xen-users
Re: [Xen-users] netfilter, conntrack, ip_nat_ftp problem
Hi Vladislav,
this all sounds familiar to me. Both problems seem to be related to the
TCP/UDP Checksum problem. If you would look with wireshark into your packets
you would see a lot of wrong checksums. And this explains both: Because of
this the FTP nat helper doesn't rewrite the re-transmitted packets anymore
and also confuses the rest of the connection tracking.
Solution is quite simple. Switch of tx checksumming of your nic(s). E.g.
"ethtool -K eth0 tx off"
You have to find out which of your nics need it. In my setup I had to switch
it off in dom0 and domU on all physical nics.
HTH,
Alex
On Montag 28 Mai 2007, Vladislav Kurz wrote:
> Hello all,
>
> I have a problem with netfilter and connection tracking on Xen.
>
> My config is:
> xen-3.0.3
> linux-2.6.18
> Debian Etch AMD64
> 2x Xeon with Hyper-Threading enabled
>
> Network configuration in dom0 is like this:
>
> eth0, eth0:1, eth0:2,... (public IPs)
> xenbr0 (private IPs)=vif1.x, vif2.x, vif3.x,...
> I am not using netloop (vif0.x and veth0).
>
> I DNAT selected IPs/ports from public interface to different domU hosts
> (one is webserver, other is mailserver, jabber server, FTP server, etc).
> Connections from domU to internet a SNATed to one of public IPs.
>
> One problem is that ip_nat_ftp does not work. When someone connects with
> passive FTP, and tries to open data connection, it connects to private
> address. It seems like ip_nat_ftp is not working at all. (Active ftp is
> OK).
>
> I have used Xen 2.0.4 with kernel 2.6.10 (i386) and ip_nat_ftp worked fine.
>
>
> Another problem I noticed is that connection tracking marks a lot of
> packets as INVALID. (iptables -A INPUT -m state --state INVALID -j DROP)
> These packets are often part of ESTABLISHED connections to servers in domU,
> and somehow they are not DNATed and intead of getting into FORWARD chain,
> they end up in INPUT. So instead of routing them to proper domU, they hit
> dom0.
>
> I looks like the same problem I had on xen 2.0.4 with kernel 2.6.10 which
> involved tcp window tracking and I got rid of it by setting sysctl
> variables: net/ipv4/netfilter/ip_conntrack_tcp_be_liberal=1
> net/ipv4/netfilter/ip_conntrack_log_invalid=1
>
> But in xen 3.0.3 with kernel 2.6.18 it does nothing. No logging, and still
> a lot of INVALID packets.
>
> I spent whole day googling, and found only some loosely related problems
> and no solution proposed for others worked for me. Does anyone know what
> can be wrong with netfilter / conntrack?
>
> Moreover I found some vague note about possible deadlock if I use bridging
> without netloop. Can someone shed more light on this?
>
> Thanks for all help
> Regards
> Vladislav Kurz
>
> P.S. Thanks to xen developers for the good work.
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
--
========================================
::: NEUE ANSCHRIFT AB 01. JUNI 2007 :::
::: Güterstr. 20 | D-42117 Wuppertal :::
========================================
--
Mit freundlichen Grüssen
Alexander Wilms
\\\______________________________________________________
...prosem
...Dipl.-Ing. Christian Boss
...Vohwinkeler Str.101 ...D-42329 Wuppertal
...fon: +49.202.737939_77 ...fax: +49.202.737939_80
...mailto:a.wilms@xxxxxxxxxx ...http://www.prosem.net
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|
|
|