[Xen-users] Bridge does not deliver all packets

[Alexander Feder <e0126212@xxxxxxxxxxxxxxxxxx>]

Hi!

I was forced to upgrade from a perfectly working system (debian sid,  
kernel 2.6.16-1 with xen 3.0.2) to 2.6.18 with xen 3.0.3 due to some  
obscure reasons.
Well, after everything was set up I realized that my domUs can no  
longer communicate as before.
After downgrading to 2.6.16 with 3.0.2 again, the problem remains, so  
I am left wondering.
The domUs remained absolutely unchanged, just the cfgs were changed  
in such a way to match with dom0's kernel
My Setup:

dom0    = 84.xx.xxx.17
guest1  = 84.xx.xxx.231
guest2  = 84.xx.xxx.232

my hoster's gateway = 84.xx.xxx.1
my homemachine = 85.124.x.xxx

dom0 cannot ping guest1 or guest2
	the ICMP packets from dom0 reach guest1 and are answered, but the  
replies do not reach dom0 (see below)
guest1 can ping guest2
guest1 and guest2 cannot ping the gateway
	the packets ICMP-Packets do reach the gateway though, and the  
answers are visible when doing a tcpdump on xenbr0, but they do not  
reach the guests.
dom0 can ping the gateway
guest1 and guest2 receive traffic but cannot answer (e.g. when I try  
to ssh from my home machine)
Now the obscurities:
guest2 has apache running, a telnet from dom0 to guest on port 80  
delivers a page!
a telnet from my home machine to guest2 on port 80 does not deliver a  
page, but I can see it happening on guest2 with tcpdump
dom0 runs bind, guest1 and guest2 can resolve names with this!


Thank you very very much in advance for any hints, I've spent the  
entire day yesterday to find a solution without any success...
Alexander



dom0:~# cat /etc/xen/xend-config.sxp | grep -v "#" | grep [a-z]
(xend-relocation-server yes)
(xend-relocation-hosts-allow '^localhost$')
(network-script network-bridge)
(vif-script vif-bridge)
(dom0-min-mem 196)
(dom0-cpus 0)


dom0:/etc/xen# brctl show
bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.feffffffffff       no              vif0.0
                                                        peth0
                                                        vif7.0
                                                        vif10.0

dom0:/etc/xen# iptables -L -vv -n
[..snip..]
Chain FORWARD (policy DROP 353 packets, 22270 bytes)
pkts bytes target     prot opt in     out     source                
destination
217K   24M ACCEPT     0    --  xenbr0 xenbr0  0.0.0.0/0             
0.0.0.0/0
    0     0 ACCEPT     0    --  *      *       84.xx.xxx.231         
0.0.0.0/0           PHYSDEV match --physdev-in vif7.0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0             
0.0.0.0/0           PHYSDEV match --physdev-in vif7.0 udp spt:68 dpt:67
    0     0 ACCEPT     0    --  *      *       84.xx.xxx.232         
0.0.0.0/0           PHYSDEV match --physdev-in vif10.0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0             
0.0.0.0/0           PHYSDEV match --physdev-in vif10.0 udp spt:68 dpt:67
[..snip..]

guest1:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref     
Use Iface
84.xx.xxx.0     0.0.0.0         255.255.255.0   U     0      0         
0 eth0
0.0.0.0         84.xx.xxx.1     0.0.0.0         UG    0      0         
0 eth0
guest1:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


guest1:~# ping -c 10 84.xx.xxx.1 &
PING 84.xx.xxx.1 (84.xx.xxx.1) 56(84) bytes of data.

--- 84.xx.xxx.1 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9013ms

(meanwhile)

