[Xen-users] xen, fc4, bridging, iptables and conntrack problem

Hi,

I'm testing out Xen on FC4. I'm using bridging for networking, as well as iptables to firewall, configured with the standard Fedora 'system-config-security-level' tool. However I have a really strange problem with conntrack not seeming to catch outbound connections. This prevents outbound connections working from dom0. Connections from domU's however /do/ work. The problem appears to boil down to the following:

    Chain INPUT (policy ACCEPT 210K packets, 18M bytes)
     pkts bytes target               prot opt in      out     source               destination
     111K 8778K RH-Firewall-1-INPUT  all  --  xen-br+ any     anywhere             anywhere
        0     0 RH-Firewall-1-INPUT  all  --  vif+    any     anywhere             anywhere
        1    73 RH-Firewall-1-INPUT  all  --  eth0    any     anywhere             anywhere

    Chain FORWARD (policy ACCEPT 2812K packets, 311M bytes)
     pkts bytes target               prot opt in      out     source               destination
    <empty>

    Chain RH-Firewall-1-INPUT (3 references)
     pkts bytes target               prot opt in      out     source               destination
       33  2485 ACCEPT               all  --  lo      any     anywhere             anywhere
      253 16338 ACCEPT               icmp --  any     any     anywhere             anywhere            icmp any
        0     0 ACCEPT               ipv6-crypt--  any  any   anywhere             anywhere
        0     0 ACCEPT               ipv6-auth--   any  any   anywhere             anywhere
    68483 6004K ACCEPT               all  --  any     any     anywhere             anywhere            state RELATED,ESTABLISHED
    <snip remaining standard RH-Firewall rules to allow in certain ports>

The FORWARD chain is empty and policy ACCEPT, which maybe explains why domU's work. The INPUT side of stuff though seems to not work because the RELATED,ESTABLISHED conntrack rule doesn't match. And this would appear to be because the original /outgoing/ packets are never caught by connection tracking and entered into its state.

If I tcpdump xen-br0, I can see packets leave, and I can even see the remote SYN|ACK come in, which is very strange (and not in line with my only hypothesis so far, a conntrack problem):

    # tcpdump -i xen-br0 port 25
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on xen-br0, link-type EN10MB (Ethernet), capture size 96 bytes
    18:48:54.138909 IP domain0.38261 > remote.smtp: S 710403207:710403207(0) win 5840 <mss 1460,sackOK,timestamp 181127121 0,nop,wscale 2>
    18:48:54.271062 IP remote.smtp > domain0.38261: S 746149051:746149051(0) ack 710403208 win 5792 <mss 1460,sackOK,timestamp 1332954470 181127121,nop,wscale 0>
    18:48:57.138797 IP domain0.38261 > remote.smtp: S 710403207:710403207(0) win 5840 <mss 1460,sackOK,timestamp 181127421 0,nop,wscale 2>
    18:48:57.270302 IP remote.smtp > domain0.38261: S 749148214:749148214(0) ack 710403208 win 5792 <mss 1460,sackOK,timestamp 1332954770 181127421,nop,wscale 0>

Has anyone seen this problem before? Is it specific to bridging (but it affects local packets though), to Xen somehow, to FC4?

regards,
-- 
Paul Jakma paul@xxxxxxxx paul@xxxxxxxxx Key ID: 64A2FF6A
Fortune: That's always the way when you discover something new; everyone thinks you're crazy. -- Evelyn E. Smith

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
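The capture above shows the tell-tale pattern of a reply that reaches the interface but never reaches the socket: the remote SYN|ACK is visible on xen-br0, yet dom0 retransmits its SYN three seconds later instead of completing the handshake. The following script, added here as an illustration and not part of the original post or of Xen, parses tcpdump lines in the format shown and flags flows where a SYN was retransmitted after a SYN|ACK had already been seen. Such a flow is consistent with the SYN|ACK being dropped locally, for example by an INPUT chain that only accepts RELATED,ESTABLISHED traffic when conntrack has recorded the outbound SYN. The first four sample lines are copied from the post; the three on port 38262 are constructed to show what a completed handshake looks like by contrast.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample capture: lines 1-4 are from the post, lines 5-7 are constructed
# to show a healthy three-way handshake on a different source port.
SAMPLE_CAPTURE = """\
18:48:54.138909 IP domain0.38261 > remote.smtp: S 710403207:710403207(0) win 5840 <mss 1460,sackOK,timestamp 181127121 0,nop,wscale 2>
18:48:54.271062 IP remote.smtp > domain0.38261: S 746149051:746149051(0) ack 710403208 win 5792 <mss 1460,sackOK,timestamp 1332954470 181127121,nop,wscale 0>
18:48:57.138797 IP domain0.38261 > remote.smtp: S 710403207:710403207(0) win 5840 <mss 1460,sackOK,timestamp 181127421 0,nop,wscale 2>
18:48:57.270302 IP remote.smtp > domain0.38261: S 749148214:749148214(0) ack 710403208 win 5792 <mss 1460,sackOK,timestamp 1332954770 181127421,nop,wscale 0>
18:49:00.000000 IP domain0.38262 > remote.smtp: S 1000:1000(0) win 5840 <mss 1460>
18:49:00.100000 IP remote.smtp > domain0.38262: S 5000:5000(0) ack 1001 win 5792 <mss 1460>
18:49:00.100100 IP domain0.38262 > remote.smtp: . ack 5001 win 1460
"""

# Matches the tcpdump 3.x TCP summary format used in the post:
#   <ts> IP <src> > <dst>: <flags> [<seq>:<seq_end>(<len>)] [ack <n>] win <w> ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFPR.]+)"
    r"(?: (?P<seq>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)


@dataclass
class Flow:
    """Handshake state for one client->server connection attempt."""
    client: str
    server: str
    syns: int = 0
    synacks: int = 0
    synack_seen_before_retransmit: bool = False
    server_isn: Optional[int] = None
    completed: bool = False


def parse_line(line: str) -> Optional[dict]:
    """Return the named groups of a TCP summary line, or None for non-matching lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(capture: str) -> Dict[Tuple[str, str], Flow]:
    """Walk the capture and track each handshake, keyed by (client, server)."""
    flows: Dict[Tuple[str, str], Flow] = {}
    for raw in capture.splitlines():
        pkt = parse_line(raw)
        if pkt is None:
            continue  # banner lines, non-TCP traffic, etc.
        is_syn = "S" in pkt["flags"]
        has_ack = pkt["ack"] is not None
        if is_syn and not has_ack:
            # Pure SYN: the sender is the client.
            key = (pkt["src"], pkt["dst"])
            flow = flows.setdefault(key, Flow(*key))
            flow.syns += 1
            if flow.syns > 1 and flow.synacks > 0:
                # A SYN|ACK already arrived on the wire, yet the client
                # is still retransmitting: the reply was lost locally.
                flow.synack_seen_before_retransmit = True
        elif is_syn and has_ack:
            # SYN|ACK: the sender is the server, so swap the key.
            key = (pkt["dst"], pkt["src"])
            flow = flows.setdefault(key, Flow(*key))
            flow.synacks += 1
            flow.server_isn = int(pkt["seq"])
        elif has_ack:
            # Client's third-handshake ACK must acknowledge server ISN + 1.
            flow = flows.get((pkt["src"], pkt["dst"]))
            if (flow is not None and flow.server_isn is not None
                    and int(pkt["ack"]) == flow.server_isn + 1):
                flow.completed = True
    return flows


def stalled_handshakes(flows: Dict[Tuple[str, str], Flow]) -> List[Tuple[str, str]]:
    """Flows whose SYN|ACK was visible on the interface but never completed the handshake."""
    return sorted(k for k, f in flows.items()
                  if f.synack_seen_before_retransmit and not f.completed)


if __name__ == "__main__":
    result = analyse(SAMPLE_CAPTURE)
    for client, server in stalled_handshakes(result):
        f = result[(client, server)]
        print(f"{client} -> {server}: {f.syns} SYNs sent, {f.synacks} SYN|ACKs seen on wire, "
              f"handshake never completed (reply dropped before reaching the socket?)")
```

Run it against the output of `tcpdump -i xen-br0 -n port 25` piped to a file; any flow it reports is one where the filter, not the network, is the first thing to check, since the peer's reply demonstrably arrived.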