
Re: [Xen-users] ip conntrack table full



On Mon, Jan 25, 2010, Fajar A. Nugraha wrote:
> On Mon, Jan 25, 2010 at 7:00 AM, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
>> Ok, that is a good indicator.  I can see things contacting port 443, which
>> is what should be on the domU.  I'm also seeing lots of established
>> connections that aren't showing up in netstat.  So it's like the dom0 is
>> tracking the domU's iptables, but is not releasing them?

> Have you look at each domU's conntrack count (assuming they also have
> iptables enabled)? Most likely if you add up all of them it'd match
> dom0's count.

> If the load is what you expect (i.e. no portscan/attacks), and you
> don't use dom0 as firewall (just a router), then perhaps you should
> simply just disable iptables on dom0. Another alternative is to
> increase max conntrack, or reduce conntrack timeouts on dom0.

> -- 
> Fajar

This whole conntrack design strikes me as a serious bug that can lead to DOS 
attacks, even assuming that the counter is 32 bits. And I'm not comfortable 
with dom0 "snooping"/recording traffic on domU, isolation-wise. (Yeah, I know, 
anybody can run tcpdump or wireshark on bridged traffic, but this is all being 
recorded. At least it's not world readable.)

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
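The two checks suggested in the thread (compare the sum of the domUs' conntrack counts against dom0's, and watch dom0's count against nf_conntrack_max before the table fills) as an added shell example; it is not code from the thread, it assumes the /proc/sys/net/netfilter/nf_conntrack_* sysctl paths, and it falls back to constructed sample values when those files are not readable.

```shell
#!/bin/sh
# Added example (not from the thread): report conntrack table utilisation on
# dom0 and flag when it is close to "table full, dropping packet".
# Assumption: nf_conntrack sysctls live under /proc/sys/net/netfilter
# (older kernels use /proc/sys/net/ipv4/netfilter/ip_conntrack_* instead).

CT_DIR=/proc/sys/net/netfilter

# conntrack_pct COUNT MAX -> prints the integer percentage of the table in use
conntrack_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo 0; return 0; }   # no table, nothing to measure
    echo $(( count * 100 / max ))
}

# conntrack_status COUNT MAX THRESHOLD -> prints "ok" or "near-full";
# returns 1 when utilisation is at or above THRESHOLD percent
conntrack_status() {
    pct=$(conntrack_pct "$1" "$2")
    if [ "$pct" -ge "$3" ]; then
        echo "near-full"; return 1
    fi
    echo "ok"; return 0
}

# domu_sum COUNT... -> sum of the per-domU conntrack counts, to compare with
# dom0's count as the thread suggests (gather each domU's count separately)
domu_sum() {
    total=0
    for c in "$@"; do total=$(( total + c )); done
    echo "$total"
}

# read_live_values -> prints "COUNT MAX" from /proc, or constructed sample
# values (93% of a 65536-entry table) when conntrack is not loaded here
read_live_values() {
    if [ -r "$CT_DIR/nf_conntrack_count" ] && [ -r "$CT_DIR/nf_conntrack_max" ]; then
        echo "$(cat "$CT_DIR/nf_conntrack_count") $(cat "$CT_DIR/nf_conntrack_max")"
    else
        echo "61440 65536"   # constructed sample, not a real measurement
    fi
}

main_check() {
    set -- $(read_live_values)
    echo "dom0 conntrack entries: $1 / $2 ($(conntrack_pct "$1" "$2")%)"
    conntrack_status "$1" "$2" 80
}

main_check || echo "WARNING: raise nf_conntrack_max or lower conntrack timeouts on dom0"
```

Run it on dom0 and on each domU; if the domU counts (via domu_sum) roughly add up to dom0's count, the entries are the domUs' own connections being tracked twice, as the thread describes.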