
Bug#590661: linux-image-2.6.32-5-openvz-amd64: openswan ipsec packets do not reach openvz instances



Package: linux-2.6
Version: 2.6.32-18
Severity: important
Tags: squeeze



-- Package-specific info:
** Version:
Linux version 2.6.32-5-openvz-amd64 (Debian 2.6.32-18) (ben@decadent.org.uk) (gcc version 4.3.5 (Debian 4.3.5-2) ) #1 SMP Sat Jul 24 02:32:56 UTC 2010

** Command line:
BOOT_IMAGE=/boot/vmlinuz-2.6.32-5-openvz-amd64 root=/dev/mapper/osfw--v3--01--vda1-osfw--v3--01--root ro quiet

** Not tainted

** Kernel log:
[    0.711027] usb usb1: SerialNumber: 0000:00:01.2
[    0.711064] usb usb1: configuration #1 chosen from 1 choice
[    0.711084] hub 1-0:1.0: USB hub found
[    0.711093] hub 1-0:1.0: 2 ports detected
[    0.712995] FDC 0 is a S82078B
[    0.719474] libata version 3.00 loaded.
[    0.721513] ata_piix 0000:00:01.1: version 2.13
[    0.721578] ata_piix 0000:00:01.1: setting latency timer to 64
[    0.722690] scsi0 : ata_piix
[    0.727492] scsi1 : ata_piix
[    0.727589] ata1: PATA max MWDMA2 cmd 0x1f0 ctl 0x3f6 bmdma 0xc000 irq 14
[    0.727593] ata2: PATA max MWDMA2 cmd 0x170 ctl 0x376 bmdma 0xc008 irq 15
[    0.884454] ata2.01: NODEV after polling detection
[    0.884701] ata2.00: ATAPI: QEMU DVD-ROM, 0.12.4, max UDMA/100
[    0.885134] ata2.00: configured for MWDMA2
[    0.885567] scsi 1:0:0:0: CD-ROM            QEMU     QEMU DVD-ROM     0.12 PQ: 0 ANSI: 5
[    0.894999] sr0: scsi3-mmc drive: 4x/4x xa/form2 tray
[    0.895002] Uniform CD-ROM driver Revision: 3.20
[    0.895207] sr 1:0:0:0: Attached scsi CD-ROM sr0
[    0.907747] sr 1:0:0:0: Attached scsi generic sg0 type 5
[    0.955614] device-mapper: uevent: version 1.0.3
[    0.956022] device-mapper: ioctl: 4.15.0-ioctl (2009-04-01) initialised: dm-devel@redhat.com
[    1.034222] EXT3-fs: INFO: recovery required on readonly filesystem.
[    1.034225] EXT3-fs: write access will be enabled during recovery.
[    6.200503] kjournald starting.  Commit interval 5 seconds
[    6.200517] EXT3-fs: recovery complete.
[    6.211297] EXT3-fs: mounted filesystem with ordered data mode.
[    6.366763] udev: starting version 158
[    6.632461] input: PC Speaker as /devices/platform/pcspkr/input/input2
[    6.635775] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input3
[    6.635779] ACPI: Power Button [PWRF]
[    6.701913] processor LNXCPU:00: registered as cooling_device0
[    6.785981] piix4_smbus 0000:00:01.3: SMBus Host Controller at 0xb100, revision 0
[    6.826793] Error: Driver 'pcspkr' is already registered, aborting...
[    7.045272] EXT3 FS on dm-0, internal journal
[    7.105607] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input4
[    7.116925] loop: module loaded
[    7.346973] Adding 7999480k swap on /dev/mapper/osfw--v3--01--vda1-osfw--v3--01--swap.  Priority:-1 extents:1 across:7999480k 
[    7.605167] 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
[    7.605170] All bugs added by David S. Miller <davem@redhat.com>
[    7.687959] Bridge firewalling registered
[    8.792227] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
[    8.792927] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
[    8.792930] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
[    8.792932] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
[    8.933138] Netfilter messages via NETLINK v0.30.
[    8.939723] ctnetlink v0.93: registering with nfnetlink.
[    9.089892] Ebtables v2.0 registered
