Hello,

I have a little problem.

I can see all the guest (domU) connections in dom0's /proc/net/ip_conntrack. As you can imagine the conntrack table starts to get filled when lots of connections are made on domU machines. Is there a way to stop this behavior?

My config is:
OS: CentOS 5.3
XEN: xen-3.3.1-0 manually compiled from gitco's SRPMS
Kernel: 2.6.18-128.4.1.el5xen on both dom0 and domU

I have had exactly the same problem before, but it disappeared after I manually compiled kernel 2.6.18 with xen patches. However I need a more up to date kernel now and want to use the xen kernel from CentOS.

I need help if someone knows how I can prevent this from happening.

Thank you

Regards,
Deian

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Fajar A. Nugraha
2009-Aug-25 02:59 UTC
Re: [Xen-users] dom0 can see connections from domU-s
On Tue, Aug 25, 2009 at 5:48 AM, Deyan Chepishev <dchepishev@gmail.com> wrote:
> Hello,
>
> I have a little problem.
>
> I can see all the guest (domU) connections in dom0's /proc/net/ip_conntrack.
> As you can imagine the conntrack table starts to get filled when lots of
> connections are made on domU machines. Is there a way to stop this behavior?

What is the value of /proc/sys/net/bridge/bridge-nf-call-iptables ?

-- 
Fajar
Thiago Camargo Martins Cordeiro
2009-Aug-25 03:01 UTC
Re: [Xen-users] dom0 can see connections from domU-s
Hi!

Who knows who can fix this in Linux? Linus!?

I do the weirdest solution for this annoying problem:

    iptables -t nat -F
    # dependent modules first, so one rmmod pass can unload the whole chain
    rmmod ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack
    # to make sure:
    rmmod ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack

I have this problem at my Linux border gateway; it cannot even have the NAT module loaded. Even with no NAT rules, the kernel drops a lot of packets on a busy network, saying that the NAT conntrack table is full... I hate it! :-P

Do the BSD systems suffer from this evil behavior too?

I never sent a mail to Linus before, but this can be a good time to do so.

I say this because I believe that Linux should not drop network packets only by loading some module.

...or simply we do not know how to adjust it!

I confess that today this is the only issue that I have with Linux.

Cheers!
Thiago

2009/8/24 Deyan Chepishev <dchepishev@gmail.com>
> Hello,
>
> I have a little problem.
>
> I can see all the guest (domU) connections in dom0's
> /proc/net/ip_conntrack. As you can imagine the conntrack table starts to get
> filled when lots of connections are made on domU machines. Is there a way to
> stop this behavior?
>
> My config is:
> OS: Centos 5.3
> XEN: xen-3.3.1-0 manually compiled from gitco's SRPMS
> Kernel: 2.6.18-128.4.1.el5xen on bot dom0 and domU
>
> I have had exactly the same problem before, but it disappeared after I
> manually compiled kernel 2.6.18 with xen patches. However I need an more up
> to date kernel now and want to use xen kernel from centos.
>
> I need help if someone know how can I prevent this from happening.
>
> Thank you
>
> Regards,
> Deian
Fajar A. Nugraha
2009-Aug-25 03:13 UTC
Re: [Xen-users] dom0 can see connections from domU-s
On Tue, Aug 25, 2009 at 10:01 AM, Thiago Camargo Martins Cordeiro <thiagocmartinsc@gmail.com> wrote:
> I have this problem at my Linux border gateway, it can not even have the
> NAT module loaded, even if with no NAT rules, the Kernel drops a lot of
> packages on a busy network, saying that the NAT conntrack table is full... I
> hate it! :-P

Is it a dom0? Or is it simply a Linux router, in which case this is not directly Xen-related?

> The BSDs systems suffer from this evil behavior too?
>
> I never sent a mail to Linus before but, this can be a good time to do so.
>
> I say this because I believe that Linux should not drop network packets
> only by loading some module.
>
> ...or simply we do not know how to adjust it!

What's the value of /proc/sys/net/ipv4/ip_conntrack_max ?
It's 65536 by default on RHEL, and should be adjustable using something like

    echo 655360 > /proc/sys/net/ipv4/ip_conntrack_max

If you're feeling brave, you can adjust some timeouts (/proc/sys/net/ipv4/netfilter/ip_conntrack*timeout*) to have dead connections dropped sooner, thus reducing overall connection count.

-- 
Fajar
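Fajar's numbers above (a 65536-entry default, raised by writing to ip_conntrack_max, and the timeouts under /proc/sys/net/ipv4/netfilter/) are what Thiago's "table full" drops come down to: the table is a fixed-size hash, and once it is full new flows are dropped rather than tracked. The shell script below is an added example, not code from the thread or from Xen. It takes the ip_conntrack dump and the ip_conntrack_max file as path arguments (so it can be run against the constructed sample it writes itself, without root or a Xen host), reports how full the table is and which TCP states dominate, and prints the sysctl.conf lines for the tuning Fajar describes. The 80% threshold, the sample flows and the specific replacement timeout values are assumptions; the sysctl keys, the RHEL 5 default of 65536 and the kernel's default timeouts quoted in the comments are real.

```shell
#!/bin/sh
# Added example, not code from the thread. Measures conntrack table usage and
# prints the tuning Fajar describes. File paths are parameters so the
# functions can run against the constructed sample written below.

# Default locations on the RHEL 5 / CentOS 5 ip_conntrack kernel.
CONNTRACK_TABLE=/proc/net/ip_conntrack
CONNTRACK_MAX=/proc/sys/net/ipv4/ip_conntrack_max

# Number of tracked flows: one line per entry in the dump.
conntrack_count() {
    wc -l < "${1:-$CONNTRACK_TABLE}" | tr -d ' '
}

# Current ip_conntrack_max, or the RHEL default if the file is unreadable.
conntrack_max() {
    f="${1:-$CONNTRACK_MAX}"
    if [ -r "$f" ]; then cat "$f"; else echo 65536; fi
}

# Table usage as an integer percentage (count * 100 / max).
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# True (exit 0) when usage is at or above the threshold percent (default 80,
# an assumed alerting level).
conntrack_is_near_full() {
    [ "$(conntrack_usage_pct "$1" "$2")" -ge "${3:-80}" ]
}

# Per-state breakdown of the TCP entries ("STATE count", sorted). This shows
# whether the table holds live flows or TIME_WAIT/SYN_RECV leftovers that
# shorter timeouts would clear. Column 4 is the state on tcp lines.
conntrack_tcp_states() {
    awk '$1 == "tcp" { n[$4]++ } END { for (s in n) print s, n[s] }' \
        "${1:-$CONNTRACK_TABLE}" | sort
}

# sysctl.conf lines for the tuning Fajar describes. The new sizes and
# timeouts are example values (assumption), not a recommendation from the thread.
conntrack_tuning_sysctl() {
    cat <<'EOF'
# raise the table from the RHEL default of 65536; each entry costs kernel memory
net.ipv4.ip_conntrack_max = 655360
# idle established flows: kernel default 432000 s (5 days), cut to 1 hour
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 3600
# half-open and closing flows: kernel defaults 60 s and 120 s
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 30
EOF
}

# Constructed sample in the /proc/net/ip_conntrack layout of this kernel,
# written to $1 so everything above can be exercised without root.
write_sample_conntrack() {
    cat > "$1" <<'EOF'
tcp      6 431998 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=41234 dport=80 packets=7 bytes=1021 src=192.0.2.10 dst=10.0.0.5 sport=80 dport=41234 packets=6 bytes=4811 [ASSURED] use=1
tcp      6 431990 ESTABLISHED src=10.0.0.6 dst=192.0.2.11 sport=41235 dport=443 packets=9 bytes=2200 src=192.0.2.11 dst=10.0.0.6 sport=443 dport=41235 packets=8 bytes=9000 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.0.0.5 dst=192.0.2.12 sport=41236 dport=80 packets=5 bytes=800 src=192.0.2.12 dst=10.0.0.5 sport=80 dport=41236 packets=4 bytes=3000 [ASSURED] use=1
tcp      6 42 SYN_RECV src=198.51.100.7 dst=10.0.0.5 sport=51000 dport=22 packets=1 bytes=60 [UNREPLIED] src=10.0.0.5 dst=198.51.100.7 sport=22 dport=51000 packets=0 bytes=0 use=1
udp      17 28 src=10.0.0.5 dst=10.0.0.1 sport=40000 dport=53 packets=1 bytes=70 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=40000 packets=1 bytes=200 use=1
EOF
}

# One-shot report for a dump ($1) and a max file ($2); exits 1 when near full,
# so it can drive a cron or monitoring check.
conntrack_report() {
    count=$(conntrack_count "$1")
    max=$(conntrack_max "$2")
    echo "conntrack: $count of $max entries ($(conntrack_usage_pct "$count" "$max")%)"
    conntrack_tcp_states "$1"
    conntrack_is_near_full "$count" "$max" && { echo "WARNING: conntrack table near full"; return 1; }
    return 0
}
```

On a real dom0 run `conntrack_report` with no arguments to read the live /proc files; the state breakdown is the part worth looking at before raising the limit, because a table dominated by TIME_WAIT or unreplied SYN_RECV entries is cured by the timeouts, not by more memory.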
Thiago Camargo Martins Cordeiro
2009-Aug-25 03:26 UTC
Re: [Xen-users] dom0 can see connections from domU-s
2009/8/25 Fajar A. Nugraha <fajar@fajar.net>
> On Tue, Aug 25, 2009 at 10:01 AM, Thiago Camargo Martins
> Cordeiro <thiagocmartinsc@gmail.com> wrote:
> > I have this problem at my Linux border gateway, it can not even have the
> > NAT module loaded, even if with no NAT rules, the Kernel drops a lot of
> > packages on a busy network, saying that the NAT conntrack table is
> > full... I hate it! :-P
>
> Is it a dom0? Or is it simply a Linux router, in which case this is
> not directly Xen-related?

It is a PV domU Linux router... on a dom0 with other router/firewall domUs... But even with bare Linux, I see the same behavior...

> > The BSDs systems suffer from this evil behavior too?
> >
> > I never sent a mail to Linus before but, this can be a good time to do
> > so.
> >
> > I say this because I believe that Linux should not drop network packets
> > only by loading some module.
> >
> > ...or simply we do not know how to adjust it!
>
> What's the value of /proc/sys/net/ipv4/ip_conntrack_max ?
> It's 65536 by default on RHEL, and should be adjustable using something
> like
> echo 655360 > /proc/sys/net/ipv4/ip_conntrack_max
>
> If you're feeling brave, you can adjust some timeouts
> (/proc/sys/net/ipv4/netfilter/ip_conntrack*timeout*) to have dead
> connections dropped sooner, thus reducing overall connection count.

Sounds pretty easy!! I'll try it...

> --
> Fajar

- Thiago
Deyan Chepishev
2009-Aug-25 05:40 UTC
Re: [Xen-users] dom0 can see connections from domU-s
Fajar A. Nugraha wrote:
> On Tue, Aug 25, 2009 at 5:48 AM, Deyan Chepishev <dchepishev@gmail.com> wrote:
>
>> Hello,
>>
>> I have a little problem.
>>
>> I can see all the guest (domU) connections in dom0's /proc/net/ip_conntrack.
>> As you can imagine the conntrack table starts to get filled when lots of
>> connections are made on domU machines. Is there a way to stop this behavior?
>
> What is the value of /proc/sys/net/bridge/bridge-nf-call-iptables ?

The value is:

    cat /proc/sys/net/bridge/bridge-nf-call-iptables
    1

It looks like changing it to 0 fixes my problems. The number of rows is going down.

Thank you
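bridge-nf-call-iptables=1 is what hands bridged domU frames to dom0's iptables, and therefore to its conntrack table, in the first place; setting it to 0 empties the table for exactly that reason. The same switch also means that any dom0 rule which relied on seeing bridged traffic, in particular FORWARD-chain and physdev-match rules such as the per-vif antispoofing rules the Xen vif-bridge script installs, silently stops matching, so guest filtering has to move to the guest or to ebtables. The shell script below is an added example, not code from the thread or from Xen: it reads the setting, lists the rules in an iptables-save dump that would go dead, applies and persists the change, and exercises itself on a constructed dump. The sample rules, addresses and file-path arguments are assumptions; the sysctl keys and the /proc path are the real ones.

```shell
#!/bin/sh
# Added example, not code from the thread. Inspect and change
# bridge-nf-call-iptables, and show which dom0 iptables rules depend on it.

BRIDGE_NF=/proc/sys/net/bridge/bridge-nf-call-iptables

# Current value, or "absent" if the bridge module (and so the file) is not loaded.
# $1 overrides the path so the check can be run against a copy.
bridge_nf_call_iptables() {
    f="${1:-$BRIDGE_NF}"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# What the value means for the question in the thread.
explain_bridge_nf() {
    case "$1" in
        1) echo "bridged domU traffic passes through dom0 iptables and fills its conntrack table" ;;
        0) echo "bridged domU traffic bypasses dom0 iptables; FORWARD and physdev rules no longer see it" ;;
        absent) echo "bridge module not loaded; nothing to set yet" ;;
        *) echo "unexpected value: $1" >&2; return 1 ;;
    esac
}

# Rules in an iptables-save dump ($1) that only match because bridged frames
# are handed to iptables: the FORWARD chain of any table, and any physdev
# match. These are the rules that go dead after switching to 0, so audit the
# list before you switch.
rules_affected_by_bridge_nf() {
    awk '$1 == "-A" && ($2 == "FORWARD" || / -m physdev /) { print }' "$1"
}

# Runtime change (needs root on a real host; $1 lets the test use a temp file).
disable_bridge_nf() {
    echo 0 > "${1:-$BRIDGE_NF}"
}

# Lines to persist in /etc/sysctl.conf. Caveat: on CentOS 5 sysctl -p runs
# from rc.sysinit, before the Xen network script loads the bridge module, so
# these keys are typically reported as unknown at boot; re-apply them from
# the network-bridge script or rc.local after the bridge exists.
bridge_nf_sysctl_lines() {
    printf '%s\n' \
        'net.bridge.bridge-nf-call-iptables = 0' \
        'net.bridge.bridge-nf-call-ip6tables = 0' \
        'net.bridge.bridge-nf-call-arptables = 0'
}

# Constructed iptables-save dump written to $1. The physdev rules are of the
# shape the Xen vif-bridge script installs per vif; addresses are made up.
write_sample_iptables_save() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif1.0 -s 10.0.0.5 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif1.0 -j DROP
-A FORWARD -d 10.0.0.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
```

On a live dom0, `iptables-save > /tmp/rules && rules_affected_by_bridge_nf /tmp/rules` before `disable_bridge_nf` tells you what enforcement you are giving up; an empty list means the change only costs the conntrack bookkeeping Deyan wanted rid of.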