
Re: [Xen-users] dom0 can see connections from domU-s


  • To: Deyan Chepishev <dchepishev@xxxxxxxxx>
  • From: Thiago Camargo Martins Cordeiro <thiagocmartinsc@xxxxxxxxx>
  • Date: Tue, 25 Aug 2009 00:01:31 -0300
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Mon, 24 Aug 2009 20:02:18 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Hi!

 Who knows who can fix this in Linux? Linus!?

 I did the weirdest solution for this annoying problem:


# flush the NAT rules first, otherwise the modules stay in use
iptables -t nat -F
# unload dependents before the modules they depend on
rmmod ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack
# to make sure (a second pass catches anything still in use on the first):
rmmod ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack


 I have this problem at my Linux border gateway: it cannot even have the NAT module loaded, because even with no NAT rules the kernel drops a lot of packets on a busy network, saying that the NAT conntrack table is full... I hate it!   :-P

 Do the BSD systems suffer from this evil behavior too?

 I have never sent a mail to Linus before, but this can be a good time to do so.

 I say this because I believe that Linux should not drop network packets simply because some module is loaded.

 ...or simply we do not know how to adjust it!

 I confess that today this is the only issue that I have with Linux.

Cheers!
Thiago

2009/8/24 Deyan Chepishev <dchepishev@xxxxxxxxx>
Hello,

I have a little problem.

I can see all the guest (domU) connections in dom0's /proc/net/ip_conntrack. As you can imagine the conntrack table starts to get filled when lots of connections are made on domU machines. Is there a way to stop this behavior?

My config is:
OS: Centos 5.3
XEN: xen-3.3.1-0 manually compiled from gitco's SRPMS
Kernel: 2.6.18-128.4.1.el5xen on both dom0 and domU

I have had exactly the same problem before, but it disappeared after I manually compiled kernel 2.6.18 with Xen patches. However, I need a more up-to-date kernel now and want to use the Xen kernel from CentOS.

I need help if someone knows how I can prevent this from happening.

Thank you

Regards,
Deian



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
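Added example, not from either poster: before unloading modules on a gateway, a dom0 operator usually wants to know whether conntrack is loaded at all and how close the table is to the "table full" condition Thiago describes. The script below is assumed code (not a Xen or CentOS tool): it reads the count/max sysctls from either the 2.6.18-era path (/proc/sys/net/ipv4/netfilter/ip_conntrack_*) or the newer /proc/sys/net/netfilter/nf_conntrack_* layout, and exits 0 when conntrack is not loaded, 1 when loaded but under a usage threshold, and 2 when at or above it. The optional root-directory argument exists only so the check can be exercised against a constructed fake /proc tree.

```shell
#!/bin/sh
# Added example (assumption: not the thread's or the project's code).
# Reports how full dom0's connection-tracking table is, so the
# "nf_conntrack: table full, dropping packet" condition can be seen
# coming instead of discovered from dropped guest traffic.

# Integer percentage of the table in use; a max of 0 is treated as 0%.
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo 0; return; }
    echo $(( count * 100 / max ))
}

# Find the count/max sysctl pair under root directory $1 (default: "/").
# Prints "count max" and returns 0, or returns 1 if conntrack is not loaded.
conntrack_read() {
    root=${1:-}
    for dir in "$root/proc/sys/net/netfilter" "$root/proc/sys/net/ipv4/netfilter"; do
        for prefix in nf_conntrack ip_conntrack; do
            if [ -r "$dir/${prefix}_count" ] && [ -r "$dir/${prefix}_max" ]; then
                printf '%s %s\n' "$(cat "$dir/${prefix}_count")" "$(cat "$dir/${prefix}_max")"
                return 0
            fi
        done
    done
    return 1
}

# Exit status: 0 = conntrack not loaded (dom0 is not tracking guest flows),
# 1 = loaded and below threshold $2 (percent, default 80), 2 = at/above it.
conntrack_check() {
    root=${1:-}
    threshold=${2:-80}
    if ! vals=$(conntrack_read "$root"); then
        echo "conntrack: not loaded (no count/max sysctl found)"
        return 0
    fi
    set -- $vals
    pct=$(conntrack_usage_pct "$1" "$2")
    echo "conntrack: $1 of $2 entries used ($pct%)"
    [ "$pct" -ge "$threshold" ] && return 2
    return 1
}

# Sample invocation against the live system, warning at 80% of the table.
rc=0; conntrack_check "" 80 || rc=$?
echo "status: $rc"
```

Run it from cron or a monitoring agent on dom0; a status of 2 is the moment to raise the max sysctl or decide that conntrack should not be loaded on that host, rather than waiting for the kernel to start dropping packets.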

