re: [Xen-users] xen, fc4, bridging, iptables and conntrack problem

[Paul Jakma <paul@xxxxxxxxx>]

Hi,

On Sat, 25 Jun 2005, Jon Howse wrote:

> Hi Paul,
> I have Fedora Core 4 and I am having exactly the same problem as 
> you.
Aha, so it's not just me. Time to raise a bug with fedora.

> I will provide some detail below. Out of two installs this happened 
> both times. You are right, this is a conntrack failure
Seems to be.

> but I don't know if it's on the iptables or xen side, although 
> everything works fine until xend starts-creates the bridge and 
> bingo! conntrack stops working.
Yep.

> Bit of a showstopper really.
Definitely.

> machine and i can't then log in via ssh. It seems that the 
> conntrack system is failing to match already accepted connections.
See above. For me, all dom0 initiated connections fail to appear in 
conntrack state (but strangely the remote replies still get seen by 
tcpdump on xen-br0). domU's work fine though, as FORWARD is 
unrestricted.
> The initial packet seems to get accepted by the INPUT rule, then 
> the reply packet slips past the ESTABLISHED,RELATED rule and gets 
> logged then dropped by the default policy.
Ah.

> This happens whether i start a guest os up or not. This was 
> reproduced on another machine at work with a Fedora Core 4 install.
> There's nothing obvious, all the iptables modules are loaded and 
> work fine until the bridge goes up. No error messages associated 
> with the bridge creation either. Will try to dig further.
I created a bug for Fedora. See 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161792 and 
please add your comments to it.
regards,
--
Paul Jakma      paul@xxxxxxxx   paul@xxxxxxxxx  Key ID: 64A2FF6A
Fortune:
Ask not what's inside your head, but what your head's inside of.
                -- J.J. Gibson

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users