Re: [Xen-devel] Networking issue with "conntracking" after upgra

To:	Keir Fraser <keir@xxxxxxx>
Subject:	Re: [Xen-devel] Networking issue with "conntracking" after upgrade Xen 3.2 > 4.0
From:	Olivier Hanesse <olivier.hanesse@xxxxxxxxx>
Date:	Fri, 17 Dec 2010 17:30:58 +0100
Cc:	xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date:	Fri, 17 Dec 2010 08:32:10 -0800
Dkim-signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=57jlfFG6+hK11znx9hQR8wDpZiayjXJx9b6ZDWOEoSI=; b=qMT1UEq9FQMFhrTpBBBEGaxLxum7DqQUWP5nXtTUV7WGA3h78/xxz/WGCL523zEkoX rKEWk1SDxWqcaWuAGAHBlkgG2OoF/1QB0GZ604Iht6Rs9hnz/NAKaB4TmaQjcfpBYtnD 0Xc3ipCzlgzzZbdi65lSIFIE3Xn2yg3KRUTHk=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=TxpVoTjEDxYIJ/GTO3o1K/Mh088eGmzwAKuoMbXddvcsLY9ygbxVik0tAdDGfZki+G 4/zuqrnF/6vZ4EEcW4WsvLWs0ZK0XeVtuufm7937S6UWCAlvVtf2RwctvDHo8J4ccWLU kMonBWI5prOKe+5L+Y1KklTIkZR3gOXVYjEGM=
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<C9313CEA.D2F6%keir@xxxxxxx>
List-help:	<mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id:	Xen developer discussion <xen-devel.lists.xensource.com>
List-post:	<mailto:xen-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References:	<AANLkTimdyw=9ZGGBYPUCMNC2QeW4Oc3rA0n7Wx+93mkc@xxxxxxxxxxxxxx> <C9313CEA.D2F6%keir@xxxxxxx>
Sender:	xen-devel-bounces@xxxxxxxxxxxxxxxxxxx

Thanks Keir.

Fajar : I think this option just disables iptables rules on bridged traffic (prerouting,forward and postrouting chain)
But as soon as the conntrack module is loaded, it starts to "track" network traffic. And this module is loaded as soon as you add 'stated' rules on iptables.

2010/12/17 Keir Fraser <keir@xxxxxxx>

iptables stuff has been there a while, even in Xen 3.2. The difference is a
new rule that requires conntrack to be loaded and used. I think the best
thing is to remove that requirement and be more permissive about what can be
sent to the domU. After all the domU can run its own firewall if it cares.

I have fixed this as xen-unstable:22573 and xen-4.0-testing:21415.

Thanks,
Keir

On 17/12/2010 15:48, "Olivier Hanesse" <olivier.hanesse@xxxxxxxxx> wrote:

> Hi,
>
> I recently upgraded a debian xen 3.2 system to xen 4.
> Then I started to see some strange kernel logs : "nf_conntrack: table full,
> dropping packet."
>
> I was pretty sure not to have enable conntracking in my dom0.
> I find out that it was the revision "19540" of the "vif-common.sh" script that
> load the nf_conntrack module.
>
> So now my dom0 logs every connection my domU are doing. With a few domUs, I am
> reaching the limit of conntrack table very quickly.
> On debian the default "net.netfilter.nf_conntrack_max" is set to "16400".
> I set it to "65536" to temporary resolve my network issue but that's not the
> point.
>
> Is it possible to add an option in the xend-config.sxp configuration files,
> something like (handle_iptable yes/no), if we want to handle iptable or not ?
>
> Moreover, for example on on debian, FORWARD policy is set to ACCEPT by
> default. So adding theses rules are useless BUT they are loading some modules
> which can lead to a network issue :(
>
> Regards
>
> Olivier
>
>

> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

WARNING - OLD ARCHIVES

xen-devel

Re: [Xen-devel] Networking issue with "conntracking" after upgrade Xen 3