Linux Bridging/masquerading Problem

 
 
Sebastian Gutweiler

 
      07-06-2005, 05:14 PM
Hi,

I use Xen, which is a Linux virtualisation suite. So I've the host
called ds9, which creates two extra Linux instances router and
enterprise-e running virtually. Router should do Masquerading for the
network. router and enterprise-e create virtual network interfaces
which are bridged at the level of ds9:

ds9:~# brctl show
bridge name     bridge id               STP enabled     interfaces
internal-br     8000.000000006634       no              eth0
                                                        vif1.0
                                                        vif2.0

eth0 is the network card in ds9, vif1.0 is the router network
interface, vif2.0 is enterprise-e netif.

TCP/IP traffic between the domains works absolutely fine. All domains
(enterprise-e, ds9 and machines in the external network eth0 have
"router" as their gateway). ds9 and all PCs on the external network can
access the internet fine.

My problem is that enterprise-e is able to ping any computer on the
Internet, but TCP/IP connections are not established. It seems to me
that the 3-way handshake is not completed. There are no iptables rules
either on router (except MASQ) or on enterprise-e.

Some tcpdump output (enterprise-e is trying to do "wget
216.239.39.104"):

If the same message occurs several times in a row and just the time
differs, it is [snipped]; the tcpdump status message is also snipped.

root@enterprise-e:~ # tcpdump -i eth0 src or dst 216.239.39.104
[snip]
19:07:07.737364 IP enterprise-e.zuhause.xx.34561 > 216.239.39.104.www:
S 1077572922:1077572922(0) win 5840 <mss 1460,sackOK,timestamp 120590
0,nop,wscale 2>
19:07:07.877872 IP 216.239.39.104.www > enterprise-e.zuhause.xx.34561:
S 3528413951:3528413951(0) ack 1077572923 win 8190 <mss 1412>
19:07:07.877905 IP enterprise-e.zuhause.xx.34561 > 216.239.39.104.www:
. ack 1 win 5840
19:07:07.878290 IP enterprise-e.zuhause.xx.34561 > 216.239.39.104.www:
P 1:102(101) ack 1 win 5840
[Snip]
216.239.39.104.www: FP 1:102(101) ack 1 win 5840


ds9:~# tcpdump -i internal-br src or dst 216.239.39.104
[Snip]
19:07:07.736504 IP enterprise-e.zuhause.xx.34561 > 216.239.39.104.www:
S 1077572922:1077572922(0) win 5840 <mss 1460,sackOK,timestamp 120590
0,nop,wscale 2>
19:07:07.877848 IP 216.239.39.104.www > enterprise-e.zuhause.xx.34561:
S 3528413951:3528413951(0) ack 1077572923 win 8190 <mss 1412>
19:07:07.878119 IP enterprise-e.zuhause.xx.34561 > 216.239.39.104.www:
. ack 1 win 5840
19:07:07.878482 IP enterprise-e.zuhause.xx.34561 > 216.239.39.104.www:
P 1:102(101) ack 1 win 5840
19:07:10.878130 IP enterprise-e.zuhause.xx.34561 >
[Snip]
19:08:40.878129 IP enterprise-e.zuhause.xx.34561 > 216.239.39.104.www:
FP 1:102(101) ack 1 win 5840

router:~# tcpdump -i ppp0 src or dst 216.239.39.104
[snip]
19:07:07.735864 IP p54AE0180.dip0.t-ipconnect.de.34561 >
216.239.39.104.www: S 1077572922:1077572922(0) win 5840 <mss
1412,sackOK,timestamp 120590 0,nop,wscale 2>
19:07:07.877735 IP 216.239.39.104.www >
p54AE0180.dip0.t-ipconnect.de.34561: S 3528413951:3528413951(0) ack
1077572923 win 8190 <mss 1412>
19:07:07.878142 IP p54AE0180.dip0.t-ipconnect.de.34561 >
216.239.39.104.www: . ack 1 win 5840
19:07:07.878976 IP p54AE0180.dip0.t-ipconnect.de.34561 >
216.239.39.104.www: P 1:102(101) ack 1 win 5840
[Snip]
19:07:52.878201 IP p54AE0180.dip0.t-ipconnect.de.34561 >
216.239.39.104.www: FP 1:102(101) ack 1 win 5840
19:08:40.878182 IP enterprise-e.zuhause.xx.34561 > 216.239.39.104.www:
FP 1077572923:1077573024(101) ack 3528413952 win 5840
19:10:16.878197 IP enterprise-e.zuhause.xx.34561 > 216.239.39.104.www:
FP 0:101(101) ack 1 win 5840


Thank You,

Sebastian

 
 
 
 
 
chris-usenet@roaima.co.uk

 
      07-07-2005, 09:29 AM
Sebastian Gutweiler <(E-Mail Removed)> wrote:
> I use Xen, which is a Linux virtualisation suite. So I've the host
> called ds9, which creates two extra Linux instances router and
> enterprise-e running virtually. Router should do Masquerading for the
> network. router and enterprise-e create virtual network interfaces
> which are bridged at the level of ds9:


What kernel are you running?

Masquerading/DNAT is broken in the 2.6.12 series kernels (see the current
thread regarding SNAT/DNAT in this same group).

Chris
 
 
Sebastian Gutweiler

 
      07-07-2005, 11:02 AM
Hi,

chris-(E-Mail Removed) wrote:
> What kernel are you running?
>
> Masquerading/DNAT is broken in the 2.6.12 series kernels (see the current
> thread regarding SNAT/DNAT in this same group).
>


Well, I'm using 2.6.11.12, but maybe it's also broken in this version?
I'll take a look at whether it is possible for me to downgrade (I need
an up-to-date version of Xen, so this could be a problem).

Thanks,

Sebastian

 
 
chris-usenet@roaima.co.uk

 
      07-08-2005, 09:18 AM
> Masquerading/DNAT is broken in the 2.6.12 series kernels (see the current
> thread regarding SNAT/DNAT in this same group).


Sebastian Gutweiler <(E-Mail Removed)> wrote:
> well, I'm using 2.6.11.12, but maybe it's also broken in this version?
> I'll take a look at whether it is possible for me to downgrade (I need
> an up-to-date version of Xen, so this could be a problem)


I've found a patch which appears to have resolved the problem, at
http://kerneltrap.org/mailarchive/1/...es_per_page=10

Chris
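
Added example, not part of the original thread: the ppp0 capture in the first post can be checked mechanically for packets that leave the WAN interface with an internal source (i.e. without being masqueraded) and for payload segments that are sent more than once. The function name audit_wan and its parameters are assumptions made for this example; the sample lines are the ppp0 capture from the post with wrapped lines rejoined.

```python
import re
from collections import Counter

# Old-style tcpdump text: "<time> IP <src>.<port> > <dst>.<port>: <flags> <rest>"
LINE = re.compile(r"^(\S+) IP (\S+)\.(\w+) > (\S+)\.(\w+): (\S+)\s*(.*)$")
SEG = re.compile(r"^(\d+):(\d+)\((\d+)\)")  # first:last(payload length)

# ppp0 capture from the first post, wrapped lines rejoined, [snip] markers dropped.
PPP0 = """\
19:07:07.735864 IP p54AE0180.dip0.t-ipconnect.de.34561 > 216.239.39.104.www: S 1077572922:1077572922(0) win 5840 <mss 1412,sackOK,timestamp 120590 0,nop,wscale 2>
19:07:07.877735 IP 216.239.39.104.www > p54AE0180.dip0.t-ipconnect.de.34561: S 3528413951:3528413951(0) ack 1077572923 win 8190 <mss 1412>
19:07:07.878142 IP p54AE0180.dip0.t-ipconnect.de.34561 > 216.239.39.104.www: . ack 1 win 5840
19:07:07.878976 IP p54AE0180.dip0.t-ipconnect.de.34561 > 216.239.39.104.www: P 1:102(101) ack 1 win 5840
19:07:52.878201 IP p54AE0180.dip0.t-ipconnect.de.34561 > 216.239.39.104.www: FP 1:102(101) ack 1 win 5840
19:08:40.878182 IP enterprise-e.zuhause.xx.34561 > 216.239.39.104.www: FP 1077572923:1077573024(101) ack 3528413952 win 5840
19:10:16.878197 IP enterprise-e.zuhause.xx.34561 > 216.239.39.104.www: FP 0:101(101) ack 1 win 5840
"""

def audit_wan(capture, public_host, remote_host):
    """Audit a capture taken on the masquerading (WAN) interface.

    Returns (leaked, resent): packets leaving with a source other than the
    masqueraded address, and payload segments sent more than once."""
    leaked, sent = [], Counter()
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # status lines, [snip] markers, blank lines
        ts, src, _sport, _dst, _dport, _flags, rest = m.groups()
        if src == remote_host:
            continue  # inbound reply, nothing to check
        if src != public_host:
            leaked.append((ts, src))  # left the WAN side untranslated
        seg = SEG.match(rest)
        if seg and int(seg.group(3)) > 0:
            sent[(src, seg.group(1), seg.group(2))] += 1
    return leaked, {k: n for k, n in sent.items() if n > 1}

if __name__ == "__main__":
    leaked, resent = audit_wan(PPP0, "p54AE0180.dip0.t-ipconnect.de", "216.239.39.104")
    for ts, src in leaked:
        print(f"{ts} un-NATed source on WAN: {src}")
    for (src, lo, hi), n in resent.items():
        print(f"{src} sent seq {lo}:{hi} {n} times")
```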
 