
RE: [Xen-devel] [PATCH] Network Checksum Removal



Hello

It seems this patch breaks something in netfilter.

My setup is a classical bridge (no veth0/vif0.0) plus some stateful
firewalling on Dom0.

With tx offload off and firewall on, pings from Dom0 to DomU work, ssh
from Dom0 to DomU works.
With tx offload on and firewall off, the same.
With tx offload on and firewall on, ping goes well but ssh does not.

Here are the iptables rules:

iptables -P INPUT DROP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i xen-br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P OUTPUT ACCEPT


Here is a capture of vif1.0:

IP DOM0.2486 > DOM1.22: S
IP DOM1.22 > DOM0.2486: S
IP DOM0.2486 > DOM1.22: . ack 1
IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1
...

The response from the original SYN goes through the third rule, but the
ACKs don't.

I added a rule to log packets with invalid state and the ACKs got
logged.



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
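
An added example, not part of the original message: a small Python script that reads tcpdump-style lines like the vif1.0 capture above and reports data segments that were sent more than once and never acknowledged by the peer, which is the pattern that capture shows. The function names and the embedded sample string are constructed for this illustration.

```python
import re
from collections import Counter

# Constructed sample: the vif1.0 capture lines quoted in the message above.
CAPTURE = """\
IP DOM0.2486 > DOM1.22: S
IP DOM1.22 > DOM0.2486: S
IP DOM0.2486 > DOM1.22: . ack 1
""" + "IP DOM1.22 > DOM0.2486: P 1:23(22) ack 1\n" * 7 + "...\n"

# "IP src > dst: flags [start:end(len)] [ack N]" (relative sequence numbers)
LINE = re.compile(
    r"^IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
    r"(?: (?P<start>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)

def parse(capture):
    """Yield one dict per packet line; non-packet lines ('...') are skipped."""
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def unacked_retransmissions(capture):
    """Return data segments seen more than once that the peer never acked."""
    sent = Counter()      # (src, dst, start, end) -> times seen
    highest_ack = {}      # (acker, peer) -> highest ack number seen
    for p in parse(capture):
        if p["len"] and int(p["len"]) > 0:
            sent[(p["src"], p["dst"], int(p["start"]), int(p["end"]))] += 1
        if p["ack"]:
            key = (p["src"], p["dst"])
            highest_ack[key] = max(highest_ack.get(key, 0), int(p["ack"]))
    findings = []
    for (src, dst, start, end), count in sent.items():
        # The receiver acknowledges a segment by sending ack >= its end.
        acked = highest_ack.get((dst, src), 0) >= end
        if count > 1 and not acked:
            findings.append({"sender": src, "receiver": dst,
                             "seq": f"{start}:{end}", "times_sent": count})
    return findings

if __name__ == "__main__":
    for f in unacked_retransmissions(CAPTURE):
        print(f"{f['sender']} -> {f['receiver']} seq {f['seq']} "
              f"sent {f['times_sent']} times, never acknowledged")
```

A segment reported here reached the interface repeatedly while the receiver never acknowledged it, so the receiver's own filtering (here the INPUT chain on Dom0) is the place to look next.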


 

