From: Eric Dumazet <eric.dumazet@gmail.com>
To: Chris Clayton <chris2553@googlemail.com>
Cc: David Miller <davem@davemloft.net>, netdev@vger.kernel.org, gpiez@web.de
Subject: Re: Possible networking regression in 3.6.0
Date: Mon, 01 Oct 2012 18:37:16 +0200 [thread overview]
Message-ID: <1349109436.12401.712.camel@edumazet-glaptop> (raw)
In-Reply-To: <5069C27A.3090706@googlemail.com>
On Mon, 2012-10-01 at 17:19 +0100, Chris Clayton wrote:
>
> On 10/01/12 16:31, Eric Dumazet wrote:
> > On Mon, 2012-10-01 at 16:13 +0100, Chris Clayton wrote:
> >>
> >> On 10/01/12 10:15, Eric Dumazet wrote:
> >>> On Mon, 2012-10-01 at 09:36 +0100, Chris Clayton wrote:
> >>>>
> >>>
> >>>> 0 ICMP messages received
> >>>> 0 input ICMP message failed.
> >>>> ICMP input histogram:
> >>>> 0 ICMP messages sent
> >>>> 0 ICMP messages failed
> >>>> ICMP output histogram:
> >>>
> >>>>
> >>>> After:
> >>>>
> >>>> $ netstat -s
> >>>> Icmp:
> >>>> 4 ICMP messages received
> >>>> 4 input ICMP message failed.
> >>>> ICMP input histogram:
> >>>> echo replies: 4
> >>>
> >>> So icmp replies come back and are delivered to host instead of being
> >>> forwarded.
> >>>
> >>> I wonder if MASQUERADE broke...
> >>>
> >>> Could you send
> >>>
> >>> iptables -t -nat -nvL
> >>
> >> $ iptables -t -nat -nvL
> >> iptables v1.4.15: can't initialize iptables table `-nat': Table does not
> >> exist (do you need to insmod?)
> >> Perhaps iptables or your kernel needs to be upgraded.
> >>
> >>> conntrack -L # while ping is running from guest
> >>
> >> $ conntrack -L
> >> conntrack v1.2.2 (conntrack-tools): Operation failed: invalid parameters
> >>
> >
> > Thats not expected, you described you used MASQUERADE target, so
> > "iptables -t nat -nvL" should display something.
> >
>
> To check this I've booted a 3.5.4 kernel. I get the same response to the
> two commands. I also double checked that, with a 3.5.4 kernel, pinging
> the router and browsing the internet from the client work and they do.
>
> Except for the packets and bytes columns, the command iptables -nvL
> gives the following output under both 3.5.4 and 3.6.0 kernels:
>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 3757 3240K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
> state RELATED,ESTABLISHED
> 14 840 ACCEPT all -- * * 127.0.0.1 127.0.0.1
> 41 4362 ACCEPT all -- * * 192.168.0.0/24 0.0.0.0/0
> 90 12780 ACCEPT all -- * * 192.168.200.0/24 0.0.0.0/0
> 0 0 ACCEPT all -- * * 192.168.201.0/24 0.0.0.0/0
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT 4470 packets, 3065K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 3243 packets, 349K bytes)
> pkts bytes target prot opt in out source destination
> 64 8344 ACCEPT all -- * * 0.0.0.0/0 192.168.200.0/24
> 0 0 ACCEPT all -- * * 0.0.0.0/0 192.168.201.0/24
I am lost, since n your first mail you said :
-----------------------------------------------------------------------------
# Load the connection-sharing for qemu/kvm guests
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
...
# allow traffic to and from the qemu/kvm virtual networks
NETS="200 201"
for net in $NETS; do
iptables -A INPUT -s 192.168.$net.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.$net.0/24 -j ACCEPT
done
...
