[Gllug] Xen and iptables problem

Daniel P. Berrange dan at berrange.com
Fri Jan 5 17:05:00 UTC 2007


On Fri, Jan 05, 2007 at 04:05:57PM +0000, Bruce Richardson wrote:
> On Fri, Jan 05, 2007 at 02:42:59PM +0000, - wrote:
> > 
> > Actually, I forgot to mention in the original post that this is purely
> > in Dom0. At the moment, all I want is to be able to do DNS lookups
> > from Dom0 (as a first step to getting "yum update" to work). If I can
> > get that much working, then the rest should fall into place. I can get
> > incoming traffic to Dom0 working (e.g., ssh), but all outbound TCP
> > traffic has the SYN/ACK reply blocked by iptables, for reasons that I
> > just can't understand.
> 
> I did read somewhere that you can see problems with corrupted checksums
> on ip packets in some circumstances and that this can be fixed by
> turning off TX pause.  Be sure to do that for eth0 and not peth0.
> 
> My personal policy is never to configure an interface for dom0 on any
> nic or bridge that is being used by the domU domains, so I don't need
> the eth/peth bollocks that the xen networking scripts set up;

Urm, you do realize the netloop module (which is where peth0/eth0 duplicity
comes from) isn't just there for fun/complexity. It is critical to preventing
a DomU DOS attack on Dom0. Because of the way the netfront/netback drivers
work, the sk_buf associated with packets travelling from DomU to Dom0 doesn't
actually get copied - there's merely page protection bit-flipping. The upshot
is that packets from DomU will cause pages to be pinned in memory in Dom0.
By adding in the netloop driver, the packets destined for Dom0 get immediately
copied, so the memory is only pinned for a small & finite time. Without the
peth0/eth0 pairing & netloop, DomU can cause memory in Dom0 to be pinned
indefinitely. So I definitely would not remove the eth/peth pair of NICs in
any production host.

Regards,
Dan.
-- 
|=-            GPG key: http://www.berrange.com/~dan/gpgkey.txt       -=|
|=-       Perl modules: http://search.cpan.org/~danberr/              -=|
|=-           Projects: http://freshmeat.net/~danielpb/               -=|
|=-   berrange at redhat.com  -  Daniel Berrange  -  dan at berrange.com    -=|
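As an added example, not from the thread and not Xen project code: a small POSIX shell check that verifies a Dom0 still has the netloop module loaded and the eth0/peth0 pair that Dan says the network scripts rely on. The check takes lsmod-style text and an interface list as arguments so it can be run against a captured dump; the sample inputs at the bottom are constructed for illustration, and the optional live mode assumes `lsmod` and `/sys/class/net` are available on the host.

```shell
#!/bin/sh
# Added example, not part of the original thread. Sanity check for the
# Xen netloop / peth0 arrangement described in the reply above.
# Interface names (eth0, peth0) and the module name (netloop) are the
# ones named in the thread; everything else here is an assumption.

# xen_netloop_check MODULES INTERFACES
#   MODULES    - text in lsmod format (module name in the first column)
#   INTERFACES - whitespace- or newline-separated interface names
# Prints one line per finding. Returns 0 when netloop is loaded and both
# eth0 and peth0 exist, 1 when anything is missing.
xen_netloop_check() {
    modules=$1
    # Normalise newlines to spaces so `ls /sys/class/net` output works too.
    ifaces=$(printf '%s' "$2" | tr '\n' ' ')
    rc=0

    # netloop present => DomU->Dom0 packets are copied instead of leaving
    # DomU-provided pages pinned in Dom0 (the point made in the reply).
    if printf '%s\n' "$modules" | awk '$1 == "netloop" { found = 1 } END { exit !found }'; then
        echo "ok: netloop module loaded"
    else
        echo "MISSING: netloop module not loaded"
        rc=1
    fi

    # Both halves of the eth0/peth0 pair must exist.
    for want in eth0 peth0; do
        case " $ifaces " in
            *" $want "*) echo "ok: interface $want present" ;;
            *)           echo "MISSING: interface $want absent"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
netloop                 8192  0
netbk                  24576  0
bridge                 49152  0'
SAMPLE_IFACES='lo eth0 peth0 xenbr0 vif0.0 vif1.0'

# Constructed Dom0 where the eth/peth pairing has been removed.
SAMPLE_IFACES_NOPAIR='lo eth0 xenbr0 vif1.0'

# Run against the constructed samples by default; set
# XEN_NETLOOP_CHECK_LIVE=1 to inspect the running host instead.
if [ "${XEN_NETLOOP_CHECK_LIVE:-0}" = "1" ]; then
    xen_netloop_check "$(lsmod)" "$(ls /sys/class/net)"
else
    echo "--- sample: bridged Dom0 with netloop ---"
    xen_netloop_check "$SAMPLE_LSMOD" "$SAMPLE_IFACES" || true
    echo "--- sample: eth/peth pair removed ---"
    xen_netloop_check "$SAMPLE_LSMOD" "$SAMPLE_IFACES_NOPAIR" || true
fi
```

The check only reports on what the thread names; it does not try to judge whether a given Dom0 is otherwise safe, and a host that deliberately keeps Dom0 off the DomU bridge (the policy quoted in the reply) will show the pair as missing, which is exactly the trade-off Dan is warning about.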
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug