[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-bugs] [Bug 82] New: ip_conntrack not working in dom0 xen2 Fedora Core 4

http://bugzilla.xensource.com/cgi-bin/bugzilla/show_bug.cgi?id=82

           Summary: ip_conntrack not working in dom0 xen2 Fedora Core 4
           Product: Xen
           Version: 2.0
          Platform: x86
        OS/Version: Linux-2.6
            Status: NEW
          Severity: major
          Priority: P2
         Component: Hypervisor
        AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
        ReportedBy: jonny@xxxxxxxxxxx


Problem:-
New install of fedora core 4 with xen kernel running. Iptables rules that under
the regular kernel work fine stop working when in bridge mode under xen in dom0.
This stops the conntrack system working on the xen host machine and i can't then
log in via ssh.
It seems that the conntrack system is failing to match already accepted
connections. The initial packet seems to get accepted by the INPUT rule, then
the reply packet slips past the ESTABLISHED,RELATED rule and gets logged then
dropped by the default policy.

This is the packet that gets logged:-
xen kernel: OUTPUT IN= OUT=xen-br0 PHYSOUT=eth0 SRC=192.168.0.45
DST=192.168.0.39 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22
DPT=1152 WINDOW=5840 RES=0x00 ACK SYN URGP=0

This happens whether i start a guest os up or not.
This was reproduced on another machine at work with a Fedora Core 4 install.

xen host machine address:192.168.0.45
ssh client address:192.168.0.39

rules:-
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        state RELATED,ESTABLISHED
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        LOG flags 0 level 4 prefix `FORWARD '

Chain INPUT (policy DROP 54 packets, 7483 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  304 21532 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        state RELATED,ESTABLISHED
    1    48 ACCEPT     tcp  --  *      *       192.168.0.39         192.168.0.45
      tcp spts:1024:65535 dpt:22 state NEW
   54  7483 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        LOG flags 0 level 4 prefix `INPUT '

Chain OUTPUT (policy DROP 8 packets, 384 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       192.168.0.45         192.168.0.19
      udp spts:1024:65535 dpt:53
    0     0 ACCEPT     tcp  --  *      *       192.168.0.45         0.0.0.0/0  
        tcp spts:1024:65535 dpt:80
    0     0 ACCEPT     icmp --  *      *       192.168.0.45         0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        LOG flags 0 level 4 prefix `OUTPUT '

interfaces:-
eth0      Link encap:Ethernet  HWaddr 00:08:74:EE:50:ED
          inet addr:192.168.0.45  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24684 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4406 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1992235 (1.8 MiB)  TX bytes:631910 (617.0 KiB)
          Base address:0xecc0 Memory:ff8e0000-ff900000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

xen-br0   Link encap:Ethernet  HWaddr 00:08:74:EE:50:ED
          inet addr:192.168.0.45  Bcast:192.168.0.255  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24682 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4451 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1538495 (1.4 MiB)  TX bytes:618890 (604.3 KiB)

routes:-
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 xen-br0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 xen-br0
0.0.0.0         192.168.0.250   0.0.0.0         UG    0      0        0 xen-br0

operating system:-
Fedora Core 4

kernel version:-
2.6.11-1.1369_FC4xen0

iptables version:-
iptables v1.3.0

xen version:-
xen-2-20050522

network driver:-
e1000

Had everything working under fedora core 3 before with iptables and 5 virtual
machines.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

_______________________________________________
Xen-bugs mailing list
Xen-bugs@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-bugs

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.