
Re: [Xen-users] Problem start iptables - udp broken (Workaround)



On Wed, 29 Nov 2006, Abel Martín wrote:

> 11/29/06, Torsten Lehmann <tlehmann@xxxxxxxxxxxxx> wrote:
> > On Wed, 29 Nov 2006, Torsten Lehmann wrote:
> >
> > >
> > > - If one has a lot of time, one also sees some packets in both
> > > directions from time to time....
> > >
> > > -> udp-packets are not blocked in general.
> > >
> > > - Why is the knot only solved after removing the module ip_conntrack?
> > >
> > > - to reproduce this problem it is sufficient to:
> > >   # modprobe ip_conntrack
> > >
> >
> > - Workaround: remove ip_conntrack from kernel:
> >
> > # cd xen-3.0-testing/linux-2.6.16-xen0
> > # find . -name ip_conntrack.ko -exec rm -f {} \; -print
> > # find /lib/modules/`uname -r` -name ip_conntrack.ko -exec rm -f {} \; -print
> >
> > l0# diff .config.old .config
> > ...
> > < CONFIG_IP_NF_CONNTRACK=m
> > > # CONFIG_IP_NF_CONNTRACK is not set
> >
> > l0:# make modules modules_install
> >
> > l0:# /etc/init.d/netfilter start
> > Applying iptables firewall rules:
> > iptables: No chain/target/match by that name
> > iptables: No chain/target/match by that name
> > iptables: No chain/target/match by that name
> >   - "No chain...": rules which need ip_conntrack
> >
> > - the following rule-set was tested:
> >
> >   $IPTABLES -i $EXTIF -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
> >    # -> iptables: No chain/target/match by that name
> >    #    "--state" requires ip_conntrack
> >
> >   $IPTABLES -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j domU
> >   $IPTABLES -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j domU
> >   $IPTABLES -A domU -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "IN testdomU: "
> >    # -> iptables: No chain/target/match by that name
> >    #    "-m physdev" requires ip_conntrack (??)
>
> Did you create the chain named domU with "iptables -N domU"? The
Yes. I did it.

> iptables state module won't work without the conntrack module. Please,
> don't disable ip_conntrack and don't just copy and paste the rules I
> sent. Adapt them to your needs. In my box there's no peth0, but eth0.
> This is because the way networking scripts configure Xen networking
> depending on the Xen package one installs.

But if I load the module "ip_conntrack" alone (without setting any iptables rule),
the network (udp) is broken!
<ot>Loading a module into the kernel should never cause trouble.</ot>


regards Torsten
Launoc
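An added example, not from anyone in this thread: a small POSIX shell lint that flags the two causes of "No chain/target/match by that name" discussed above, i.e. rules whose `-m state` (or `-m conntrack`) match needs ip_conntrack loaded, and user chains such as domU that are appended to or jumped to but never created with `iptables -N`. The ruleset is a constructed sample modelled on the quoted one; the lint only reads the script text, so it needs no iptables binary or kernel module.

```shell
#!/bin/sh
# Lint an iptables rule script before applying it (added example, not from
# the thread). Sample ruleset constructed after the one quoted above:
RULES='
$IPTABLES -i $EXTIF -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m physdev --physdev-in eth0 --physdev-out ! eth0 -j domU
$IPTABLES -A FORWARD -m physdev --physdev-out eth0 --physdev-in ! eth0 -j domU
$IPTABLES -A domU -p tcp -s 0/0 -m multiport --dport 23 -j LOG --log-prefix "IN testdomU: "
'

# Print every rule that uses the state/conntrack match; each of these fails
# with "No chain/target/match by that name" unless ip_conntrack is loaded.
conntrack_rules() {
    printf '%s\n' "$RULES" | grep -E -- '-m (state|conntrack)'
}

# Print chains that are used (-A/-I) or jumped to (-j) but are neither
# built-in chains/targets nor created earlier in the script with -N.
missing_chains() {
    printf '%s\n' "$RULES" | awk '
        BEGIN {
            n = split("INPUT OUTPUT FORWARD PREROUTING POSTROUTING " \
                      "ACCEPT DROP REJECT LOG RETURN DNAT SNAT MASQUERADE", b, " ")
            for (i = 1; i <= n; i++) builtin[b[i]] = 1
        }
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-N") created[$(i + 1)] = 1
                else if ($i == "-A" || $i == "-I" || $i == "-j") ref[$(i + 1)] = 1
            }
        }
        END { for (c in ref) if (!(c in builtin) && !(c in created)) print c }'
}

echo "rules needing ip_conntrack:"; conntrack_rules
echo "chains never created with -N:"; missing_chains
```

On the sample above the first report lists the `-m state` rule and the second lists `domU`; adding `$IPTABLES -N domU` to the script clears the second finding.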

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