The network-related modules that are loaded are:
$ lsmod
Module Size Used by
tun 12412 0
xt_state 891 1
iptable_filter 852 1
ipt_MASQUERADE 1222 1
iptable_nat 3087 1
nf_nat 10901 2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4 4942 4 nf_nat,iptable_nat
nf_defrag_ipv4 815 1 nf_conntrack_ipv4
nf_conntrack 37644 5
ipt_MASQUERADE,nf_nat,xt_state,iptable_nat,nf_conntrack_ipv4
...
r8169 47159 0
-----------------------------------------------
Now you say you dont have nat ?
Something is wrong.
next prev parent reply other threads:[~2012-10-01 16:37 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-17 15:44 Possible networking regression in 3.6.0 Chris Clayton
2012-09-18 14:21 ` Chris Clayton
2012-09-18 14:31 ` Chris Clayton
2012-09-18 14:40 ` Eric Dumazet
2012-09-18 15:51 ` Chris Clayton
2012-09-19 15:26 ` Chris Clayton
2012-09-22 6:26 ` Chris Clayton
2012-09-27 11:50 ` Chris Clayton
2012-09-27 12:14 ` Eric Dumazet
2012-09-27 18:05 ` Chris Clayton
2012-09-27 21:03 ` Eric Dumazet
2012-09-27 21:17 ` Eric Dumazet
2012-09-28 6:53 ` David Miller
2012-09-28 9:14 ` Chris Clayton
2012-09-28 9:22 ` Chris Clayton
2012-09-28 11:26 ` Eric Dumazet
2012-09-28 14:28 ` Chris Clayton
2012-09-30 15:26 ` Chris Clayton
2012-09-30 19:45 ` Eric Dumazet
2012-10-01 8:36 ` Chris Clayton
2012-10-01 9:15 ` Eric Dumazet
2012-10-01 15:13 ` Chris Clayton
2012-10-01 15:31 ` Eric Dumazet
2012-10-01 16:19 ` Chris Clayton
2012-10-01 16:37 ` Eric Dumazet [this message]
2012-10-01 18:28 ` Chris Clayton
2012-10-01 18:34 ` Captain Obvious
2012-10-01 19:21 ` Eric Dumazet
2012-10-01 19:55 ` Chris Clayton
2012-10-01 19:22 ` Chris Clayton
2012-10-01 19:34 ` Dave Jones
2012-10-01 20:01 ` David Miller
2012-10-01 20:04 ` Eric Dumazet
2012-10-02 15:27 ` Edivaldo de Araújo Pereira
2012-10-02 15:35 ` Eric Dumazet
2012-10-02 15:48 ` Eric Dumazet
2012-10-02 15:57 ` Dave Jones
2012-10-02 16:06 ` Eric Dumazet
2012-10-02 18:25 ` David Miller
2012-10-02 21:14 ` Alexander Duyck
2012-10-02 21:35 ` Eric Dumazet
2012-10-02 23:24 ` Julian Anastasov
2012-10-03 3:10 ` David Miller
2012-10-03 15:01 ` Chris Clayton
2012-10-03 20:57 ` Julian Anastasov
2012-10-03 7:28 ` [PATCH] udp: increment UDP_MIB_NOPORTS in mcast receive Eric Dumazet
2012-10-03 12:45 ` David Stevens
2012-10-03 13:15 ` Eric Dumazet
2012-10-03 14:09 ` David Stevens
2012-10-03 15:29 ` Eric Dumazet
2012-10-03 17:31 ` David Stevens
2012-10-03 19:30 ` David Miller
2012-10-03 17:39 ` Rick Jones
2012-10-03 2:55 ` Possible networking regression in 3.6.0 David Miller
2012-10-04 11:25 ` [PATCH] ipv4: add a fib_type to fib_info Eric Dumazet
2012-10-04 13:08 ` Chris Clayton
2012-10-04 13:32 ` Eric Dumazet
2012-10-04 18:14 ` David Miller
2012-09-18 14:44 ` Possible networking regression in 3.6.0 Chris Clayton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1349109436.12401.712.camel@edumazet-glaptop \
--to=eric.dumazet@gmail.com \
--cc=chris2553@googlemail.com \
--cc=davem@davemloft.net \
--cc=gpiez@web.de \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox