Hi @all,

I've got a running xen host with "nothing" inside dom0 and some domU

1. domU: firewall and router (external and internal interface)
2. domU: webserver with bind (internal interface)
3. domU: mailserver (internal interface)

if I start a query at the domU bind from the inside of the network it works,
if I start the same query from the outside of the network then it fails.
I'm sure that the firewall allowed this query, I'm using the same iptables rules which worked on the 3 different real boxes.

Does anybody know this problem?

Thanks a lot
Daniel

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Tuesday 14 March 2006 09:28, Daniel Bauer wrote:
> Hi @all,
>
> I've got a running xen host with "nothing" inside dom0 and some domU
>
> 1. domU: firewall and router (external and internal interface)
> 2. domU: webserver with bind (internal interface)
> 3. domU: mailserver (internal interface)
>
> if I start a query at the domU bind from the inside of the network it
> works,
> if I start the same query from the outside of the network then it fails.
> I'm sure that the firewall allowed this query, I'm using the same
> iptables rules which worked on the 3 different real boxes.
>
> Does anybody know this problem?

I had problems with bind in domU until I arranged for the following to be executed in the domU when interface 'eth0' was brought up:

ethtool -K eth0 tx off

Before I applied that change, tcpdump showed that UDP packets from the domU had invalid checksums.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Tue, Mar 14 '06 at 18:28, Daniel Bauer wrote:
> if I start a query at the domU bind from the inside of the network it
> works, if I start the same query from the outside of the network then
> it fails.

ethtool -K eth0 tx off

on all interfaces DomU and Dom0. For the firewall eth1, too.

--
Goetz Bock (c) 2006 as blacknet.de - Munich - Germany
/"\ IT Consultant Creative Commons secure mobile Linux everNETting
\ / X ASCII Ribbon Campaign against HTML email & microsoft attachments
/ \
From: "Tom Eastep" <teastep@shorewall.net>
> On Tuesday 14 March 2006 09:28, Daniel Bauer wrote:
>> I've got a running xen host with "nothing" inside dom0 and some domU
>>
>> 1. domU: firewall and router (external and internal interface)
>> 2. domU: webserver with bind (internal interface)
>> 3. domU: mailserver (internal interface)
>>
>> if I start a query at the domU bind from the inside of the network it
>> works,
>> if I start the same query from the outside of the network then it
>> fails.
>> I'm sure that the firewall allowed this query, I'm using the same
>> iptables rules which worked on the 3 different real boxes.
>>
>> Does anybody know this problem?
>
> I had problems with bind in domU until I arranged for the following to
> be executed in the domU when interface 'eth0' was brought up:
>
> ethtool -K eth0 tx off
>
> Before I applied that change, tcpdump showed that UDP packets from the
> domU had invalid checksums.

Great, this solved my problem, lots of thanks
Daniel
From: "Goetz Bock" <bock@blacknet.de>
> On Tue, Mar 14 '06 at 18:28, Daniel Bauer wrote:
>> if I start a query at the domU bind from the inside of the network it
>> works, if I start the same query from the outside of the network then
>> it fails.
>
> ethtool -K eth0 tx off
>
> on all interfaces DomU and Dom0. For the firewall eth1, too.

Thanks a lot, this works great, but only in the domU, not in the dom0.

Bye
Daniel
I had exactly this problem with my bind, only the circumstances were a little different. It only gave an error in bind on the second consecutive query to the second IP alias...

The question is: if we disable the UDP checksum, won't we be weakening the security of the packet traffic? What could using this command (ethtool -K eth0 tx off) cause?

--
Leonardo Pinto
listas#openlogic dot com br

On Tue, 14 Mar 2006 20:03:28 +0100, Daniel Bauer wrote
> From: "Tom Eastep" <teastep@shorewall.net>
> > On Tuesday 14 March 2006 09:28, Daniel Bauer wrote:
> >> I've got a running xen host with "nothing" inside dom0 and some domU
> >>
> >> 1. domU: firewall and router (external and internal interface)
> >> 2. domU: webserver with bind (internal interface)
> >> 3. domU: mailserver (internal interface)
> >>
> >> if I start a query at the domU bind from the inside of the network it
> >> works,
> >> if I start the same query from the outside of the network then it
> >> fails.
> >> I'm sure that the firewall allowed this query, I'm using the same
> >> iptables rules which worked on the 3 different real boxes.
> >>
> >> Does anybody know this problem?
> >
> > I had problems with bind in domU until I arranged for the following to
> > be executed in the domU when interface 'eth0' was brought up:
> >
> > ethtool -K eth0 tx off
> >
> > Before I applied that change, tcpdump showed that UDP packets from the
> > domU had invalid checksums.
>
> Great, this solved my problem, lots of thanks
> Daniel
On Tue, Mar 14, 2006 at 08:03:52PM +0100, Daniel Bauer wrote:
> From: "Goetz Bock" <bock@blacknet.de>
> > On Tue, Mar 14 '06 at 18:28, Daniel Bauer wrote:
> >> if I start a query at the domU bind from the inside of the network it
> >> works, if I start the same query from the outside of the network then
> >> it fails.
> >
> > ethtool -K eth0 tx off
> >
> > on all interfaces DomU and Dom0. For the firewall eth1, too.
>
> Thanks a lot, this works great, but only in the domU, not in the dom0.
>

Is this "tx off" really needed also in dom0?

btw. what nics and what xen+kernel version are you using when you have these problems?

-- Pasi
From: "Pasi Kärkkäinen" <pasik@iki.fi>
> On Tue, Mar 14, 2006 at 08:03:52PM +0100, Daniel Bauer wrote:
>> From: "Goetz Bock" <bock@blacknet.de>
>> > On Tue, Mar 14 '06 at 18:28, Daniel Bauer wrote:
>> >> if I start a query at the domU bind from the inside of the network
>> >> it works, if I start the same query from the outside of the network
>> >> then it fails.
>> >
>> > ethtool -K eth0 tx off
>> >
>> > on all interfaces DomU and Dom0. For the firewall eth1, too.
>>
>> Thanks a lot, this works great, but only in the domU, not in the dom0.
>>
>
> Is this "tx off" really needed also in dom0?

In dom0 I get the error message "Cannot set device tx csum settings: Operation not supported". I couldn't use all features in my network (e.g. the tunnel device in the firewall for VPN), but that's not important for me, because I don't use dom0 for working.

> btw. what nics and what xen+kernel version are you using when
> you have these problems?

I'm using a standard SuSE 10.0 (kernel-xen-2.6.13-15.8) with XEN3 Build 8800 installation. The nics are intel devices; maybe I have to give this command without running domU, but I don't want to stop them.

Daniel
On Wed, 2006-03-15 at 12:37 +0200, Pasi Kärkkäinen wrote:
> > >ethtool -K eth0 tx off
> > >on all interfaces DomU and Dom0. For the firewall eth1, too.
> Is this "tx off" really needed also in dom0?

You need tx off on all *xen virtual ethernet interfaces*, no matter if it's in a dom0 or domU. You probably should not run it on your dom0's physical network interfaces.

If you are using xen's standard network-bridge script, dom0's "eth0" interface is a xen virtual ethernet interface (eth0 gets renamed to peth0, and veth0 gets renamed to eth0), so you need to run it on eth0 AFTER xend starts up, or on veth0 before xend starts.

The simpler solution to this in dom0 is to apply the patch to the /etc/xen/scripts/network-bridge script:

*** network-bridge.orig 2006-03-15 07:47:07.635631509 -0500
--- network-bridge 2006-03-15 07:49:38.255631509 -0500
***************
*** 247,252 ****
--- 247,254 ----
  ip link set ${pdev} up
  add_to_bridge2 ${bridge} ${pdev}
  do_ifup ${netdev}
+ # disable ip checksum offloading for veth devices
+ test -x /usr/sbin/ethtool && /usr/sbin/ethtool -K ${netdev} tx off
  else # old style without ${vdev}
  transfer_addrs ${netdev} ${bridge}

Note 1: On RHEL and CentOS, change "/usr/sbin/ethtool" to "/sbin/ethtool".

Note 2: You still have to run ethtool inside all the domUs.

For Debian or Ubuntu domUs, the easy way is to edit the file /etc/network/interfaces and after each "iface ethX" line, add the command:

iface eth0 inet dhcp
    pre-up /usr/sbin/ethtool -K eth0 tx off

For RHEL 4 or CentOS 4.2 domUs, just create a new executable shell script named "/sbin/ifup-pre-local" that contains:

#!/bin/sh
DEVICE="`expr $1 : 'ifcfg-\(.*\)$'`"
/sbin/ethtool -K $DEVICE tx off

The RHEL network startup scripts run that script if it exists, before it brings up a network interface.

I don't have any SuSE or Gentoo systems, so I'm not sure what works there.
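Review bot: the added line `test -x /usr/sbin/ethtool && /usr/sbin/ethtool -K ${netdev} tx off` fails silently when ethtool is not at that path, which Note 1 says is the case on RHEL and CentOS (/sbin/ethtool), so on those systems the bridge comes up with TX checksum offload still on and nothing in the log says why. Suggest resolving the binary with `command -v ethtool` (or testing both paths) and printing a warning when it is missing, e.g. `ethtool=$(command -v ethtool) || echo "network-bridge: ethtool not found, tx offload left on" >&2`. Also, the change sits only in the `${vdev}` branch; the `else # old style without ${vdev}` branch that follows gets no equivalent, so hosts still using the old-style setup are not covered by the patch.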
--
Patrick Wolfe (pwolfe@employease.com)
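An added example, not from this thread or from the Xen network scripts: a small POSIX sh helper that does what the replies above describe in a checkable way. It reads `ethtool -k` to see whether TX checksum offload is still on, turns it off only where needed, and treats the "Operation not supported" reply Daniel saw on dom0 as "skip this device" rather than as a failure, so the same script can run in a domU and in dom0. The `ETHTOOL` variable, the function names, the interface glob in `xen_vifs` and the `--apply` flag are my assumptions; the ethtool path differs per distro, as the thread notes, so it is an environment override rather than a hard-coded path.

```shell
#!/bin/sh
# Added example (not from the thread): disable TX checksum offload on the
# Xen virtual interfaces a guest or dom0 uses, idempotently, and report
# devices that refuse the change instead of failing the whole run.

# Distro-specific path (/usr/sbin/ethtool vs /sbin/ethtool); override via env.
ETHTOOL="${ETHTOOL:-/usr/sbin/ethtool}"

# tx_csum_state DEV -> prints "on", "off" or "unknown" from `ethtool -k DEV`.
# "unknown" covers a missing device, a missing ethtool or unexpected output.
tx_csum_state() {
    "$ETHTOOL" -k "$1" 2>/dev/null | awk '
        /^tx-checksumming:/ { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# disable_tx_csum DEV -> 0 if offload is off afterwards (or already was),
# 2 if the device does not allow changing it (dom0 physical NIC case),
# 1 on any other ethtool failure.
disable_tx_csum() {
    dev="$1"
    state=$(tx_csum_state "$dev")
    [ "$state" = "off" ] && return 0
    err=$("$ETHTOOL" -K "$dev" tx off 2>&1) && return 0
    case "$err" in
        *"Operation not supported"*) return 2 ;;
        *) return 1 ;;
    esac
}

# xen_vifs -> names of the interfaces to treat: ethN inside a domU, and the
# vethN / vifN.M devices network-bridge creates in dom0. Reads /sys so it
# needs no ifconfig; prints nothing if none exist (assumed naming scheme).
xen_vifs() {
    for p in /sys/class/net/eth* /sys/class/net/veth* /sys/class/net/vif*; do
        [ -e "$p" ] && basename "$p"
    done
}

# Run as `sh tx-off.sh --apply` (after xend is up in dom0, see the thread).
if [ "${1:-}" = "--apply" ]; then
    for dev in $(xen_vifs); do
        rc=0
        disable_tx_csum "$dev" || rc=$?
        case $rc in
            0) echo "$dev: tx checksum offload off" ;;
            2) echo "$dev: cannot change tx offload (physical NIC?), skipped" ;;
            *) echo "$dev: ethtool failed" >&2 ;;
        esac
    done
fi
```

Running it twice is harmless, since a device already reporting `tx-checksumming: off` is left alone, and the exit code of `disable_tx_csum` lets an init script distinguish "fixed" from "this NIC does not offload in the first place", which is the situation Daniel hit in dom0.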