xen-users
Re: [Xen-users] dom0 can see connections from domU-s
 
2009/8/25 Fajar A. Nugraha <fajar@xxxxxxxxx>
 
On Tue, Aug 25, 2009 at 10:01 AM, Thiago Camargo Martins Cordeiro <thiagocmartinsc@xxxxxxxxx> wrote:
>  I have this problem at my Linux border gateway, it can not even have the 
> NAT module loaded, even if with no NAT rules, the Kernel drops a lot of 
> packages on a busy network, saying that the NAT conntrack table is full... I 
> hate it!   :-P
  Is it a dom0? Or is it simply a Linux router, in which case this is 
not directly Xen-related? 
  It is a PV domU Linux router... on a dom0 with other router/firewall domUs... But even with bare Linux, I see the same behavior...
 
 
> 
>  The BSDs systems suffer from this evil behavior too? 
> 
>  I never sent a mail to Linus before but, this can be a good time to do so. 
> 
>  I say this because I believe that Linux should not drop network packets 
> only by loading some module. 
> 
>  ...or simply we do not know how to adjust it! 
 
 What's the value of /proc/sys/net/ipv4/ip_conntrack_max ? 
It's 65536 by default on RHEL, and should be adjustable using something like 
echo 655360 > /proc/sys/net/ipv4/ip_conntrack_max 
 
If you're feeling brave, you can adjust some timeouts 
(/proc/sys/net/ipv4/netfilter/ip_conntrack*timeout*) to have dead 
connections dropped sooner, thus reducing overall connection count. 
  Sounds pretty easy!! I'll try it...
  
-- 
Fajar
  -  Thiago 
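Before raising ip_conntrack_max as Fajar suggests, it helps to know how full the table actually is and what the established-connection timeout is set to. The script below is an added example, not part of the thread: it reads the legacy /proc paths named in the mail and falls back to the newer nf_conntrack names, prints the utilization, and classifies it with warn/full thresholds (80% and 95%) that are our own choice. If conntrack is not loaded on the host it reports that instead of failing.

```shell
#!/bin/sh
# Added example (not from the thread): report conntrack table usage and the
# established-TCP timeout so a sysadmin can decide whether to raise the max
# (echo N > ip_conntrack_max) or shorten timeouts, as discussed above.

# Percentage of the table in use, integer arithmetic only; 0 if max is unset.
conntrack_util_pct() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] || { echo 0; return 0; }
    echo $(( count * 100 / max ))
}

# Print the first readable file among the candidates, or an empty string.
first_readable() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    echo ""
    return 0
}

# Severity label: "ok" below 80%, "warn" from 80%, "full" from 95%.
# Thresholds are this example's assumption, not values from the mail.
conntrack_level() {
    pct=$1
    if [ "$pct" -ge 95 ]; then echo full
    elif [ "$pct" -ge 80 ]; then echo warn
    else echo ok
    fi
}

# Current count versus max; modern nf_conntrack paths first, then the
# 2.6-era ip_conntrack paths from the thread.
conntrack_status() {
    maxf=$(first_readable /proc/sys/net/netfilter/nf_conntrack_max \
                          /proc/sys/net/ipv4/ip_conntrack_max)
    countf=$(first_readable /proc/sys/net/netfilter/nf_conntrack_count \
                            /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
    if [ -z "$maxf" ] || [ -z "$countf" ]; then
        echo "conntrack not loaded (no count/max files under /proc)"
        return 0
    fi
    max=$(cat "$maxf")
    count=$(cat "$countf")
    pct=$(conntrack_util_pct "$count" "$max")
    echo "conntrack: $count / $max entries ($pct%, $(conntrack_level "$pct"))"
    # When the table overflows the kernel logs
    # "nf_conntrack: table full, dropping packet" (or the ip_conntrack
    # variant on older kernels); that line in dmesg is the symptom Thiago saw.
}

# Established TCP entries hold slots the longest; this is the timeout most
# worth looking at before touching the others.
show_established_timeout() {
    f=$(first_readable /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established \
                       /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established)
    if [ -n "$f" ]; then
        echo "tcp_timeout_established: $(cat "$f") s ($f)"
    fi
}

conntrack_status
show_established_timeout
```

Run it as root on the router domU (or on dom0 if conntrack is loaded there). A value written with echo is lost at reboot; on a current kernel the persistent form is the matching net.netfilter.nf_conntrack_* sysctl in /etc/sysctl.conf, which this example does not set.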
 
  
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users 