[Xen-bugs] [Bug 495] New: Port-forwarding in Dom0 causes corrupt TCP checksums in DomU
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=495

           Summary: Port-forwarding in Dom0 causes corrupt TCP checksums in DomU
           Product: Xen
           Version: 3.0.0
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Unspecified
        AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
        ReportedBy: klai@xxxxxx

I encountered a very odd problem which I eventually found a workaround for, but I wanted to make sure the developers are aware of it.

The basic idea is that I created a NAT-ed domU using the standard scripts and kernels from the 2.6.12.6-xen3_7.1_fc4 RPM. I can make outgoing connections from DomU and it is otherwise fine. I then forwarded an external port to the domU:

    iptables -t nat -A PREROUTING -p tcp --dst 15.4.89.26 --dport 11014 \
        -j DNAT --to 10.202.107.174:22

15.4.89.26 and 11014 are the external IP address and external port, respectively, and 10.202.107.174 and 22 are the internal IP address and port, respectively.

I then did

    > ssh -p 11014 15.4.89.26

from another machine. This hung. Upon closer inspection, I saw that DomU was sending some of its TCP packets with a corrupt TCP checksum (?!):

    [root@klai-tycoon ~]# tcpdump -i eth0 -nvvvvv
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    17:34:34.202033 IP (tos 0x10, ttl 63, id 1746, offset 0, flags [DF], proto 6, length: 60) 15.4.89.35.47694 > 10.202.107.174.ssh: S [tcp sum ok] 845312449:845312449(0) win 5840 <mss 1460,sackOK,timestamp 257914643 0,nop,wscale 2>
    17:34:34.225891 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 60) 10.202.107.174.ssh > 15.4.89.35.47694: S [tcp sum ok] 3227641594:3227641594(0) ack 845312450 win 5792 <mss 1460,sackOK,timestamp 4294947271 257914643,nop,wscale 2>
    17:34:34.202227 IP (tos 0x10, ttl 63, id 1748, offset 0, flags [DF], proto 6, length: 52) 15.4.89.35.47694 > 10.202.107.174.ssh: . [tcp sum ok] 1:1(0) ack 1 win 1460 <nop,nop,timestamp 257914643 4294947271>
    17:34:34.236769 IP (tos 0x0, ttl 64, id 22332, offset 0, flags [DF], proto 6, length: 72) 10.202.107.174.ssh > 15.4.89.35.47694: P [bad tcp cksum ded9 (->9f8f)!] 1:21(20) ack 1 win 1448 <nop,nop,timestamp 4294947275 257914643>
    17:34:34.446430 IP (tos 0x0, ttl 64, id 22334, offset 0, flags [DF], proto 6, length: 72) 10.202.107.174.ssh > 15.4.89.35.47694: P [bad tcp cksum ded9 (->9f7a)!] 1:21(20) ack 1 win 1448 <nop,nop,timestamp 4294947296 257914643>
    17:34:34.866394 IP (tos 0x0, ttl 64, id 22336, offset 0, flags [DF], proto 6, length: 72) 10.202.107.174.ssh > 15.4.89.35.47694: P [bad tcp cksum ded9 (->9f50)!] 1:21(20) ack 1 win 1448 <nop,nop,timestamp 4294947338 257914643>
    17:34:35.706410 IP (tos 0x0, ttl 64, id 22338, offset 0, flags [DF], proto 6, length: 72) 10.202.107.174.ssh > 15.4.89.35.47694: P [bad tcp cksum ded9 (->9efc)!] 1:21(20) ack 1 win 1448 <nop,nop,timestamp 4294947422 257914643>

This only happens for traffic forwarded through Dom0. I have no idea why this happens. After much debugging, I found that executing

    > iptables -t nat --list

on DomU fixes this problem. In particular, having the iptable_nat kernel module loaded in DomU causes the correct checksums to be used.

--
Configure bugmail: http://bugzilla.xensource.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

_______________________________________________
Xen-bugs mailing list
Xen-bugs@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-bugs
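A diagnostic for captures like the one in this report, added here as an example and not part of the original message: it tests whether each "bad" checksum field is exactly the folded, uninverted TCP pseudo-header sum, which is the value a sender leaves in the field when the final checksum was meant to be filled in at a later stage (checksum offload). It assumes a 20-byte IP header with no options; the first three records are copied from the report with their TCP options trimmed, and the last record is constructed as a contrast case.

```python
import ipaddress
import re

# Records from the report's tcpdump output, one packet per line, options trimmed.
REPORT = """\
17:34:34.225891 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 60) 10.202.107.174.ssh > 15.4.89.35.47694: S [tcp sum ok] 3227641594:3227641594(0) ack 845312450 win 5792
17:34:34.236769 IP (tos 0x0, ttl 64, id 22332, offset 0, flags [DF], proto 6, length: 72) 10.202.107.174.ssh > 15.4.89.35.47694: P [bad tcp cksum ded9 (->9f8f)!] 1:21(20) ack 1 win 1448
17:34:34.446430 IP (tos 0x0, ttl 64, id 22334, offset 0, flags [DF], proto 6, length: 72) 10.202.107.174.ssh > 15.4.89.35.47694: P [bad tcp cksum ded9 (->9f7a)!] 1:21(20) ack 1 win 1448
"""
# Constructed contrast record: same packet shape, arbitrary wrong checksum.
CONSTRUCTED = "00:00:00.000000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto 6, length: 72) 10.202.107.174.ssh > 15.4.89.35.47694: P [bad tcp cksum 1234 (->9f8f)!] 1:21(20) ack 1 win 1448\n"
CAPTURE = REPORT + CONSTRUCTED

IP_HEADER_LEN = 20  # assumption: no IP options, so TCP length = IP length - 20

RECORD = re.compile(
    r"proto 6, length: (?P<iplen>\d+)\) "
    r"(?P<src>\d+(?:\.\d+){3})\.\S+ > (?P<dst>\d+(?:\.\d+){3})\.\S+: \S+ "
    r"\[bad tcp cksum (?P<seen>[0-9a-f]+) \(->(?P<want>[0-9a-f]+)\)!\]"
)

def pseudo_header_sum(src, dst, tcp_len):
    """Folded 16-bit ones'-complement sum of the TCP pseudo-header, not inverted."""
    total = 6 + tcp_len  # protocol number 6 (TCP) plus TCP segment length
    for addr in (src, dst):
        packed = ipaddress.IPv4Address(addr).packed
        total += int.from_bytes(packed[:2], "big") + int.from_bytes(packed[2:], "big")
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def classify(capture):
    """Return (seen, want, verdict) for every bad-checksum record in the text."""
    results = []
    for m in RECORD.finditer(capture):
        tcp_len = int(m["iplen"]) - IP_HEADER_LEN
        partial = int(m["seen"], 16) == pseudo_header_sum(m["src"], m["dst"], tcp_len)
        verdict = "pseudo-header sum only" if partial else "other corruption"
        results.append((m["seen"], m["want"], verdict))
    return results

if __name__ == "__main__":
    for seen, want, verdict in classify(CAPTURE):
        print(f"field={seen} expected={want} -> {verdict}")
```

Records reported as `tcp sum ok` are skipped, so only the packets tcpdump flagged are classified.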