Hi all,

I've been running xen on gentoo for a few months without problems. I recently installed shorewall (firewall) on domU. This domain has 3 network interfaces. One (eth1) is connected to internet through a cable modem. The others are dmz (eth2) and internal network (eth0). I configured shorewall to accept and nat http connections from net zone (internet) to my smtp gateway in DMZ. This kind of connection doesn't work with xen. I ran ethereal on my laptop which simulated http requests from eth1 subnet and I found that tcp packets (replies) sent by the firewall have checksum errors.

Then I checked in bugzilla and found a patch for a similar bug (447). Source code seems to be correct regarding this patch. The linux kernel is: linux 2.6.12.6, xen version 3.0.1, gentoo package: xen-sources-2.6.12.6-r3 (02 Mar 2006)

Any ideas?

Thanks
Jean-Luc

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Some of us on the devel list have been talking about this very behaviour. The patch that you are referencing works very well (at least for me). If that patch won't apply on its own, it is trivial to edit the file by hand since you are only replacing a single line. Good luck!

--
Jason
The place where you made your stand never mattered,
only that you were there... and still on your feet

On Fri, 31 Mar 2006, jean-luc.voisin wrote:
> Hi all,
> I'm running xen on gentoo since few months without problems. I recently installed shorewall (firewall) on domU. This domain has 3 network interfaces. One (eth1) is connected to internet through a cable modem. other are dmz (eth2) and internal network (eth0). I configured shorewall to accept and nat http connections from net zone (internet) to my smtp gateway in DMZ. These kind of connections doesn't work with xen. I ran ethereal on my laptop which simulated http requests from eth1 subnet and I found that tcp packets (replies) sent by the firewall have checksums errors.
> Then I checked in bugzilla and found a patch for a similar bug(447). Source code seems to be correct regarding this patch. The linux kernel is : linux 2.6.12.6, xen version 3.0.1, gentoo package : xen-sources-2.6.12.6-r3 (02 Mar 2006)
>
> Any ideas ?
> Thanks
> Jean-Luc

Thanks for your quick answer Jason,

First of all, note that I'm not a kernel/xen expert, I just try to make my system working for a proof of concept. I googled a lot before sending this email to the xen list.

Following your advice, I took a look in /usr/src/linux-2.6.12.6-xen-r3/net/ipv4/netfilter/ and found following files :
ip_nat_proto_tcp.c
ip_nat_proto_tcp.c.orig
ip_nat_proto_udp.c
ip_nat_proto_udp.c.orig

These files have been downloaded via the "emerge -av xen-sources" gentoo command, I didn't modify these files.

"diff ip_nat_proto_udp.c.orig ip_nat_proto_udp.c" gives :
116,117c116,123 < if (hdr->check) /* 0 is a special case meaning no checksum */ < hdr->check = ip_nat_cheat_check(~oldip, newip, ---> > if (hdr->check) { /* 0 is a special case meaning no checksum */ > if ((*pskb)->proto_csum_blank) { > hdr->check = ip_nat_cheat_check(oldip, ~newip, > ip_nat_cheat_check(*portptr ^ 0xFFFF, > newport, hdr->check)); > } else { > hdr->check = ip_nat_cheat_check(~oldip, newip,120a127,128> } > }

"diff ip_nat_proto_tcp.c.orig ip_nat_proto_tcp.c" gives :
131c131,136 < hdr->check = ip_nat_cheat_check(~oldip, newip, ---> if ((*pskb)->proto_csum_blank) { > hdr->check = ip_nat_cheat_check(oldip, ~newip, > ip_nat_cheat_check(oldport ^ 0xFFFF, > newport, hdr->check)); > } else { > hdr->check = ip_nat_cheat_check(~oldip, newip,134a140> }

so I assume that the patch is applied. I recompiled both kernel dom0 and domU, but always the same behavior. I also tried the "ethtool -K eth0 tx off" command without success.
At this moment, I run out of ideas.

Thanks for your help
Jean-Luc

> Message of 31/03/06 17:44
> From: "Jason" <xen@jasonandjessi.com>
> To: "jean-luc.voisin" <jean-luc.voisin@mobistarmail.be>
> Cc: xen-users@lists.xensource.com
> Subject: Re: [Xen-users] DNAT TCP checksum error
>
> Some of us on the devel list have been talking about this very behaviour. The patch that you are
> referencing works very well (at least for me). If that patch won't apply on its own, it is trivial
> to edit the file by hand since you are only replacing a single line. Good luck!
>
> --
> Jason
> The place where you made your stand never mattered,
> only that you were there... and still on your feet
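
Review bot: the two nested calls in the new `proto_csum_blank` branch of ip_nat_proto_udp.c (hunk 116,117c116,123) use opposite complement conventions: the outer call passes `oldip, ~newip`, while the inner one still passes `*portptr ^ 0xFFFF, newport`, that is, inverted old value and plain new value, as in the unchanged `~oldip, newip` call. If the asymmetry is intended, add a comment saying what `hdr->check` contains when `proto_csum_blank` is set and why only the address terms are flipped; if it is not, the port terms should be looked at again before this goes in.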
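
Review bot: the `proto_csum_blank` branch added to ip_nat_proto_tcp.c (hunk 131c131,136) repeats the UDP construct almost token for token, the only visible difference being `oldport ^ 0xFFFF` where the UDP file has `*portptr ^ 0xFFFF`. A small shared helper taking the skb, the old and new address and the old and new port would keep the two protocol files from drifting apart and would give one place to document the `proto_csum_blank` case.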

oops, mea culpa...

the "ethtool -K eth0 tx off" corrects the problem, but how to solve the problem within the kernel ?

Jean-Luc

> Message of 01/04/06 17:26
> From: "jean-luc.voisin" <jean-luc.voisin@mobistarmail.be>
> To: "Jason" <xen@jasonandjessi.com>
> Cc: xen-users@lists.xensource.com
> Subject: Re: [Xen-users] DNAT TCP checksum error

On Saturday 01 April 2006 1:15 pm, jean-luc.voisin wrote:
> the "ethtool -K eth0 tx off" corrects the problem, but how to solve the
> problem within the kernel ?

i don't understand fully why this is sometimes needed. does it make the driver not write checksums? or not rely on hardware checksumming?

--
Javier

I'm not an expert on this either, I have just had to deal with it myself very recently. A post went out on the devel list earlier talking about theoretical reasons as to why the tcp checksum code is disabled for virtual interfaces. I have posed the question back to the devel list asking for a clarification as to why that is done and if it could just be removed since it seems to impact a lot of people (everyone that isn't bridging as far as I can tell).

As for fixing it in the kernel, you can edit the file drivers/xen/netback/interface.c. Look for the line

dev->features = NETIF_F_NO_CSUM;

and replace it with

dev->features = 0; /*NETIF_F_NO_CSUM; */

which as I understand it will re-enable checksums at the virtual interface level and worked very well for me. If I hear something back on why this code is set to disable checksums, I will post it to here.

--
Jason
The place where you made your stand never mattered,
only that you were there... and still on your feet

On Sat, 1 Apr 2006, Javier Guerra wrote:
> On Saturday 01 April 2006 1:15 pm, jean-luc.voisin wrote:
>> the "ethtool -K eth0 tx off" corrects the problem, but how to solve the
>> problem within the kernel ?
>
> i don't understand fully why this is sometimes needed. does it makes the
> driver not to write checksums? or not to rely on hardware checksumming?

Hi

> which as I understand it will re-enable checksums at the
> virtual interface level and worked very well for me. If I
> hear something back on why this code is set to disable
> checksums, I will post it to here.

I suspect this is about performance. I see no reason to compute (and check) checksums for packets only used inside the system. These checksums are for detecting physical layer problems in real networks.

Regards,
Steffen
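
The thread turns on what the TCP checksum field holds at the moment a NAT rewrite touches it. The C program below is an added example, not code from the thread, the patch or the kernel: it rewrites the destination address of a constructed segment and checks whether a receiver would accept the result, once with a finished checksum in the field and once with the checksum deferred to the sender's device. It assumes that in the deferred case the field holds only the uninverted pseudo-header sum; `cheat_check`, `nat_ok` and the sample addresses are names and values made up for the example, with `cheat_check` taking its arguments in the same order as the calls quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>

enum { CHECK = 8, NWORDS = 12 };   /* checksum is the 9th 16-bit word of a TCP header */

/* One's-complement sum of n 16-bit words added to init, folded to 16 bits. */
static uint16_t sum16(const uint16_t *w, size_t n, uint32_t init) {
    uint32_t s = init;
    while (n--) s += *w++;
    while (s >> 16) s = (s & 0xFFFF) + (s >> 16);
    return (uint16_t)s;
}

/* Model of the incremental update (not kernel code): ~(~oldcheck + a + b). */
static uint16_t cheat_check(uint32_t a, uint32_t b, uint16_t oldcheck) {
    uint16_t w[5] = { (uint16_t)~oldcheck, (uint16_t)(a >> 16), (uint16_t)a,
                      (uint16_t)(b >> 16), (uint16_t)b };
    return (uint16_t)~sum16(w, 5, 0);
}

/* Uninverted pseudo-header sum: assumed field content while the checksum is deferred. */
static uint16_t pseudo_sum(uint32_t src, uint32_t dst) {
    uint16_t ph[6] = { (uint16_t)(src >> 16), (uint16_t)src,
                       (uint16_t)(dst >> 16), (uint16_t)dst, 6, 2 * NWORDS };
    return sum16(ph, 6, 0);
}

/* Checksum the receiver verifies: ~(pseudo-header + segment with the field zeroed). */
static uint16_t full_csum(uint32_t src, uint32_t dst, uint16_t *seg) {
    seg[CHECK] = 0;
    return (uint16_t)~sum16(seg, NWORDS, pseudo_sum(src, dst));
}

/* Rewrite the destination address; return 1 if the receiver would accept the result. */
static int nat_ok(int deferred, int swapped) {
    uint16_t seg[NWORDS] = { 40000, 80, 0x1234, 0x5678, 0, 0, 0x5018, 8192,
                             0, 0, 0x4745, 0x5420 };            /* constructed segment */
    uint32_t src = 0xC000020A, old_dst = 0xC6336401, new_dst = 0x0A000005;
    uint16_t want = full_csum(src, new_dst, seg);
    uint16_t before = deferred ? pseudo_sum(src, old_dst) : full_csum(src, old_dst, seg);
    seg[CHECK] = swapped ? cheat_check(old_dst, ~new_dst, before)
                         : cheat_check(~old_dst, new_dst, before);
    if (deferred) seg[CHECK] = (uint16_t)~sum16(seg, NWORDS, 0);  /* sender completes it */
    return seg[CHECK] == want;
}

int main(void) {
    return printf("%d %d %d\n", nat_ok(0, 0), nat_ok(1, 0), nat_ok(1, 1)) < 0;
}
```

The three values printed are, in order, finished checksum with the usual update, deferred checksum with the usual update, and deferred checksum with the complement swapped as in the `proto_csum_blank` branch.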