
Re: [Xen-users] netfilter, conntrack, ip_nat_ftp problem



On Thursday 31 May 2007, Vladislav Kurz wrote:
> On Wednesday 30 May 2007 08:34, Alexander Wilms wrote:
> > Hi Vladislav,
> >
> > this all sounds familiar to me. Both problems seem to be related to the
> > TCP/UDP Checksum problem. If you would look with wireshark into your
> > packets you would see a lot of wrong checksums. And this explains both:
> > Because of this the FTP nat helper doesn't rewrite the re-transmitted
> > packets anymore and also confuses the rest of the connection tracking.
> >
> >
> > Solution is quite simple. Switch off tx checksumming of your nic(s). E.g.
> > "ethtool -K eth0 tx off"
> > You have to find out which of your nics need it. In my setup I had to
> > switch it off in dom0 and domU on all physical nics.
> >
> > HTH,
> > Alex
>
> Thanks a lot Alex,
>
> I switched off checksum offloading on domU and FTP NAT helper started to
> work. I still get some INVALID packets with FIN & RST flag set, and some
> bad tcp checksum in dom0 - domU traffic, so I will monitor it and perhaps
> switch off checksum on the real eth0 and xen-br0 (or the vifX) in dom0.
>
> Anyway I think this must have affected quite a lot of xen users. TCP
> checksum offloading must break any stateful firewall in dom0, or do I miss
> something? Why is there no note about this in the docs? Or is our configuration
> so unusual? (dom0 as a firewall in front of domU guests)
>
> Thanks
>       Vladislav Kurz


Hi Vladislav,

no, not so unusual. So I also don't understand why more people aren't reporting 
this issue on the xen lists. (There was only one thread that I remember that 
was related to that issue. It was like: everything works, but DNS resolution 
fails. This was also related to offloading features of the nic.)

But on the shorewall list we discussed it, and in a xen book I read it was also 
a topic. So the best hint you can find so far is maybe in the shorewall 
documentation written by Tom Eastep. 
http://www.shorewall.net/XenMyWay.html

Btw. my way of xen is a bit different. I'm running my firewall in a domU (with 
PCI passthrough'ed nics) and (of course) still have the same effects.

HTH,
Alex
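As an added example (not code from Alex, Vladislav or the Xen project), a small Python helper that applies the two checks from this thread: it parses `ethtool -k` output to find nics that still have TX checksumming on and emits the `ethtool -K <nic> tx off` command for each, and it sums the `invalid` counters from /proc/net/stat/nf_conntrack so you can see whether INVALID packets keep climbing after the change. The ethtool and conntrack samples are constructed, and the column layout of /proc/net/stat/nf_conntrack is assumed from the kernel's proc output.

```python
"""Audit TX checksum offload on nics and read conntrack's INVALID counter.

The samples below are constructed for this example; on a real dom0 the text
would come from `ethtool -k <iface>` and /proc/net/stat/nf_conntrack.
"""
import re

# Matches "tx-checksumming: on" style feature lines (also indented sub-features).
FEATURE_RE = re.compile(r"^\s*([\w-]+):\s*(on|off)", re.MULTILINE)


def parse_ethtool_k(text):
    """Map each feature line of `ethtool -k` output to True (on) / False (off)."""
    return {name: state == "on" for name, state in FEATURE_RE.findall(text)}


def tx_offload_fix(iface, ethtool_text):
    """Return the command that disables TX checksumming, or None if already off."""
    if parse_ethtool_k(ethtool_text).get("tx-checksumming"):
        return f"ethtool -K {iface} tx off"
    return None


def conntrack_invalid(stat_text):
    """Sum the per-CPU 'invalid' column of /proc/net/stat/nf_conntrack (hex)."""
    lines = [line for line in stat_text.splitlines() if line.strip()]
    idx = lines[0].split().index("invalid")       # header names the columns
    return sum(int(row.split()[idx], 16) for row in lines[1:])


# Constructed samples: eth0 still offloads, vif1.0 already has tx switched off.
ETHTOOL_SAMPLES = {
    "eth0": "Offload parameters for eth0:\nrx-checksumming: on\ntx-checksumming: on\nscatter-gather: on\n",
    "vif1.0": "Offload parameters for vif1.0:\nrx-checksumming: off\ntx-checksumming: off\nscatter-gather: on\n",
}
CONNTRACK_STAT = (
    "entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete\n"
    "0000001a 000003e8 00000064 00000010 0000000c 00000000 00000005 00000005 00000010 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n"
    "0000001a 000001f4 00000032 00000008 00000003 00000000 00000002 00000002 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n"
)


def audit(samples=ETHTOOL_SAMPLES):
    """Return the fix commands needed for every sampled interface."""
    cmds = []
    for iface, text in samples.items():
        cmd = tx_offload_fix(iface, text)
        if cmd:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    for cmd in audit():
        print("needed:", cmd)
    print("conntrack INVALID packets so far:", conntrack_invalid(CONNTRACK_STAT))
```

Run the audit once before and once after applying the commands; if the INVALID counter keeps growing on dom0-to-domU traffic, the vif or bridge interface still needs the same treatment.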



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users