WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-users] Problem start iptables - udp broken (Workaround)

To: "Torsten Lehmann" <tlehmann@xxxxxxxxxxxxx>
Subject: Re: [Xen-users] Problem start iptables - udp broken (Workaround)
From: "Abel Martín" <abel.martin.ruiz@xxxxxxxxx>
Date: Wed, 29 Nov 2006 16:37:01 +0100
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 29 Nov 2006 07:37:38 -0800
In-reply-to: <Pine.LNX.4.53.0611291601270.13401@xxxxxxxxxxxxxxxxx>
On 11/29/06, Torsten Lehmann <tlehmann@xxxxxxxxxxxxx> wrote:
On Wed, 29 Nov 2006, Torsten Lehmann wrote:

>
> - If one has a lot of time, then one also sees, from time to time,
> some packets in both directions....
>
> -> UDP packets are not blocked in general.
>
> - Why is the knot only solved after removing the module ip_conntrack?
>
> - to reproduce this problem, it is sufficient to run:
>   # modprobe ip_conntrack
>

- Workaround: remove ip_conntrack from the kernel:

# cd xen-3.0-testing/linux-2.6.16-xen0
# find . -name ip_conntrack.ko -exec rm -f {} \; -print
# find /lib/modules/`uname -r` -name ip_conntrack.ko -exec rm -f {} \; -print

l0# diff .config.old .config
...
< CONFIG_IP_NF_CONNTRACK=m
> # CONFIG_IP_NF_CONNTRACK is not set

l0:# make modules modules_install

l0:# /etc/init.d/netfilter start
Applying iptables firewall rules:
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
  - "No chain...": rules that need ip_conntrack

- the following rule set was tested:

  $IPTABLES -i $EXTIF -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
   # -> iptables: No chain/target/match by that name
   #    "--state" requires ip_conntrack

  $IPTABLES -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0  -j domU
  $IPTABLES -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0  -j domU
  $IPTABLES -A domU -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "IN testdomU: "
   # -> iptables: No chain/target/match by that name
   #    "-m physdev" requires ip_conntrack (??)

Did you create the chain named domU with "iptables -N domU"? The
iptables state module won't work without the conntrack module. Please,
don't disable ip_conntrack and don't just copy and paste the rules I
sent. Adapt them to your needs. In my box there's no peth0, but eth0.
This is because of the way the networking scripts configure Xen networking,
depending on the Xen package one installs.


  $IPTABLES -i peth0 -A INPUT -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "IN testpeth: "
   # -> no match... rule not working

  $IPTABLES -A INPUT -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "IN test: "
   # -> match....OK


regards Torsten
Launoc



Regards.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
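As an added example (not code from the thread or from Xen's own network scripts), the rule set discussed above rebuilt the way the reply asks for: ip_conntrack is loaded before any "-m state" rule, the domU chain is created with "-N domU" before anything jumps to it, and a dry-run check flags jumps to chains that have not been created yet. Interface names (eth0 on the bridged domU side, peth0 as the external NIC) and the log level are assumptions to adapt to the local setup.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names (eth0 on the bridged
# domU side, peth0 as the external NIC) and the log level are assumptions.
IPTABLES="${IPTABLES:-iptables}"
EXTIF="${EXTIF:-peth0}"
LOG_LEVEL="${LOG_LEVEL:---log-level info}"

# "-m state" fails with "No chain/target/match by that name" when the conntrack
# module is missing, so load it before the rules. (The physdev match depends on
# the bridge netfilter code, not on ip_conntrack.)
ensure_conntrack() {
    grep -q '^ip_conntrack ' /proc/modules 2>/dev/null || modprobe ip_conntrack
}

# Emit the rules in dependency order: the user chain is created before anything
# jumps to it. With IPTABLES=echo this only prints the commands (dry run).
apply_rules() {
    $IPTABLES -N domU
    $IPTABLES -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m physdev --physdev-in eth0 ! --physdev-out eth0 -j domU
    $IPTABLES -A FORWARD -m physdev --physdev-out eth0 ! --physdev-in eth0 -j domU
    $IPTABLES -A domU -p tcp -m multiport --dports 23 -j LOG $LOG_LEVEL --log-prefix "IN testdomU: "
}

# Read a rule listing on stdin (one rule per line, as printed by the dry run)
# and print every user chain that is jumped to before being created with -N.
# Returns 1 if such a chain exists. Built-in targets are not chains and are skipped.
check_chain_order() {
    awk '
        BEGIN { rc = 0 }
        $1 == "-N" { defined[$2] = 1 }
        {
            for (i = 1; i < NF; i++) {
                t = $(i + 1)
                if ($i == "-j" && t !~ /^(ACCEPT|DROP|REJECT|LOG|RETURN|SNAT|DNAT|MASQUERADE)$/ &&
                    !defined[t] && !bad[t]) { bad[t] = 1; print t; rc = 1 }
            }
        }
        END { exit rc }'
}

case "${1:-}" in
    check) IPTABLES=echo; apply_rules | check_chain_order ;;   # dry run, no root needed
    apply) ensure_conntrack; apply_rules ;;
esac
```

Run with "check" first; it exits non-zero and names any chain that is used before it is created, which is exactly the situation that produces "No chain/target/match by that name" for an otherwise valid rule.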