[Xen-bugs] [Bug 495] New: Port-forwarding in Dom0 causes corrupt TCP che

To: xen-bugs@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-bugs] [Bug 495] New: Port-forwarding in Dom0 causes corrupt TCP checksums in DomU
From: bugzilla-daemon@xxxxxxxxxxxxxxxxxxx
Date: Fri, 27 Jan 2006 18:53:10 +0000
Delivery-date: Fri, 27 Jan 2006 19:09:28 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
Reply-to: bugs@xxxxxxxxxxxxxxxxxx
Sender: xen-bugs-bounces@xxxxxxxxxxxxxxxxxxx
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=495

           Summary: Port-forwarding in Dom0 causes corrupt TCP checksums in
                    DomU
           Product: Xen
           Version: 3.0.0
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Unspecified
        AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
        ReportedBy: klai@xxxxxx


I encountered a very odd problem which I eventually found a workaround
for, but I wanted to make sure the developers are aware of it. The
basic idea is that I created a NAT-ed domU using the standard
scripts and kernels from the 2.6.12.6-xen3_7.1_fc4 RPM. I can make
outgoing connections from DomU and it is otherwise fine. I then
forwarded an external port to the domU: 

iptables -t nat -A PREROUTING -p tcp --dst 15.4.89.26 --dport 11014 \
  -j DNAT --to 10.202.107.174:22 

15.4.89.26 and 11014 are the external IP address and external port,
respectively, and 10.202.107.174 and 22 are the internal IP address and
port, respectively. I then did

> ssh -p 11014 15.4.89.26

from another machine. This hung. Upon closer inspection, I saw that
DomU was sending some of its TCP packets with a corrupt TCP checksum
(?!):

[root@klai-tycoon ~]# tcpdump -i eth0 -nvvvvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:34:34.202033 IP (tos 0x10, ttl  63, id 1746, offset 0, flags [DF], proto 6,
length: 60) 15.4.89.35.47694 > 10.202.107.174.ssh: S [tcp sum ok]
845312449:845312449(0) win 5840 <mss 1460,sackOK,timestamp 257914643 
0,nop,wscale 2>
17:34:34.225891 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6,
length: 60) 10.202.107.174.ssh > 15.4.89.35.47694: S [tcp sum ok]
3227641594:3227641594(0) ack 845312450 win 5792 <mss 1460,sackOK,timestamp
4294947271 257914643,nop,wscale 2>
17:34:34.202227 IP (tos 0x10, ttl  63, id 1748, offset 0, flags [DF], proto 6,
length: 52) 15.4.89.35.47694 > 10.202.107.174.ssh: . [tcp sum ok] 1:1(0) ack 1
win 1460 <nop,nop,timestamp 257914643 4294947271>
17:34:34.236769 IP (tos 0x0, ttl  64, id 22332, offset 0, flags [DF], proto 6,
length: 72) 10.202.107.174.ssh > 15.4.89.35.47694: P [bad tcp cksum ded9
(->9f8f)!] 1:21(20) ack 1 win 1448 <nop,nop,timestamp 4294947275 257914643>
17:34:34.446430 IP (tos 0x0, ttl  64, id 22334, offset 0, flags [DF], proto 6,
length: 72) 10.202.107.174.ssh > 15.4.89.35.47694: P [bad tcp cksum ded9
(->9f7a)!] 1:21(20) ack 1 win 1448 <nop,nop,timestamp 4294947296 257914643>
17:34:34.866394 IP (tos 0x0, ttl  64, id 22336, offset 0, flags [DF], proto 6,
length: 72) 10.202.107.174.ssh > 15.4.89.35.47694: P [bad tcp cksum ded9
(->9f50)!] 1:21(20) ack 1 win 1448 <nop,nop,timestamp 4294947338 257914643>
17:34:35.706410 IP (tos 0x0, ttl  64, id 22338, offset 0, flags [DF], proto 6,
length: 72) 10.202.107.174.ssh > 15.4.89.35.47694: P [bad tcp cksum ded9
(->9efc)!] 1:21(20) ack 1 win 1448 <nop,nop,timestamp 4294947422 257914643>

This only happens for traffic forwarded through Dom0. I have no idea
why this happens. After much debugging, I found that executing

> iptables -t nat --list

on DomU fixes this problem. In particular, having the iptable_nat
kernel module loaded in DomU causes the correct checksums to be used.
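
Added example, not part of the original report: it recomputes the TCP pseudo-header sum for the four retransmitted packets in the capture above and compares it with the checksum tcpdump saw on the wire. It assumes a 20-byte IP header (no IP options); the function names are hypothetical.

```python
import ipaddress
import re

# The four "bad tcp cksum" packets from the report's tcpdump output, rejoined
# to one packet per line with the leading timestamp/tos/ttl fields trimmed.
CAPTURE = """\
length: 72) 10.202.107.174.ssh > 15.4.89.35.47694: P [bad tcp cksum ded9 (->9f8f)!] 1:21(20) ack 1 win 1448 <nop,nop,timestamp 4294947275 257914643>
length: 72) 10.202.107.174.ssh > 15.4.89.35.47694: P [bad tcp cksum ded9 (->9f7a)!] 1:21(20) ack 1 win 1448 <nop,nop,timestamp 4294947296 257914643>
length: 72) 10.202.107.174.ssh > 15.4.89.35.47694: P [bad tcp cksum ded9 (->9f50)!] 1:21(20) ack 1 win 1448 <nop,nop,timestamp 4294947338 257914643>
length: 72) 10.202.107.174.ssh > 15.4.89.35.47694: P [bad tcp cksum ded9 (->9efc)!] 1:21(20) ack 1 win 1448 <nop,nop,timestamp 4294947422 257914643>
"""

PKT = re.compile(
    r"length: (?P<iplen>\d+)\) (?P<src>\d+\.\d+\.\d+\.\d+)\.\S+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: .*?bad tcp cksum (?P<got>[0-9a-f]{4}) "
    r"\(->(?P<want>[0-9a-f]{4})\).*?timestamp (?P<tsval>\d+)")

def fold(total):
    """Fold carries back into 16 bits (ones'-complement addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header_sum(src, dst, tcp_len, proto=6):
    """Un-complemented sum over the TCP pseudo-header only (no TCP bytes)."""
    total = proto + tcp_len
    for addr in (src, dst):
        value = int(ipaddress.IPv4Address(addr))
        total += (value >> 16) + (value & 0xFFFF)
    return fold(total)

def analyse(capture, ip_header_len=20):
    """Return (on-wire cksum, pseudo-header sum, expected cksum, TSval) per packet."""
    rows = []
    for m in PKT.finditer(capture):
        tcp_len = int(m["iplen"]) - ip_header_len  # assumption: no IP options
        rows.append((int(m["got"], 16),
                     pseudo_header_sum(m["src"], m["dst"], tcp_len),
                     int(m["want"], 16), int(m["tsval"])))
    return rows

if __name__ == "__main__":
    for got, pseudo, want, tsval in analyse(CAPTURE):
        print(f"on-wire {got:04x}  pseudo-header sum {pseudo:04x}  "
              f"expected {want:04x}  TSval {tsval}")
```

For every packet the on-wire value ded9 equals the pseudo-header sum, while the expected checksum moves only with the TCP timestamp, so the segment itself was never summed. That is the value a stack leaves in the field when the full checksum is to be completed at a later stage (checksum offload); this reading is an inference from the capture, not something the report states.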
