WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Problem start iptables - udp broken (Workaround)

On Wed, 29 Nov 2006, Abel Martín wrote:

> 11/29/06, Torsten Lehmann <tlehmann@xxxxxxxxxxxxx> wrote:
> > On Wed, 29 Nov 2006, Torsten Lehmann wrote:
> >
> > >
> > > - If one has a lot of time, one also sees, from time to time,
> > > some packets in both directions....
> > >
> > > -> udp packets are not blocked in general.
> > >
> > > - Why is the knot only resolved after removing the module ip_conntrack?
> > >
> > > - to reproduce this problem is sufficient:
> > >   # modprobe ip_conntrack
> > >
> >
> > - Workaround: remove ip_conntrack from kernel:
> >
> > # cd xen-3.0-testing/linux-2.6.16-xen0
> > # find . -name ip_conntrack.ko -exec rm -f {} \; -print
> > # find /lib/modules/`uname -r` -name ip_conntrack.ko -exec rm -f {} \; -print
> >
> > l0# diff .config.old .config
> > ...
> > < CONFIG_IP_NF_CONNTRACK=m
> > > # CONFIG_IP_NF_CONNTRACK is not set
> >
> > l0:# make modules modules_install
> >
> > l0:# /etc/init.d/netfilter start
> > Applying iptables firewall rules:
> > iptables: No chain/target/match by that name
> > iptables: No chain/target/match by that name
> > iptables: No chain/target/match by that name
> >   - "No chain...": rules which need ip_conntrack
> >
> > - the following rule set was tested:
> >
> >   $IPTABLES -i $EXTIF -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
> >    # -> iptables: No chain/target/match by that name
> >    #    "--state" requires ip_conntrack
> >
> >   $IPTABLES -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j domU
> >   $IPTABLES -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j domU
> >   $IPTABLES -A domU -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "IN testdomU: "
> >    # -> iptables: No chain/target/match by that name
> >    #    "-m physdev" requires ip_conntrack (??)
>
> Did you create the chain named domU with "iptables -N domU"? The
Yes. I did it.

> iptables state module won't work without the conntrack module. Please,
> don't disable ip_conntrack and don't just copy and paste the rules I
> sent. Adapt them to your needs. In my box there's no peth0, but eth0.
> This is because the way networking scripts configure Xen networking
> depending on the Xen package one installs.

But if I load the module "ip_conntrack" only (without setting an iptables rule),
the network (udp) is broken!
<ot>Loading a module into the kernel should never cause trouble.</ot>


regards Torsten
Launoc
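The rule set quoted in this thread fails for two separate reasons the reply points at: the "domU" chain is referenced before it exists, and "-m state" depends on ip_conntrack. The following dry-run script is an added example, not code from the thread; EXTIF, LOG_LEVEL and DRY_RUN are assumed names, and the bridge port (eth0 or peth0) must be adapted to the local Xen networking setup.

```shell
#!/bin/sh
# Added example: builds the rule set from the thread in a fixed order and
# can print the commands instead of running them (DRY_RUN=1, the default),
# so the ordering can be checked before touching a live firewall.
IPTABLES="${IPTABLES:-iptables}"
EXTIF="${EXTIF:-eth0}"                 # assumed: bridge port, may be peth0
LOG_LEVEL="${LOG_LEVEL:---log-level info}"
DRY_RUN="${DRY_RUN:-1}"

# Run an iptables command, or print it when dry-running.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Returns 0 when ip_conntrack is present (loaded module or built in);
# "-m state" cannot be used without it.
conntrack_available() {
    [ -r /proc/net/ip_conntrack ] && return 0
    grep -q '^ip_conntrack ' /proc/modules 2>/dev/null
}

# Emit the rules. The user chain is created first, because jumping to a
# chain that does not exist yields "No chain/target/match by that name".
build_rules() {
    ipt -N domU
    ipt -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Bridged domU traffic is matched on the bridge port with physdev.
    ipt -A FORWARD -m physdev --physdev-in "$EXTIF" --physdev-out '!' "$EXTIF" -j domU
    ipt -A FORWARD -m physdev --physdev-out "$EXTIF" --physdev-in '!' "$EXTIF" -j domU
    # $LOG_LEVEL is intentionally unquoted so "--log-level info" splits.
    ipt -A domU -p tcp -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "IN testdomU: "
}

# Before a real run, refuse to apply state rules without conntrack.
apply_rules() {
    if [ "$DRY_RUN" != "1" ] && ! conntrack_available; then
        echo "ip_conntrack not loaded; -m state rules would fail" >&2
        return 1
    fi
    build_rules
}
```

Run with DRY_RUN=0 as root to apply the rules; the default only prints them.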

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users