
[Xen-users] netfilter, conntrack, ip_nat_ftp problem



Hello all,

I have a problem with netfilter and connection tracking on Xen.

My config is:
xen-3.0.3
linux-2.6.18
Debian Etch AMD64
2x Xeon with Hyper-Threading enabled

Network configuration in dom0 is like this:

eth0, eth0:1, eth0:2,... (public IPs)
xenbr0 (private IPs)=vif1.x, vif2.x, vif3.x,...
I am not using netloop (vif0.x and veth0).

I DNAT selected IPs/ports from public interface to different domU hosts (one 
is webserver, other is mailserver, jabber server, FTP server, etc). 
Connections from domU to internet are SNATed to one of public IPs.

One problem is that ip_nat_ftp does not work. When someone connects with 
passive FTP, and tries to open data connection, it connects to private 
address. It seems like ip_nat_ftp is not working at all. (Active ftp is OK).

I have used Xen 2.0.4 with kernel 2.6.10 (i386) and ip_nat_ftp worked fine.


Another problem I noticed is that connection tracking marks a lot of packets 
as INVALID. (iptables -A INPUT -m state --state INVALID -j DROP) These 
packets are often part of ESTABLISHED connections to servers in domU, and 
somehow they are not DNATed and instead of getting into FORWARD chain, they 
end up in INPUT. So instead of routing them to proper domU, they hit dom0.

It looks like the same problem I had on xen 2.0.4 with kernel 2.6.10 which 
involved tcp window tracking and I got rid of it by setting sysctl variables:
net/ipv4/netfilter/ip_conntrack_tcp_be_liberal=1
net/ipv4/netfilter/ip_conntrack_log_invalid=1

But in xen 3.0.3 with kernel 2.6.18 it does nothing. No logging, and still a 
lot of INVALID packets.

I spent whole day googling, and found only some loosely related problems and 
no solution proposed for others worked for me. Does anyone know what can be 
wrong with netfilter / conntrack?

Moreover I found some vague note about possible deadlock if I use bridging 
without netloop. Can someone shed more light on this?

Thanks for all help
Regards
        Vladislav Kurz

P.S. Thanks to xen developers for the good work.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
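The following is an added dry-run helper for the dom0 checks raised in the post above; it is not code from the original message or from the Xen project. It prints the sysctl, modprobe and iptables commands rather than running them (pass "apply" as the first argument to execute them), so the rule changes can be reviewed before they touch a live firewall. The ip_conntrack sysctl names are the ones the post uses; the nf_conntrack names are the equivalents on later kernels, and the PROC_ROOT parameter exists only so the prefix detection can be exercised against a fake directory tree. One caveat worth knowing: ip_conntrack_log_invalid takes an IP protocol number rather than a boolean (1 selects ICMP, 6 TCP, 255 every protocol), so the value 1 from the post logs only invalid ICMP packets; the helper sets 6 so the TCP packets in question are logged. The LOG rules are inserted in front of the existing INVALID DROP rules and rate-limited so the log shows which flows are being classified INVALID and in which chain they arrive.

```shell
#!/bin/sh
# Added example, not from the original post. Emits (or, with "apply", runs)
# the conntrack diagnostics discussed on the list.

# Print the sysctl prefix under which the TCP window-tracking knobs live.
# $1 (optional) is the /proc/sys root; it is a parameter only so the function
# can be tested against a constructed directory tree.
conntrack_sysctl_prefix() {
    proc_root=${1:-/proc/sys}
    if [ -e "$proc_root/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal" ]; then
        # 2.6.18-era ip_conntrack module, as in the post
        echo "net.ipv4.netfilter.ip_conntrack"
    elif [ -e "$proc_root/net/netfilter/nf_conntrack_tcp_be_liberal" ]; then
        # nf_conntrack on later kernels
        echo "net.netfilter.nf_conntrack"
    else
        return 1
    fi
}

# Emit the commands for a given sysctl prefix:
#  1. tolerate out-of-window TCP segments instead of marking them INVALID,
#  2. log the reason a TCP packet is marked INVALID (6 = IPPROTO_TCP),
#  3. load the FTP tracking and NAT helpers needed for passive FTP via DNAT,
#  4. log INVALID packets (rate-limited) in INPUT and FORWARD ahead of the
#     existing DROP rules, so the chain and addresses show up in the log.
conntrack_commands() {
    prefix=$1
    cat <<EOF
sysctl -w ${prefix}_tcp_be_liberal=1
sysctl -w ${prefix}_log_invalid=6
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -I INPUT 1 -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "CT-INVALID-IN: "
iptables -I FORWARD 1 -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "CT-INVALID-FWD: "
EOF
}

# Top level: dry-run by default, execute only when asked explicitly.
prefix=$(conntrack_sysctl_prefix) || prefix=""
if [ -n "$prefix" ]; then
    if [ "${1:-}" = "apply" ]; then
        conntrack_commands "$prefix" | sh -e
    else
        conntrack_commands "$prefix"
    fi
else
    echo "no conntrack sysctls found under /proc/sys; is ip_conntrack loaded?" >&2
fi
```

After applying, `dmesg` will carry the conntrack reasons and the kernel log the CT-INVALID-IN / CT-INVALID-FWD lines; comparing the two shows whether the packets the post describes really arrive in INPUT because the NAT mapping was never applied, or because conntrack dropped the entry first.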
