttl  64, id 16823, offset 0, flags [DF],
length: 136) 193.123.123.86.1828033091 > 193.123.123.85.2049: 108 getattr
[|nfs]

l1:~# tcpdump -vv -n -i eth0  host nfsserver   and udp
08:03:18.118610 IP (tos 0x0, ttl 255, id 42339, offset 0, flags [DF],
length: 140) 193.123.123.85.2049 > 193.123.123.86.1609929283: reply ok 112
getattr DIR
755 ids 1104/110 [|nfs]
08:03:18.118752 IP (tos 0x0, ttl  64, id 16811, offset 0, flags [DF],
length: 140) 193.123.123.86.1626706499 > 193.123.123.85.2049: 112 access
[|nfs]
08:03:18.119404 IP (tos 0x0, ttl 255, id 42340, offset 0, flags [DF],
length: 148) 193.123.123.85.2049 > 193.123.123.86.1626706499: reply ok 120
access attr:
 DIR 755 ids 1104/110 [|nfs]
08:03:18.119745 IP (tos 0x0, ttl  64, id 16812, offset 0, flags [DF],
length: 136) 193.123.123.86.1643483715 > 193.123.123.85.2049: 108 getattr
[|nfs]
08:03:18.120688 IP (tos 0x0, ttl  64, id 16813, offset 0, flags [DF],
length: 136) 193.123.123.86.1660260931 > 193.123.123.85.2049: 108 getattr
[|nfs]
08:03:18.121740 IP (tos 0x0, ttl  64, id 16814, offset 0, flags [DF],
length: 136) 193.123.123.86.1677038147 > 193.123.123.85.2049: 108 getattr
[|nfs]
08:03:18.122663 IP (tos 0x0, ttl  64, id 16815, offset 0, flags [DF],
length: 136) 193.123.123.86.1693815363 > 193.123.123.85.2049: 108 getattr
[|nfs]
08:03:18.123557 IP (tos 0x0, ttl  64, id 16816, offset 0, flags [DF],
length: 136) 193.123.123.86.1710592579 > 193.123.123.85.2049: 108 getattr
[|nfs]
08:03:18.377483 IP (tos 0x0, ttl  64, id 16828, offset 0, flags [DF],
length: 160) 193.123.123.86.1895141955 > 193.123.123.85.2049: 132
readdirplus [|nfs]
08:03:18.865407 IP (tos 0x0, ttl  64, id 16829, offset 0, flags [DF],
length: 160) 193.123.123.86.1895141955 > 193.123.123.85.2049: 132
readdirplus [|nf

---------------------------------------------------------------------------

- If one has a lot of time, one also sees packets in both directions
from time to time....

-> UDP packets are not blocked in general.

- Why is the knot only untied after removing the ip_conntrack module?

- to reproduce this problem it is sufficient to:
  # modprobe ip_conntrack



>
> Or maybe you are trying to run iptables on domU... Please, provide this info.
>

Impractical.
The server is in production use.
(I would also have to compile modules and a new kernel and reboot all VMs)


regards Torsten
launoc

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
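As an added example, not code from the original message or from the Xen project: a small Python script that pairs the NFS requests and replies in the quoted `tcpdump -vv -n` captures by RPC transaction id (xid), so that retransmitted requests (the repeated readdirplus calls) and IP-fragmented replies (flags containing `+`) stand out instead of having to be spotted by eye. In `-vv` output tcpdump prints the xid in place of the client's UDP port, which is what the pairing relies on. The sample capture text is transcribed from the message above and kept in the wrapped form the archive shows; the function names and the exact field layout assumed for tcpdump's output are the example's own assumptions.

```python
"""Summarize NFS-over-UDP traffic in `tcpdump -vv -n` output by RPC xid.

A request is printed as `client.xid > server.2049: N op` and its reply as
`server.2049 > client.xid: reply ok ...`; a reply whose flags contain '+'
was IP-fragmented (the continuation fragment carries no UDP header).
"""
import re
from collections import defaultdict

# A record starts with a timestamp; the archive wraps long records, so a
# line without one is treated as a continuation of the previous record.
RECORD_START = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
RECORD = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos \S+, ttl\s+\d+, id (?P<id>\d+), "
    r"offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], length: (?P<len>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<payload>.*)$"
)
NFS_PORT = "2049"

# Sample input transcribed from the captures quoted in the message above
# (first peth0 in dom0, then eth0 inside the domU).
PETH0_CAPTURE = """
08:02:47.777591 IP (tos 0x0, ttl 255, id 38933, offset 0, flags [DF],
length: 140) 193.123.123.85.2049 > 193.123.123.86.803770947: reply ok 112 getattr DIR 755 ids 1104/110 [|nfs]
08:02:47.778281 IP (tos 0x0, ttl  64, id 13432, offset 0, flags [DF],
length: 140) 193.123.123.86.820548163 > 193.123.123.85.2049: 112 access [|nfs]
08:02:47.778517 IP (tos 0x0, ttl 255, id 38934, offset 0, flags [DF],
length: 148) 193.123.123.85.2049 > 193.123.123.86.820548163: reply ok 120 access attr: DIR 755 ids 1104/110 [|nfs]
08:02:47.779239 IP (tos 0x0, ttl  64, id 13433, offset 0, flags [DF],
length: 160) 193.123.123.86.837325379 > 193.123.123.85.2049: 132 readdirplus [|nfs]
08:02:47.780179 IP (tos 0x0, ttl 255, id 38935, offset 0, flags [+, DF],
length: 1500) 193.123.123.85.2049 > 193.123.123.86.837325379: reply ok 1472 readdirplus POST: DIR 755 ids 1104/110 [|nfs]
08:02:47.780198 IP (tos 0x0, ttl 255, id 38935, offset 1480, flags [DF],
length: 116) 193.123.123.85 > 193.123.123.86: udp
08:02:49.368860 IP (tos 0x0, ttl  64, id 13434, offset 0, flags [DF],
length: 160) 193.123.123.86.837325379 > 193.123.123.85.2049: 132 readdirplus [|nfs]
08:02:49.369606 IP (tos 0x0, ttl 255, id 38936, offset 0, flags [+, DF],
length: 1500) 193.123.123.85.2049 > 193.123.123.86.837325379: reply ok 1472 readdirplus POST: DIR 755 ids 1104/110 [|nfs]
08:02:49.369631 IP (tos 0x0, ttl 255, id 38936, offset 1480, flags [DF],
length: 116) 193.123.123.85 > 193.123.123.86: udp
08:02:52.568438 IP (tos 0x0, ttl  64, id 13435, offset 0, flags [DF],
length: 160) 193.123.123.86.837325379 > 193.123.123.85.2049: 132 readdirplus [|nfs]
08:02:52.569225 IP (tos 0x0, ttl 255, id 38937, offset 0, flags [+, DF],
length: 1500) 193.123.123.85.2049 > 193.123.123.86.837325379: reply ok 1472 readdirplus POST: DIR 755 ids 1104/110 [|nfs]
08:02:52.569245 IP (tos 0x0, ttl 255, id 38937, offset 1480, flags [DF],
length: 116) 193.123.123.85 > 193.123.123.86: udp
"""

DOMU_ETH0_CAPTURE = """
08:03:18.377483 IP (tos 0x0, ttl  64, id 16828, offset 0, flags [DF],
length: 160) 193.123.123.86.1895141955 > 193.123.123.85.2049: 132 readdirplus [|nfs]
08:03:18.865407 IP (tos 0x0, ttl  64, id 16829, offset 0, flags [DF],
length: 160) 193.123.123.86.1895141955 > 193.123.123.85.2049: 132 readdirplus [|nfs]
"""


def join_wrapped(text):
    """Re-join records that were wrapped onto several physical lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def split_addr(addr):
    """'193.123.123.86.837325379' -> ('193.123.123.86', '837325379')."""
    host, _, port = addr.rpartition(".")
    return host, port


def analyze(text):
    """Return {xid: {op, requests, replies, fragmented_reply}} for the capture."""
    xids = defaultdict(lambda: {"op": None, "requests": 0, "replies": 0,
                                "fragmented_reply": False})
    for rec in join_wrapped(text):
        m = RECORD.match(rec)
        if not m or int(m["off"]) != 0:
            continue  # unparsable line, or a non-first fragment without UDP header
        _, src_port = split_addr(m["src"])
        _, dst_port = split_addr(m["dst"])
        payload = m["payload"].split()
        if dst_port == NFS_PORT:        # request: client.xid > server.2049
            entry = xids[src_port]
            entry["requests"] += 1
            if entry["op"] is None and len(payload) >= 2:
                entry["op"] = payload[1]
        elif src_port == NFS_PORT:      # reply: server.2049 > client.xid
            entry = xids[dst_port]
            entry["replies"] += 1
            if "+" in m["flags"]:       # more-fragments bit set on the first fragment
                entry["fragmented_reply"] = True
    return dict(xids)


def retransmitted(text):
    """Only the xids that the client had to send more than once."""
    return {xid: e for xid, e in analyze(text).items() if e["requests"] > 1}


if __name__ == "__main__":
    for name, capture in (("peth0", PETH0_CAPTURE), ("domU eth0", DOMU_ETH0_CAPTURE)):
        print(f"== {name} ==")
        for xid, e in analyze(capture).items():
            print(f"xid {xid}: {e['op']} requests={e['requests']} "
                  f"replies={e['replies']} fragmented_reply={e['fragmented_reply']}")
```

Run stand-alone it prints one line per xid for each capture; on the peth0 capture the readdirplus xid shows three requests, each answered with a fragmented reply, while on the domU side the readdirplus xid shows two requests and no reply at all. To use it on a live system, feed it the text of `tcpdump -vv -n -i <iface> host <nfsserver> and udp` instead of the embedded samples.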