dom0:/etc/xen# tcpdump -vv -n -i xenbr0 | grep -i 84.xx.xxx.231
12:54:54.336514 arp who-has 84.xx.xxx.1 tell 84.xx.xxx.231
12:54:54.337108 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],  
proto: ICMP (1), length: 84) 84.xx.xxx.231 > 84.xx.xxx.1: ICMP echo  
request, id 28421, seq 1, length 64
12:54:54.338329 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF],  
proto: ICMP (1), length: 84) 84.xx.xxx.1 > 84.xx.xxx.231: ICMP echo  
reply, id 28421, seq 1, length 64
12:54:54.338384 IP (tos 0xc0, ttl  64, id 61484, offset 0, flags  
[none], proto: ICMP (1), length: 112) 84.xx.xxx.17 > 84.xx.xxx.1:  
ICMP redirect 84.xx.xxx.231 to host 84.xx.xxx.231, length 92
        IP (tos 0x0, ttl 254, id 0, offset 0, flags [DF], proto:  
ICMP (1), length: 84) 84.xx.xxx.1 > 84.xx.xxx.231: ICMP echo reply,  
id 28421, seq 1, length 64
12:54:55.343801 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],  
proto: ICMP (1), length: 84) 84.xx.xxx.231 > 84.xx.xxx.1: ICMP echo  
request, id 28421, seq 2, length 64
12:54:55.344968 IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF],  
proto: ICMP (1), length: 84) 84.xx.xxx.1 > 84.xx.xxx.231: ICMP echo  
reply, id 28421, seq 2, length 64
12:54:55.344994 IP (tos 0xc0, ttl  64, id 61485, offset 0, flags  
[none], proto: ICMP (1), length: 112) 84.xx.xxx.17 > 84.xx.xxx.1:  
ICMP redirect 84.xx.xxx.231 to host 84.xx.xxx.231, length 92
guest1:~# tcpdump -vv -n -c 1000 | grep -i 84.xx.xxx.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size  
96 bytes
11:54:55.477085 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],  
proto: ICMP (1), length: 84) 84.xx.xxx.231 > 84.xx.xxx.1: ICMP echo  
request, id 28421, seq 2, length 64
11:54:56.476941 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],  
proto: ICMP (1), length: 84) 84.xx.xxx.231 > 84.xx.xxx.1: ICMP echo  
request, id 28421, seq 3, length 64
11:54:57.476786 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],  
proto: ICMP (1), length: 84) 84.xx.xxx.231 > 84.xx.xxx.1: ICMP echo  
request, id 28421, seq 4, length 64
dom0:~# ping -c 3 84.xx.xxx.231
PING 84.xx.xxx.231 (84.xx.xxx.231) 56(84) bytes of data.

--- 84.xx.xxx.231 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2007ms


guest1:~# tcpdump -vv -n -c 1000 | grep -i 84.xx.xxx.17
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size  
96 bytes
11:58:56.822276 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],  
proto: ICMP (1), length: 84) 84.xx.xxx.17 > 84.xx.xxx.231: ICMP echo  
request, id 47386, seq 9, length 64
11:58:56.822292 IP (tos 0x0, ttl  64, id 41958, offset 0, flags  
[none], proto: ICMP (1), length: 84) 84.xx.xxx.231 > 84.xx.xxx.17:  
ICMP echo reply, id 47386, seq 9, length 64
11:58:57.822119 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],  
proto: ICMP (1), length: 84) 84.xx.xxx.17 > 84.xx.xxx.231: ICMP echo  
request, id 47386, seq 10, length 64
11:58:57.822135 IP (tos 0x0, ttl  64, id 41959, offset 0, flags  
[none], proto: ICMP (1), length: 84) 84.xx.xxx.231 > 84.xx.xxx.17:  
ICMP echo reply, id 47386, seq 10, length 64
guest2:~# ping -c 3 84.xx.xxx.231
PING 84.xx.xxx.231 (84.xx.xxx.231) 56(84) bytes of data.
64 bytes from 84.xx.xxx.231: icmp_seq=1 ttl=64 time=1.29 ms
64 bytes from 84.xx.xxx.231: icmp_seq=2 ttl=64 time=0.140 ms
64 bytes from 84.xx.xxx.231: icmp_seq=3 ttl=64 time=0.130 ms

--- 84.xx.xxx.231 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.130/0.521/1.294/0.546 ms


homemachine:~# ssh 84.xx.xxx.232 -p 12345

guest2:~# tcpdump -vv -n -c 1000 | grep -i 12345
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size  
96 bytes
13:13:44.677233 IP (tos 0x0, ttl  56, id 14722, offset 0, flags [DF],  
proto: TCP (6), length: 64) 85.124.x.xxx.49841 > 84.xx.xxxx. 
232.12345: S, cksum 0x3502 (correct), 4035834129:4035834129(0) win  
65535 <mss 1440,nop,wscale 0,nop,nop,timestamp 1539971965 0,sackOK,eol>



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users