WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] Networking issue with "conntracking" after upgrade Xen 3.2 > 4.0
From: Olivier Hanesse <olivier.hanesse@xxxxxxxxx>
Date: Fri, 17 Dec 2010 16:48:44 +0100
Delivery-date: Fri, 17 Dec 2010 07:49:43 -0800
Hi,

I recently upgraded a debian xen 3.2 system to xen 4.
Then I started to see some strange kernel logs: "nf_conntrack: table full, dropping packet."

I was pretty sure I had not enabled conntracking in my dom0.
I found out that it was revision "19540" of the "vif-common.sh" script that loads the nf_conntrack module.

So now my dom0 logs every connection my domUs are making. With a few domUs, I am reaching the conntrack table limit very quickly.
On Debian the default "net.netfilter.nf_conntrack_max" is set to "16400".
I set it to "65536" to temporarily resolve my network issue, but that's not the point.

Is it possible to add an option to the xend-config.sxp configuration file, something like (handle_iptable yes/no), to choose whether to handle iptables or not?

Moreover, for example on Debian, the FORWARD policy is set to ACCEPT by default. So adding these rules is useless, BUT they load some modules which can lead to a network issue :(

Regards

Olivier
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
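The failure mode described in the post is worth being able to spot before packets get dropped: once dom0 tracks guest flows, the nf_conntrack table is shared by every domU, so one busy guest can push it to the limit and the kernel starts dropping packets for all of them. The script below is an added example, not code from the post or from Xen's vif-common.sh. It reads the standard Linux counters under /proc/sys/net/netfilter when the module is loaded, reports how full the table is, and counts "table full" drops in a log file. The 80% warning threshold, the 16000/16400 sample values and the sample log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from Xen's vif-common.sh.
# Checks how close dom0's shared nf_conntrack table is to the limit and counts
# "table full" drops in a kernel log. The /proc paths are the standard Linux
# ones; the 80% threshold and the sample log lines are constructed.

# conntrack_usage COUNT MAX: prints the integer percent of the table in use.
conntrack_usage() {
    [ "$2" -gt 0 ] || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# conntrack_status COUNT MAX THRESHOLD: prints "warn" at or above THRESHOLD%, else "ok".
conntrack_status() {
    pct=$(conntrack_usage "$1" "$2")
    if [ "$pct" -ge "$3" ]; then echo warn; else echo ok; fi
}

# count_table_full LOGFILE: number of "nf_conntrack: table full" drop messages.
# grep -c exits 1 when the count is 0, so mask that for callers running under set -e.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' "$1" || true
}

# live_check: read the real counters if nf_conntrack is loaded (Linux only).
live_check() {
    p=/proc/sys/net/netfilter
    if [ -r "$p/nf_conntrack_count" ] && [ -r "$p/nf_conntrack_max" ]; then
        count=$(cat "$p/nf_conntrack_count")
        max=$(cat "$p/nf_conntrack_max")
        echo "nf_conntrack loaded: $count/$max entries ($(conntrack_usage "$count" "$max")%), $(conntrack_status "$count" "$max" 80)"
    else
        echo "nf_conntrack not loaded: no $p/nf_conntrack_count"
    fi
}

# Demo on constructed input: the Debian default of 16400 from the post, nearly full.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
[12345.678] nf_conntrack: table full, dropping packet.
[12345.912] nf_conntrack: table full, dropping packet.
[12346.001] eth0: link up
EOF
echo "sample: $(conntrack_usage 16000 16400)% used, $(conntrack_status 16000 16400 80), drops logged: $(count_table_full "$sample_log")"
rm -f "$sample_log"
live_check
```

If the live check shows the module loaded on a dom0 where you never configured netfilter, the usual cause is exactly what the post describes: an iptables rule that uses the state or conntrack match pulls nf_conntrack in as a dependency. Raising the limit with `sysctl -w net.netfilter.nf_conntrack_max=65536` (and persisting it in /etc/sysctl.conf) buys headroom, but it does not grow the hash table; the bucket count lives in /sys/module/nf_conntrack/parameters/hashsize, and leaving it at the default while multiplying nf_conntrack_max lengthens the chains the kernel walks per packet.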