RE: [Xen-devel] [PATCH] Network Checksum Removal
Hello,

It seems this patch breaks something in netfilter. My setup is a classical bridge (no veth0/vif0.0) plus some stateful firewalling on Dom0.

With tx offload off and firewall on, pings from Dom0 to DomU work, ssh from Dom0 to DomU works.
With tx offload on and firewall off, idem.
With tx offload on and firewall on, ping goes well but ssh does not.

Here are the iptables rules:

    iptables -P INPUT DROP
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A INPUT -i xen-br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -P OUTPUT ACCEPT

Here is a capture of vif1.0:

    IP DOM0.2486 > DOM1.22: S
    IP DOM1.22 > DOM0.2486: S
    IP DOM0.2486 > DOM1.22: . ack 1
    IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
    IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
    IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
    IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
    IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
    IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
    IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
    ...

The response from the original SYN goes through the third rule, but the ACKs don't. I added a rule to log packets with invalid state and the ACKs got logged.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel