Re: [Xen-users] dom0 can see connections from domU-s

To:	"Fajar A. Nugraha" <fajar@xxxxxxxxx>
Subject:	Re: [Xen-users] dom0 can see connections from domU-s
From:	Deyan Chepishev <dchepishev@xxxxxxxxx>
Date:	Tue, 25 Aug 2009 08:40:14 +0300
Cc:	xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date:	Mon, 24 Aug 2009 22:41:33 -0700
Dkim-signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=cEvXzc56QO/PDdCnqsieUW7FgKaQCsUsCBqwWW1cZwQ=; b=w7PKRohGAZfHoMZi6FQOKE0Eb/+oHxLrjhNVS/Nz1zQhIiCSyTy5RCpTBPxB05UwSl MzyXbGKgRd5tDOImt08Fy8a8klPzfsbHK4i+AE9+PLCVqvsbIK1A2C8BNRG4YlnL4BAr 24Hm52mrHbYZZhc9eole7KQPxYVC0yVKSYGWo=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=MeNXwa/TDAmdmCCusZ22+Tf4yU8aMRaQRWIrZcNpPsby+wgUjsmDZTsngfQBOg1B4e Edc8BDFZ4pFEs5E39ct0OIUPB5BCHaBVMR8udS+SNF9AvRFxvOkZiIvAT0VfoK3jqr9b Udix+NrQdk0GNU2nJXrfgDUJ3PTozZDLpDYeE=
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<7207d96f0908241959y505066b3iee994491898f6028@xxxxxxxxxxxxxx>
List-help:	<mailto:xen-users-request@lists.xensource.com?subject=help>
List-id:	Xen user discussion <xen-users.lists.xensource.com>
List-post:	<mailto:xen-users@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References:	<4A9318D3.9010106@xxxxxxxxx> <7207d96f0908241959y505066b3iee994491898f6028@xxxxxxxxxxxxxx>
Sender:	xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent:	Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.22) Gecko/20090710 Fedora/1.1.17-1.fc11 SeaMonkey/1.1.17

Fajar A. Nugraha wrote:

On Tue, Aug 25, 2009 at 5:48 AM, Deyan Chepishev<dchepishev@xxxxxxxxx> wrote:

Hello,

I have a little problem.

I can see all the guest (domU) connections in dom0's /proc/net/ip_conntrack.
As you can imagine the conntrack table starts to get filled when lots of
connections are made on domU machines. Is there a way to stop this behavior?

What is the value of /proc/sys/net/bridge/bridge-nf-call-iptables ?

The value is:
cat /proc/sys/net/bridge/bridge-nf-call-iptables
1

It looks like changing it ot 0 fixes my problems. The number of rows isgoing down.

Thank you


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

WARNING - OLD ARCHIVES

xen-users

Re: [Xen-users] dom0 can see connections from domU-s