Xen project Mailing List

[Xen-users] iptables and state matches (established, related)

From: "Andrey Oreshnikov" <elride@xxxxxxxxx>

Date: Tue, 10 Apr 2007 14:44:53 +0400

Delivery-date: Tue, 10 Apr 2007 03:43:51 -0700

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=PKdjTVV6qcC0sn4vebssXyIEonTBT47qcvZ7P9HZsxTkcy+Le74MqNzbnU9MBZ2FAjwCh752AOZloUaMoo5RweyN2WrlyRoJuLbWXYjt/vz8M6RFAivfW6plQMuuwj8XbGAgwfw4l/DjVwyZxWE2n/JNOg/Ck2Ksi/WI7tczkaI=

List-id: Xen user discussion <xen-users.lists.xensource.com>

I use xen-3.0.4_1 ( linux-2.6.16.33 ) and have some promblem with it and iptables. I installed both from source and from rpms for Suse. The problem is in both. The iptables state match don't work in INPUT and OUTPUT chains but work in FORWARD chain. For example rule iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT don't match any packets in established connection. Necessarily modules are loaded # lsmod | grep conntrack ip_conntrack_ftp 12144 1 ip_nat_ftp ip_conntrack 58584 3 ip_nat_ftp,ip_nat,ip_conntrack_ftp nfnetlink 10520 2 ip_nat,ip_conntrack # cat /proc/net/ip_conntrack tcp 6 186909 ESTABLISHED src=192.168.0.170 dst=192.168.0.124 sport=29664 dport=22 packets=1 bytes=52 [UNREPLIED] src=192.168.0.124 dst=192.168.0.170 sport=22 dport=29664 packets=0 bytes=0 mark=0 use=1 This rule work fine: IPTABLES -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT In xen-3.0.2 from sles distribution this problem is absent. any suggestion? _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.