* Networking issue with "conntracking" after upgrade Xen 3.2 > 4.0
@ 2010-12-17 15:48 Olivier Hanesse
  2010-12-17 16:00 ` Fajar A. Nugraha
  2010-12-17 16:14 ` Keir Fraser
  0 siblings, 2 replies; 5+ messages in thread
From: Olivier Hanesse @ 2010-12-17 15:48 UTC
  To: xen-devel


Hi,

I recently upgraded a debian xen 3.2 system to xen 4.
Then I started to see some strange kernel logs: "nf_conntrack: table full,
dropping packet."

I was pretty sure I had not enabled conntracking in my dom0.
I found out that it was revision "19540" of the "vif-common.sh" script
that loads the nf_conntrack module.

So now my dom0 logs every connection my domUs are making. With a few domUs, I
am reaching the limit of the conntrack table very quickly.
On Debian the default "net.netfilter.nf_conntrack_max" is set to "16400".
I set it to "65536" to temporarily resolve my network issue, but that's not the
point.

Is it possible to add an option to the xend-config.sxp configuration file,
something like (handle_iptable yes/no), to choose whether to handle iptables
or not?

Moreover, on Debian for example, the FORWARD policy is set to ACCEPT by
default. So adding these rules is useless BUT they load some
modules, which can lead to a network issue :(

Regards

Olivier


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
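
An added example, not part of the thread and not Xen's vif-common.sh, showing the two checks a dom0 admin would run on seeing this log line: how full the conntrack table is (nf_conntrack_count against nf_conntrack_max), and how many iptables rules carry a state or conntrack match, since a rule of that kind is what loads nf_conntrack as a side effect. The iptables-save excerpt is constructed in the style of per-vif FORWARD rules, the 80% warning threshold is an arbitrary choice, and the /proc paths used by --live are assumptions about the running kernel.

```shell
#!/bin/sh
# Added example, not from the thread or from Xen's vif-common.sh.
# Two checks for a dom0 that logs "nf_conntrack: table full, dropping packet":
#   1. how full the conntrack table is (nf_conntrack_count vs nf_conntrack_max)
#   2. how many iptables rules carry a state/conntrack match, since loading
#      such a rule is what pulls the nf_conntrack module in
# The sample rules, the 80% threshold and the /proc paths are assumptions.

# conntrack_pct COUNT MAX -> integer percentage of the table in use (-1 if MAX is 0)
conntrack_pct() {
    awk -v c="$1" -v m="$2" 'BEGIN {
        if (m <= 0) { print -1; exit }
        printf "%d\n", (c * 100) / m
    }'
}

# table_verdict COUNT MAX -> ok | near-full | full
table_verdict() {
    if [ "$1" -ge "$2" ]; then
        echo full
    elif [ "$(conntrack_pct "$1" "$2")" -ge "${WARN_PCT:-80}" ]; then
        echo near-full
    else
        echo ok
    fi
}

# conntrack_rules  (reads iptables-save output on stdin)
# -> number of rules with "-m state" or "-m conntrack"; any such rule loads nf_conntrack
conntrack_rules() {
    grep -cE -- '-m (state|conntrack)( |$)' || true   # grep -c exits 1 on zero matches
}

# Constructed iptables-save excerpt, written in the style of the per-vif
# FORWARD rules a vif script adds; not copied from the real vif-common.sh.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m physdev --physdev-is-bridged --physdev-in vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-out vif1.0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-in vif2.0 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-out vif2.0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# live_check: the same checks against the running dom0 (needs root for iptables-save)
live_check() {
    d=/proc/sys/net/netfilter
    if [ ! -r "$d/nf_conntrack_count" ]; then
        echo "nf_conntrack is not loaded: nothing is being tracked"
        return 0
    fi
    c=$(cat "$d/nf_conntrack_count")
    m=$(cat "$d/nf_conntrack_max")
    echo "conntrack table: $c/$m entries, $(conntrack_pct "$c" "$m")% used ($(table_verdict "$c" "$m"))"
    echo "iptables rules with a state/conntrack match: $(iptables-save 2>/dev/null | conntrack_rules)"
    b=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$b" ]; then
        echo "bridge-nf-call-iptables=$(cat "$b")  (1: bridged domU traffic also traverses iptables and gets tracked)"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    # Demo on the constructed data; run with --live on a real dom0.
    echo "sample rules with a state/conntrack match: $(printf '%s\n' "$SAMPLE_RULES" | conntrack_rules)"
    for c in 1000 16000 16400; do
        echo "count=$c max=16400 -> $(conntrack_pct "$c" 16400)% used, $(table_verdict "$c" 16400)"
    done
fi
```

Raising nf_conntrack_max, as the post does, only buys headroom; the rule count is the more useful number, because as long as it is non-zero the module stays loaded and every flow that traverses the hooks costs an entry.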


* Re: Networking issue with "conntracking" after upgrade Xen 3.2 > 4.0
  2010-12-17 15:48 Networking issue with "conntracking" after upgrade Xen 3.2 > 4.0 Olivier Hanesse
@ 2010-12-17 16:00 ` Fajar A. Nugraha
  2010-12-17 16:14 ` Keir Fraser
  1 sibling, 0 replies; 5+ messages in thread
From: Fajar A. Nugraha @ 2010-12-17 16:00 UTC
  To: Olivier Hanesse; +Cc: xen-devel

On Fri, Dec 17, 2010 at 10:48 PM, Olivier Hanesse
<olivier.hanesse@gmail.com> wrote:
> Hi,
>
> I recently upgraded a debian xen 3.2 system to xen 4.
> Then I started to see some strange kernel logs: "nf_conntrack: table full,
> dropping packet."

Are you using bridged networking? If yes, see
http://lists.xensource.com/archives/html/xen-users/2009-08/msg00614.html

-- 
Fajar


* Re: Networking issue with "conntracking" after upgrade Xen 3.2 > 4.0
  2010-12-17 15:48 Networking issue with "conntracking" after upgrade Xen 3.2 > 4.0 Olivier Hanesse
  2010-12-17 16:00 ` Fajar A. Nugraha
@ 2010-12-17 16:14 ` Keir Fraser
  2010-12-17 16:30   ` Olivier Hanesse
  1 sibling, 1 reply; 5+ messages in thread
From: Keir Fraser @ 2010-12-17 16:14 UTC
  To: Olivier Hanesse, xen-devel

iptables stuff has been there a while, even in Xen 3.2. The difference is a
new rule that requires conntrack to be loaded and used. I think the best
thing is to remove that requirement and be more permissive about what can be
sent to the domU. After all the domU can run its own firewall if it cares.

I have fixed this as xen-unstable:22573 and xen-4.0-testing:21415.

 Thanks,
 Keir


* Re: Networking issue with "conntracking" after upgrade Xen 3.2 > 4.0
  2010-12-17 16:14 ` Keir Fraser
@ 2010-12-17 16:30   ` Olivier Hanesse
  2010-12-19 23:32     ` Fajar A. Nugraha
  0 siblings, 1 reply; 5+ messages in thread
From: Olivier Hanesse @ 2010-12-17 16:30 UTC
  To: Keir Fraser; +Cc: xen-devel


Thanks Keir.

Fajar: I think this option just disables iptables rules on bridged traffic
(PREROUTING, FORWARD and POSTROUTING chains).
But as soon as the conntrack module is loaded, it starts to "track" network
traffic. And this module is loaded as soon as you add 'state' rules on
iptables.


* Re: Networking issue with "conntracking" after upgrade Xen 3.2 > 4.0
  2010-12-17 16:30   ` Olivier Hanesse
@ 2010-12-19 23:32     ` Fajar A. Nugraha
  0 siblings, 0 replies; 5+ messages in thread
From: Fajar A. Nugraha @ 2010-12-19 23:32 UTC
  To: Olivier Hanesse; +Cc: xen-devel

On Fri, Dec 17, 2010 at 11:30 PM, Olivier Hanesse
<olivier.hanesse@gmail.com> wrote:
> Thanks Keir.
>
> Fajar: I think this option just disables iptables rules on bridged traffic
> (PREROUTING, FORWARD and POSTROUTING chains).
> But as soon as the conntrack module is loaded, it starts to "track" network
> traffic. And this module is loaded as soon as you add 'state' rules on
> iptables.

True. But if you're using bridged setup, with the change it only
tracks dom0's traffic, not domU. Since you mentioned you see the
effect when you increase the number of domUs, this could be a quick
fix.

-- 
Fajar
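
An added example, not from the thread, for the question that follows from the exchange above: once nf_conntrack is loaded, whose flows are in the table. Counting /proc/net/nf_conntrack entries by original-direction source address tells a bridged dom0 apart from its domUs; if keeping iptables off bridged traffic works as Fajar describes, the domU addresses should drop out of the list and only dom0's own connections remain. The sample entries and every address in them are constructed; the /proc path is the standard one but is absent while the module is not loaded.

```shell
#!/bin/sh
# Added example, not from the thread. Once nf_conntrack is loaded in dom0,
# see whose flows fill the table: count /proc/net/nf_conntrack entries by
# original-direction source address and by protocol. On a bridged dom0 with
# bridge-nf-call-iptables=1 the domU addresses show up here; with it set to 0
# only dom0's own connections should remain.
# The sample entries and all addresses below are constructed.

# top_conntrack_sources [N]  (reads /proc/net/nf_conntrack on stdin)
# -> "COUNT IP" lines, busiest first, at most N (default 10)
top_conntrack_sources() {
    awk '{
        # the first src= field on a line is the original direction of the flow
        for (i = 1; i <= NF; i++)
            if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break }
    }
    END { for (ip in n) print n[ip], ip }' |
    sort -rn -k1,1 | head -n "${1:-10}"
}

# conntrack_by_proto  (reads /proc/net/nf_conntrack or the older
# /proc/net/ip_conntrack on stdin) -> "COUNT PROTO" lines, busiest first
conntrack_by_proto() {
    awk '{
        # nf_conntrack lines start "ipv4 2 tcp 6 ..."; ip_conntrack lines start "tcp 6 ..."
        p = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1
        n[p]++
    }
    END { for (p in n) print n[p], p }' | sort -rn -k1,1
}

# Constructed sample in /proc/net/nf_conntrack layout: three flows from one
# domU (192.168.10.21), one from another (192.168.10.22), and one of dom0's
# own outbound connections (192.168.10.1).
SAMPLE='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.10.21 dst=203.0.113.5 sport=52110 dport=443 src=203.0.113.5 dst=192.168.10.21 sport=443 dport=52110 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.168.10.21 dst=203.0.113.9 sport=52111 dport=80 [UNREPLIED] src=203.0.113.9 dst=192.168.10.21 sport=80 dport=52111 mark=0 use=2
ipv4     2 udp      17 29 src=192.168.10.21 dst=192.168.10.1 sport=40113 dport=53 src=192.168.10.1 dst=192.168.10.21 sport=53 dport=40113 mark=0 use=2
ipv4     2 udp      17 29 src=192.168.10.22 dst=192.168.10.1 sport=40114 dport=53 src=192.168.10.1 dst=192.168.10.22 sport=53 dport=40114 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.10.1 dst=203.0.113.20 sport=38001 dport=80 src=203.0.113.20 dst=192.168.10.1 sport=80 dport=38001 [ASSURED] mark=0 use=2'

if [ "${1:-}" = "--live" ] && [ -r /proc/net/nf_conntrack ]; then
    echo "busiest sources:";  top_conntrack_sources 5 < /proc/net/nf_conntrack
    echo "by protocol:";      conntrack_by_proto     < /proc/net/nf_conntrack
else
    # Demo on the constructed sample; run with --live (as root) on a real dom0.
    echo "busiest sources (sample):"; printf '%s\n' "$SAMPLE" | top_conntrack_sources 5
    echo "by protocol (sample):";     printf '%s\n' "$SAMPLE" | conntrack_by_proto
fi
```

Run it before and after changing bridge-nf-call-iptables (or after applying Keir's fix to the vif script): if the domU addresses vanish from the top of the list, the bridged traffic is no longer being tracked and the table will stop growing with the number of guests.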
