Olivier Le Cam
2006-Dec-04 17:44 UTC
[Xen-users] conntrack not working as soon as network-bridge is renamed?
Hi -

Since I have upgraded from xen 3.0.2 to 3.0.3, I cannot get conntrack working on dom0 as soon as network-bridge is not named "xenbr0". Conntrack and everything related to netfilter are built into the kernel (not as modules). Netfilter seems to work fine from any domU.

In xend-config.sxp I have the following:

(network-script 'network-bridge bridge=xenbrE')
(vif-script vif-bridge)
(dom0-min-mem 128)
(dom0-cpus 0)

I have a very basic firewall script setup on dom0:

iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I have observed that:
- ping from dom0 to the rest of the world doesn't work: the icmp-reply frames are dropped somewhere...
- ssh from the rest of the world to the dom0 does not work.

But:
- if I add an "--icmp-type echo-reply" ACCEPT iptables rule, I can ping anywhere from the dom0.
- if I remove "-m state --state NEW" from the SSH rule, then I can connect to the SSH server of the dom0.
- if I do not rename xenbr0 into xenbrD in xend-config.sxp, then everything is working fine again.

I wonder why this setup was OK with Xen 3.0.2, which I have used for months before, and not anymore with v3.0.3.

Any idea?

Kind regards,
--
Olivier Le Cam
Département des Technologies de l'Information et de la Communication
CRDP de l'académie de Versailles

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
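A way to confirm that it is the state match failing on the renamed bridge, added here as an example and not part of the post: it assumes a final `iptables -A INPUT -j LOG --log-prefix "INPUT-DROP: "` rule was appended after the rules above, and the kernel log lines it parses are constructed. Dropped ICMP echo-replies and SYNs to port 22 on the bridge interface are exactly the packets that a working conntrack would have matched as ESTABLISHED or NEW.

```python
import re
from collections import Counter

# Constructed kernel log lines in the iptables LOG target format (MAC= field
# omitted for brevity), as produced by an assumed last INPUT rule:
#   iptables -A INPUT -j LOG --log-prefix "INPUT-DROP: "
SAMPLE_LOG = """\
Dec  4 17:40:01 dom0 kernel: INPUT-DROP: IN=xenbrE OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=4242 SEQ=1
Dec  4 17:40:02 dom0 kernel: INPUT-DROP: IN=xenbrE OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=4242 SEQ=2
Dec  4 17:40:05 dom0 kernel: INPUT-DROP: IN=xenbrE OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF PROTO=TCP SPT=41000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  4 17:40:09 dom0 kernel: INPUT-DROP: IN=xenbrE OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=3 PROTO=TCP SPT=1 DPT=139 WINDOW=0 RES=0x00 SYN URGP=0
"""

KV = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreach", 8: "echo-request", 11: "time-exceeded"}

def parse_log_line(line):
    """Return the key=value fields of one LOG line as a dict, or None if it is not one."""
    if " IN=" not in line:
        return None
    fields = dict(KV.findall(line))
    # TCP flags are bare tokens (SYN, ACK, ...) rather than key=value pairs.
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields

def classify(f):
    """Short description of the dropped packet: protocol plus ICMP type or TCP flags/port."""
    proto = f.get("PROTO")
    if proto == "ICMP":
        return "icmp " + ICMP_TYPES.get(int(f.get("TYPE", -1)), "type-" + f.get("TYPE", "?"))
    if proto == "TCP":
        return "tcp %s dport %s" % ("+".join(sorted(f["FLAGS"])) or "none", f.get("DPT"))
    return (proto or "?").lower()

def summarize_drops(text):
    """Count dropped packets per (input interface, packet class) over all LOG lines."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f:
            counts[(f.get("IN") or "-", classify(f))] += 1
    return counts

def state_match_failures(counts):
    """Drops that the ESTABLISHED,RELATED or NEW rules above should have accepted."""
    return {k: n for k, n in counts.items()
            if k[1] in ("icmp echo-reply", "tcp SYN dport 22")}
```

The port 139 SYN is a control: it is dropped by policy and is not reported, so only drops that implicate the state table appear.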