[Xen-bugs] [Bug 82] ip_conntrack not working in dom0 xen2 Fedora Core 4
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=82

spshealy@xxxxxxxxxxxx changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

------- Additional Comments From spshealy@xxxxxxxxxxxx 2005-08-29 22:43 -------

I seem to be having the same problem. I am running unstable from Aug 25 with Debian sarge for both dom0 and domU. I have iptables set up on dom0 to firewall for both dom0 and domUs (using the FORWARD chain). I am running on a Dell 1850 which has an e1000 in it... I am also seeing bug #185. I had this current problem before the introduction of bug 185.

My symptoms are that connections seem to be stalling out. Looking further into my logs I see that established connections are getting forgotten by iptables and being blocked by the firewall for both dom0 and domUs. Also, empirically, it seems that the behaviour only occurs after the box has been up for a little while.

Below is a cut from one of my logs (IPs changed). What's going on here is that I have an HTTP connection and it can't close the connection, so the HTTP client appears to hang. I have also seen this happen with an established SSH session, usually when cat'ing a large text file. Once this happens for the SSH session, game over: the connection is no longer useful. I have seen this happen on both dom0 and domUs, and have also seen it with just the plain ACK flag set.

I am not an expert iptables guy but I think I have it right... please let me know if I don't. Maybe this bug should be reopened.
Food for thought:

Aug 29 17:34:31 localhost kernel: PASS-unknown:IN=xen-br0 OUT=xen-br0 PHYSIN=eth0 PHYSOUT=vif2.0 SRC=167.7.9.9 DST=207.235.11.11 LEN=72 TOS=0x00 PREC=0x00 TTL=52 ID=14663 PROTO=TCP SPT=3519 DPT=80 WINDOW=15216 RES=0x00 ACK FIN URGP=0
Aug 29 17:34:33 localhost kernel: PASS-unknown:IN=xen-br0 OUT=xen-br0 PHYSIN=eth0 PHYSOUT=vif2.0 SRC=167.7.9.9 DST=207.235.11.11 LEN=80 TOS=0x00 PREC=0x00 TTL=52 ID=14665 PROTO=TCP SPT=3519 DPT=80 WINDOW=15216 RES=0x00 ACK URGP=0

My firewall config for dom0 doing filtering on the bridge:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
in_i1      all  --  anywhere             anywhere
in_i2      all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED
LOG        all  --  anywhere             anywhere             limit: avg 1/sec burst 5 LOG level warning prefix `IN-unknown:'
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
in_r1      all  --  anywhere             anywhere             PHYSDEV match --physdev-in eth0 --physdev-out vif+
out_r1     all  --  anywhere             anywhere             PHYSDEV match --physdev-in vif+ --physdev-out eth0
ACCEPT     all  --  anywhere             anywhere             state RELATED
LOG        all  --  anywhere             anywhere             limit: avg 1/sec burst 5 LOG level warning prefix `PASS-unknown:'
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
out_i1     all  --  anywhere             anywhere
out_i2     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED
LOG        all  --  anywhere             anywhere             limit: avg 1/sec burst 5 LOG level warning prefix `OUT-unknown:'
DROP       all  --  anywhere             anywhere

Chain in_i1 (1 references)
target     prot opt source               destination
in_i1_ssh_s1  all  --  anywhere             anywhere
in_i1_ping_s2  all  --  anywhere             anywhere
in_i1_all_c3  all  --  anywhere             anywhere
in_i1_irc_c4  all  --  anywhere             anywhere
in_i1_ftp_c5  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED
LOG        all  --  anywhere             anywhere             limit: avg 1/sec burst 5 LOG level warning prefix `IN-i1:'
DROP       all  --  anywhere             anywhere

Chain in_i1_all_c3 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED

Chain in_i1_ftp_c5 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp dpts:1024:4999 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data dpts:1024:4999 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpts:1024:4999 state ESTABLISHED

Chain in_i1_irc_c4 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ircd dpts:1024:4999 state ESTABLISHED

Chain in_i1_ping_s2 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             state NEW,ESTABLISHED icmp echo-request

Chain in_i1_ssh_s1 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:ssh state NEW,ESTABLISHED

Chain in_i2 (1 references)
target     prot opt source               destination
in_i2_ssh_s1  all  --  anywhere             anywhere
in_i2_ping_s2  all  --  anywhere             anywhere
in_i2_all_c3  all  --  anywhere             anywhere
in_i2_irc_c4  all  --  anywhere             anywhere
in_i2_ftp_c5  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED
LOG        all  --  anywhere             anywhere             limit: avg 1/sec burst 5 LOG level warning prefix `IN-i2:'
DROP       all  --  anywhere             anywhere

Chain in_i2_all_c3 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED

Chain in_i2_ftp_c5 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp dpts:1024:4999 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data dpts:1024:4999 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpts:1024:4999 state ESTABLISHED

Chain in_i2_irc_c4 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ircd dpts:1024:4999 state ESTABLISHED

Chain in_i2_ping_s2 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             state NEW,ESTABLISHED icmp echo-request

Chain in_i2_ssh_s1 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:ssh state NEW,ESTABLISHED

Chain in_r1 (1 references)
target     prot opt source               destination
in_r1_ssh_s1  all  --  anywhere             anywhere
in_r1_http_s2  all  --  anywhere             anywhere
in_r1_ping_s3  all  --  anywhere             anywhere
in_r1_smtp_s4  all  --  anywhere             anywhere
in_r1_all_c5  all  --  anywhere             anywhere
in_r1_irc_c6  all  --  anywhere             anywhere
in_r1_ftp_c7  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED

Chain in_r1_all_c5 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED

Chain in_r1_ftp_c7 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED

Chain in_r1_http_s2 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:www state NEW,ESTABLISHED

Chain in_r1_irc_c6 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ircd dpts:1024:65535 state ESTABLISHED

Chain in_r1_ping_s3 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             state NEW,ESTABLISHED icmp echo-request

Chain in_r1_smtp_s4 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             m12.graysail.com     tcp spts:1024:65535 dpt:smtp state NEW,ESTABLISHED

Chain in_r1_ssh_s1 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:ssh state NEW,ESTABLISHED

Chain out_i1 (1 references)
target     prot opt source               destination
out_i1_ssh_s1  all  --  anywhere             anywhere
out_i1_ping_s2  all  --  anywhere             anywhere
out_i1_all_c3  all  --  anywhere             anywhere
out_i1_irc_c4  all  --  anywhere             anywhere
out_i1_ftp_c5  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED
LOG        all  --  anywhere             anywhere             limit: avg 1/sec burst 5 LOG level warning prefix `OUT-i1:'
DROP       all  --  anywhere             anywhere

Chain out_i1_all_c3 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state NEW,ESTABLISHED

Chain out_i1_ftp_c5 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:4999 dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:4999 dpt:ftp-data state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:4999 dpts:1024:65535 state RELATED,ESTABLISHED

Chain out_i1_irc_c4 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:4999 dpt:ircd state NEW,ESTABLISHED

Chain out_i1_ping_s2 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             state ESTABLISHED icmp echo-reply

Chain out_i1_ssh_s1 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh dpts:1024:65535 state ESTABLISHED

Chain out_i2 (1 references)
target     prot opt source               destination
out_i2_ssh_s1  all  --  anywhere             anywhere
out_i2_ping_s2  all  --  anywhere             anywhere
out_i2_all_c3  all  --  anywhere             anywhere
out_i2_irc_c4  all  --  anywhere             anywhere
out_i2_ftp_c5  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED
LOG        all  --  anywhere             anywhere             limit: avg 1/sec burst 5 LOG level warning prefix `OUT-i2:'
DROP       all  --  anywhere             anywhere

Chain out_i2_all_c3 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state NEW,ESTABLISHED

Chain out_i2_ftp_c5 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:4999 dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:4999 dpt:ftp-data state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:4999 dpts:1024:65535 state RELATED,ESTABLISHED

Chain out_i2_irc_c4 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:4999 dpt:ircd state NEW,ESTABLISHED

Chain out_i2_ping_s2 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             state ESTABLISHED icmp echo-reply

Chain out_i2_ssh_s1 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh dpts:1024:65535 state ESTABLISHED

Chain out_r1 (1 references)
target     prot opt source               destination
out_r1_ssh_s1  all  --  anywhere             anywhere
out_r1_http_s2  all  --  anywhere             anywhere
out_r1_ping_s3  all  --  anywhere             anywhere
out_r1_smtp_s4  all  --  anywhere             anywhere
out_r1_all_c5  all  --  anywhere             anywhere
out_r1_irc_c6  all  --  anywhere             anywhere
out_r1_ftp_c7  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED

Chain out_r1_all_c5 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state NEW,ESTABLISHED

Chain out_r1_ftp_c7 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:ftp-data state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED

Chain out_r1_http_s2 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:www dpts:1024:65535 state ESTABLISHED

Chain out_r1_irc_c6 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:ircd state NEW,ESTABLISHED

Chain out_r1_ping_s3 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             state ESTABLISHED icmp echo-reply

Chain out_r1_smtp_s4 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  m12.graysail.com     anywhere             tcp spt:smtp dpts:1024:65535 state ESTABLISHED

Chain out_r1_ssh_s1 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh dpts:1024:65535 state ESTABLISHED

Output of ifconfig:

eth0      Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:219817 errors:0 dropped:0 overruns:0 frame:0
          TX packets:189417 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:38944429 (37.1 MiB)  TX bytes:104933903 (100.0 MiB)
          Base address:0xdcc0 Memory:dfae0000-dfb00000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

veth0     Link encap:Ethernet  HWaddr 00:14:22:0F:3B:53
          inet addr:207.235.9.9  Bcast:207.235.9.112  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:63364 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28120 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5947899 (5.6 MiB)  TX bytes:5540885 (5.2 MiB)

vif0.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28120 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63364 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5540885 (5.2 MiB)  TX bytes:5947899 (5.6 MiB)

vif2.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:143400 errors:0 dropped:0 overruns:0 frame:0
          TX packets:155990 errors:0 dropped:23 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:90660971 (86.4 MiB)  TX bytes:19900098 (18.9 MiB)

xen-br0   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:39667 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2467175 (2.3 MiB)  TX bytes:0 (0.0 b)
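Added example, not part of the bug report or of Xen: a Python check that parses netfilter LOG lines in the format quoted above and flags mid-stream TCP segments (ACK set, SYN clear) that reached one of the "-unknown" catch-all chains, which is the signature of conntrack having forgotten an established flow rather than of a missing rule. The sample log lines, their addresses and the function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the format of the netfilter LOG lines quoted in the
# report (documentation addresses, not the reporter's). The third line is a
# fresh SYN, which the catch-all chain is right to reject.
SAMPLE_LOG = """\
Aug 29 17:34:31 localhost kernel: PASS-unknown:IN=xen-br0 OUT=xen-br0 PHYSIN=eth0 PHYSOUT=vif2.0 SRC=192.0.2.10 DST=198.51.100.20 LEN=72 TOS=0x00 PREC=0x00 TTL=52 ID=14663 PROTO=TCP SPT=3519 DPT=80 WINDOW=15216 RES=0x00 ACK FIN URGP=0
Aug 29 17:34:33 localhost kernel: PASS-unknown:IN=xen-br0 OUT=xen-br0 PHYSIN=eth0 PHYSOUT=vif2.0 SRC=192.0.2.10 DST=198.51.100.20 LEN=80 TOS=0x00 PREC=0x00 TTL=52 ID=14665 PROTO=TCP SPT=3519 DPT=80 WINDOW=15216 RES=0x00 ACK URGP=0
Aug 29 17:35:01 localhost kernel: PASS-unknown:IN=xen-br0 OUT=xen-br0 PHYSIN=eth0 PHYSOUT=vif2.0 SRC=192.0.2.99 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
PREFIX_RE = re.compile(r"kernel: (?P<prefix>[A-Za-z0-9_-]+):(?P<rest>.*)$")

def parse_log_line(line):
    """Split one netfilter LOG line into its KEY=VALUE fields, the log prefix
    (e.g. PASS-unknown) and the set of bare TCP flag words; None if no match."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group("prefix"), "FLAGS": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            fields["FLAGS"].add(tok)
    return fields

def is_midstream_drop(fields):
    """A TCP segment with ACK set and SYN clear belongs to a connection that
    conntrack should already know. Reaching a *-unknown catch-all chain means
    the state entry for that flow is gone (or was never created)."""
    return (fields is not None
            and fields.get("PROTO") == "TCP"
            and fields["PREFIX"].endswith("-unknown")
            and "ACK" in fields["FLAGS"]
            and "SYN" not in fields["FLAGS"])

def lost_state_flows(log_text):
    """Count mid-stream drops per (src, sport, dst, dport); repeated hits on
    one flow are the stalled-connection symptom the report describes."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if is_midstream_drop(fields):
            hits[(fields["SRC"], fields["SPT"], fields["DST"], fields["DPT"])] += 1
    return hits
```

Run it over the kernel log of the affected box: a 4-tuple that keeps accumulating hits while the ESTABLISHED accept rules shown in the config above are in place points at conntrack state loss, not at a missing rule.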