
Re: [Xen-users] dom0 can see connections from domU-s

  • To: "Fajar A. Nugraha" <fajar@xxxxxxxxx>
  • From: Thiago Camargo Martins Cordeiro <thiagocmartinsc@xxxxxxxxx>
  • Date: Tue, 25 Aug 2009 00:26:01 -0300
  • Cc: Xen User-List <xen-users@xxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 24 Aug 2009 20:26:50 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

2009/8/25 Fajar A. Nugraha <fajar@xxxxxxxxx>
On Tue, Aug 25, 2009 at 10:01 AM, Thiago Camargo Martins
Cordeiro<thiagocmartinsc@xxxxxxxxx> wrote:
>  I have this problem at my Linux border gateway, it cannot even have the
> NAT module loaded, even if with no NAT rules, the Kernel drops a lot of
> packages on a busy network, saying that the NAT conntrack table is full... I
> hate it!   :-P

Is it a dom0? Or is it simply a Linux router, in which case this is
not directly Xen-related?

It is a PV domU Linux router... on a dom0 with other router/firewall domUs...
But even with bare Linux, I see the same behavior...

>  Do the BSD systems suffer from this evil behavior too?
>  I never sent a mail to Linus before but, this can be a good time to do so.
>  I say this because I believe that Linux should not drop network packets
> only by loading some module.
>  ...or simply we do not know how to adjust it!

What's the value of /proc/sys/net/ipv4/ip_conntrack_max ?
It's 65536 by default on RHEL, and should be adjustable using something like
echo 655360 > /proc/sys/net/ipv4/ip_conntrack_max

If you're feeling brave, you can adjust some timeouts
(/proc/sys/net/ipv4/netfilter/ip_conntrack*timeout*) to have dead
connections dropped sooner, thus reducing overall connection count.

Sounds pretty easy!! I'll try it...
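The checks Fajar describes (the table limit, how full it currently is, and the established-TCP timeout that keeps dead connections around), as an added example that is not part of the thread. It assumes the legacy ip_conntrack sysctl names from the thread plus the nf_conntrack names of later kernels, and takes an optional directory argument in place of /proc/sys so it can be exercised offline:

```shell
#!/bin/sh
# Added example, not from the thread: report how full the conntrack table is,
# whichever /proc/sys names this kernel exposes, before the kernel starts
# logging "table full, dropping packet". The root defaults to /proc/sys; a
# test or a copied sysctl snapshot can pass another directory instead.

# Find the sysctl file for a conntrack setting ($1 = max, count,
# tcp_timeout_established, ...). Checks the legacy ip_conntrack names used in
# the thread first, then the nf_conntrack names of later kernels.
conntrack_file() {
    root=${2:-/proc/sys}
    for f in "$root/net/ipv4/ip_conntrack_$1" \
             "$root/net/ipv4/netfilter/ip_conntrack_$1" \
             "$root/net/netfilter/nf_conntrack_$1" \
             "$root/net/nf_conntrack_$1"; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# Integer percentage of the table in use (POSIX sh has no float arithmetic).
conntrack_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# Print usage, the established-TCP timeout, and a warning above 80% use.
conntrack_report() {
    root=${1:-/proc/sys}
    maxf=$(conntrack_file max "$root") || { echo "conntrack not loaded under $root"; return 0; }
    cntf=$(conntrack_file count "$root") || { echo "no conntrack count file under $root"; return 0; }
    max=$(cat "$maxf"); count=$(cat "$cntf")
    pct=$(conntrack_pct "$count" "$max")
    echo "conntrack: $count/$max entries ($pct% used)"
    if tof=$(conntrack_file tcp_timeout_established "$root"); then
        echo "tcp_timeout_established: $(cat "$tof")s"
    fi
    if [ "$pct" -ge 80 ]; then
        echo "WARN: near limit; raise $maxf or lower the established timeout"
    fi
}

# Stand-alone use: report on the running kernel. Raising the limit is then
#   echo 655360 > "$(conntrack_file max)"     (as root, as in the thread)
conntrack_report
```

Run it from cron or a monitoring check on the router domU; a WARN line well before the kernel logs "table full" is the point at which to raise the limit or shorten the timeouts.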
