[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Problem start iptables - udp broken (Workaround)

To: Abel Martín <abel.martin.ruiz@xxxxxxxxx>
From: Torsten Lehmann <tlehmann@xxxxxxxxxxxxx>
Date: Wed, 29 Nov 2006 16:15:20 +0100 (CET)
Cc: xen-users@xxxxxxxxxxxxxxxxxxx, PAINCHAUD Christophe <cpainchaud@xxxxxxxxxxx>
Delivery-date: Thu, 30 Nov 2006 05:20:17 -0800
List-id: Xen user discussion <xen-users.lists.xensource.com>

On Wed, 29 Nov 2006, Torsten Lehmann wrote:

>
> - If one has very much time, then one sees also from time to time
> any packets in both directions....
>
> -> udp-packets not blocked generally.
>
> - Why the knot only solved after that to remove the module ip_conntrack?
>
> - to reproduce this problem is sufficient:
>   # modprobe ip_conntrack
>

- Workaround: remove ip_conntrack from kernel:

# cd xen-3.0-testing/linux-2.6.16-xen0
# find . -name ip_conntrack.ko -exec rm -f {} \; -print
# find /lib/modules/`uname -r` -name ip_conntrack.ko -exec rm -f {} \; -print

l0# diff .config.old .config
...
< CONFIG_IP_NF_CONNTRACK=m
> # CONFIG_IP_NF_CONNTRACK is not set

l0:# make modules modules_install

l0:# /etc/init.d/netfilter start
Applying iptables firewall rules:
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
  - "No chain...": rules which need ip_conntrack

- following rule-set was tested:

  $IPTABLES -i $EXTIF -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
   # -> iptables: No chain/target/match by that name
   #    "--state" required ip_conntrack

  $IPTABLES -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0  -j 
domU
  $IPTABLES -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0  -j 
domU
  $IPTABLES -A domU -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG_LEVEL 
--log-prefix "IN testdomU: "
   # -> iptables: No chain/target/match by that name
   #    "-m physdev" required ip_conntrack (??)

  $IPTABLES -i peth0 -A INPUT -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG 
_LEVEL --log-prefix "IN testpeth: "
   # -> nomatch...rule not working

  $IPTABLES -A INPUT -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG_LEVEL 
--log-prefix "IN test: "
   # -> match....OK


regards Torsten
Launoc


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

Follow-Ups:
- Re: [Xen-users] Problem start iptables - udp broken (Workaround)
  - From: Abel Martín

References:
- RE: [Xen-users] Problem start iptables - udp broken
  - From: PAINCHAUD Christophe
- Re: [Xen-users] Problem start iptables - udp broken
  - From: Abel Martín
- Re: [Xen-users] Problem start iptables - udp broken
  - From: Torsten Lehmann

Prev by Date: [Xen-users] can connect *from* Windows, can't connect *to* Windows
Next by Date: Re: [Xen-users] Time/clock issues with Xen 3.0.3?
Previous by thread: Re: [Xen-users] Problem start iptables - udp broken
Next by thread: Re: [Xen-users] Problem start iptables - udp broken (Workaround)
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.