[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

re: [Xen-users] xen, fc4, bridging, iptables and conntrack problem



Hi Paul, I have Fedora Core 4 and I am having exactly the same problem
as you. I will provide some detail below.
Out of two installs this happened both times.
You are right, this is a conntrack failure but I don't know if it's on
the iptables or xen side, although everything works fine until xend
starts-creates the bridge and bingo! conntrack stops working. Bit of a
showstopper really.

Here is some of my info:-
Problem:-
New install of fedora core 4 with xen kernel running. Iptables rules that under
the regular kernel work fine stop working when in bridge mode under xen in dom0.
This stops the conntrack system working on the xen host machine and i can't then
log in via ssh.
It seems that the conntrack system is failing to match already accepted
connections. The initial packet seems to get accepted by the INPUT rule, then
the reply packet slips past the ESTABLISHED,RELATED rule and gets logged then
dropped by the default policy.

This is the packet that gets logged:-
xen kernel: OUTPUT IN= OUT=xen-br0 PHYSOUT=eth0 SRC=192.168.0.45
DST=192.168.0.39 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22
DPT=1152 WINDOW=5840 RES=0x00 ACK SYN URGP=0

This happens whether i start a guest os up or not.
This was reproduced on another machine at work with a Fedora Core 4 install.

xen host machine address:192.168.0.45
ssh client address:192.168.0.39

rules:-
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        state RELATED,ESTABLISHED
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        LOG flags 0 level 4 prefix `FORWARD '

Chain INPUT (policy DROP 54 packets, 7483 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  304 21532 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        state RELATED,ESTABLISHED
    1    48 ACCEPT     tcp  --  *      *       192.168.0.39         192.168.0.45
      tcp spts:1024:65535 dpt:22 state NEW
   54  7483 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        LOG flags 0 level 4 prefix `INPUT '

Chain OUTPUT (policy DROP 8 packets, 384 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       192.168.0.45         192.168.0.19
      udp spts:1024:65535 dpt:53
    0     0 ACCEPT     tcp  --  *      *       192.168.0.45         0.0.0.0/0  
        tcp spts:1024:65535 dpt:80
    0     0 ACCEPT     icmp --  *      *       192.168.0.45         0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        LOG flags 0 level 4 prefix `OUTPUT '

interfaces:-
eth0      Link encap:Ethernet  HWaddr 00:08:43:EE:50:CE
          inet addr:192.168.0.45  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24684 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4406 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1992235 (1.8 MiB)  TX bytes:631910 (617.0 KiB)
          Base address:0xecc0 Memory:ff8e0000-ff900000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

xen-br0   Link encap:Ethernet  HWaddr 00:08:43:EE:50:CE
          inet addr:192.168.0.45  Bcast:192.168.0.255  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24682 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4451 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1538495 (1.4 MiB)  TX bytes:618890 (604.3 KiB)

routes:-
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 xen-br0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 xen-br0
0.0.0.0         192.168.0.250   0.0.0.0         UG    0      0        0 xen-br0

operating system:-
Fedora Core 4

kernel version:-
2.6.11-1.1369_FC4xen0

iptables version:-
iptables v1.3.0

xen version:-
xen-2-20050522

network driver:-
e1000

Had everything working under fedora core 3 before with iptables and 5 virtual
machines conntracking beautifully

There's nothing obvious, all the iptables modules are loaded and work
fine until the bridge goes up. No error messages associated with the
bridge creation either.
Will try to dig further.
Hope somebody has some ideas as I am running out of them!


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.