xen-users

Re: [Xen-users] Problem start iptables - udp broken (Workaround)

To: "Torsten Lehmann" <tlehmann@xxxxxxxxxxxxx>
Subject: Re: [Xen-users] Problem start iptables - udp broken (Workaround)
From: "Abel Martín" <abel.martin.ruiz@xxxxxxxxx>
Date: Wed, 29 Nov 2006 16:37:01 +0100
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 29 Nov 2006 07:37:38 -0800
In-reply-to: <Pine.LNX.4.53.0611291601270.13401@xxxxxxxxxxxxxxxxx>
References: <E4D4F968E9F97F45B21B72BDCAD8E1B803C126F4@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <915136920611280122l588565b2u5845651f0fac3a5e@xxxxxxxxxxxxxx> <Pine.LNX.4.53.0611290729001.13401@xxxxxxxxxxxxxxxxx> <Pine.LNX.4.53.0611291601270.13401@xxxxxxxxxxxxxxxxx>
On 11/29/06, Torsten Lehmann <tlehmann@xxxxxxxxxxxxx> wrote:
On Wed, 29 Nov 2006, Torsten Lehmann wrote:

>
> - If one has a lot of time, one also sees some packets in both
> directions from time to time....
>
> -> UDP packets are not blocked in general.
>
> - Why is the problem only solved after removing the module ip_conntrack?
>
> - to reproduce this problem it is sufficient to run:
>   # modprobe ip_conntrack
>

- Workaround: remove ip_conntrack from the kernel:

# cd xen-3.0-testing/linux-2.6.16-xen0
# find . -name ip_conntrack.ko -exec rm -f {} \; -print
# find /lib/modules/`uname -r` -name ip_conntrack.ko -exec rm -f {} \; -print

l0# diff .config.old .config
...
< CONFIG_IP_NF_CONNTRACK=m
> # CONFIG_IP_NF_CONNTRACK is not set

l0:# make modules modules_install

l0:# /etc/init.d/netfilter start
Applying iptables firewall rules:
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
  - "No chain...": rules which need ip_conntrack

- the following rule set was tested:

  $IPTABLES -i $EXTIF -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
   # -> iptables: No chain/target/match by that name
   #    "--state" requires ip_conntrack

  $IPTABLES -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0  -j domU
  $IPTABLES -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0  -j domU
  $IPTABLES -A domU -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "IN testdomU: "
   # -> iptables: No chain/target/match by that name
   #    "-m physdev" requires ip_conntrack (??)

Did you create the chain named domU with "iptables -N domU"? The
iptables state module won't work without the conntrack module. Please,
don't disable ip_conntrack and don't just copy and paste the rules I
sent. Adapt them to your needs. On my box there's no peth0, only eth0.
This is because of the way the networking scripts configure Xen
networking, which depends on the Xen package one installs.


  $IPTABLES -i peth0 -A INPUT -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "IN testpeth: "
   # -> no match... rule not working

  $IPTABLES -A INPUT -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "IN test: "
   # -> match.... OK


regards Torsten
Launoc



Regards.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
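The thread's LOG rules tag hits with prefixes like "IN testdomU: " and "IN test: ", and the question of whether traffic is seen on eth0 or peth0 comes down to whether a packet went through the Xen bridge (the physdev path) or through dom0's own stack. The kernel LOG target records exactly that: a bridged packet carries PHYSIN=/PHYSOUT= fields next to IN=/OUT=. The following parser is an added example written for this page, not code from the thread or from the Xen project; the log lines it reads are constructed samples in the Linux kernel's LOG format, and the interface names (vif1.0, peth0) and addresses are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the Linux kernel LOG target emits.
# Line 1 is a bridged packet (has PHYSIN/PHYSOUT), lines 2-3 hit dom0's own
# stack, line 4 is unrelated noise that the parser must skip.
SAMPLE_LOG = """\
Nov 29 16:37:01 dom0 kernel: IN testdomU: IN=eth0 OUT=eth0 PHYSIN=vif1.0 PHYSOUT=peth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 29 16:37:02 dom0 kernel: IN test: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:11:22:33:44:55:08:00 SRC=192.0.2.10 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 29 16:37:03 dom0 kernel: IN test: IN=eth0 OUT= SRC=192.0.2.11 DST=10.0.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=UDP SPT=53 DPT=1025 LEN=28
Nov 29 16:37:04 dom0 sshd[123]: Accepted publickey for root
"""

# The --log-prefix text sits between "kernel:" and the first "IN=" field.
# A lazy match keeps the prefix intact even when it contains "IN" itself.
LINE_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*(?P<fields>IN=.*)$")


def parse_log_line(line):
    """Return a dict of fields for one kernel LOG line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip(), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            # UDP/TCP lines repeat LEN= for the transport header; keep the
            # first (IP total length) so the field means the same thing everywhere.
            rec.setdefault(key, val)
        else:
            # DF, SYN, ACK ... are bare flags without a value.
            rec["flags"].append(tok)
    # Only packets that crossed a bridge carry the physdev interfaces.
    rec["bridged"] = bool(rec.get("PHYSIN")) or bool(rec.get("PHYSOUT"))
    return rec


def summarize(text):
    """Count LOG hits per --log-prefix and list the hits that traversed the bridge.

    Returns (Counter of prefix -> hits, list of (prefix, PHYSIN, PHYSOUT, DPT)).
    """
    per_prefix = Counter()
    bridged_hits = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        per_prefix[rec["prefix"]] += 1
        if rec["bridged"]:
            bridged_hits.append(
                (rec["prefix"], rec.get("PHYSIN", ""), rec.get("PHYSOUT", ""), rec.get("DPT"))
            )
    return per_prefix, bridged_hits


if __name__ == "__main__":
    counts, bridged = summarize(SAMPLE_LOG)
    for prefix, n in counts.most_common():
        print(f"{n:4d}  {prefix}")
    for prefix, phys_in, phys_out, dport in bridged:
        print(f"bridged: {prefix} {phys_in} -> {phys_out} dport={dport}")
```

Run against a real /var/log/messages the same way (feed the file contents to summarize); a rule on a chain reached only via -m physdev will show up exclusively with PHYSIN/PHYSOUT set, while a plain INPUT rule on eth0 matches the unbridged lines, which is the eth0-versus-peth0 distinction discussed above.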