[    9.220739] ip_tables: (C) 2000-2006 Netfilter Core Team
[   10.058516] warning: `vzctl' uses 32-bit capabilities (legacy support in use)
[   10.060900] CT: 100: started
[   10.187317] device veth100.0 entered promiscuous mode
[   10.187339] br0: port 1(veth100.0) entering learning state
[   10.317531] CT: 200: started
[   10.964835] device veth200.0 entered promiscuous mode
[   10.964856] br1: port 1(veth200.0) entering learning state
[   12.802630] RULE 2 -- DENY IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=59272 DF PROTO=UDP SPT=37197 DPT=123 LEN=220 
[   14.829759] RULE 2 -- DENY IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=59273 DF PROTO=UDP SPT=37197 DPT=123 LEN=220 
[   16.857702] RULE 2 -- DENY IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=59274 DF PROTO=UDP SPT=37197 DPT=123 LEN=220 
[   17.696018] eth1: no IPv6 routers present
[   18.052016] eth1.100: no IPv6 routers present
[   18.188015] br1: no IPv6 routers present
[   18.324017] br0: no IPv6 routers present
[   18.576016] eth0: no IPv6 routers present
[   18.884890] RULE 2 -- DENY IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=59275 DF PROTO=UDP SPT=37197 DPT=123 LEN=220 
[   20.992015] veth100.0: no IPv6 routers present
[   21.444017] eth0: no IPv6 routers present
[   21.600017] veth200.0: no IPv6 routers present
[   22.240016] eth0: no IPv6 routers present
[   25.184025] br0: port 1(veth100.0) entering forwarding state
[   25.964017] br1: port 1(veth200.0) entering forwarding state
[   35.859715] RULE 2 -- DENY IN=eth1.100 OUT=eth0 SRC=213.177.106.242 DST=213.178.168.147 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=8827 DF PROTO=TCP SPT=9756 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
[   38.777904] RULE 2 -- DENY IN=eth1.100 OUT=eth0 SRC=213.177.106.242 DST=213.178.168.147 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=9010 DF PROTO=TCP SPT=9756 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
[   47.132914] RULE 2 -- DENY IN=eth1.100 OUT=eth0 SRC=213.109.10.55 DST=213.178.168.145 LEN=64 TOS=0x00 PREC=0x00 TTL=39 ID=12450 DF PROTO=TCP SPT=2255 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0 
[   49.978037] RULE 2 -- DENY IN=eth1.100 OUT=eth0 SRC=213.109.10.55 DST=213.178.168.145 LEN=64 TOS=0x00 PREC=0x00 TTL=39 ID=13776 DF PROTO=TCP SPT=2255 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0 
[   50.239430] NET: Registered protocol family 15
[   50.332628] Initializing XFRM netlink socket
[   50.339168] padlock: VIA PadLock not detected.
[   50.342375] padlock: VIA PadLock Hash Engine not detected.
[   50.349261] padlock: VIA PadLock not detected.
[   50.462203] alg: No test for cipher_null (cipher_null-generic)
[   50.462247] alg: No test for ecb(cipher_null) (ecb-cipher_null)
[   50.462286] alg: No test for digest_null (digest_null-generic)
[   50.462303] alg: No test for compress_null (compress_null-generic)
[   50.478718] padlock: VIA PadLock Hash Engine not detected.
[  232.406646] alg: No test for authenc(hmac(sha1),cbc(aes)) (authenc(hmac(sha1-generic),cbc(aes-asm)))
[  298.437927] device br1 entered promiscuous mode
[  371.364329] device br1 left promiscuous mode
[  416.832870] device eth1 entered promiscuous mode
[  420.388313] device eth1 left promiscuous mode
[  422.024886] device eth0 entered promiscuous mode
[  423.568319] device eth0 left promiscuous mode
[  426.784902] device eth0 entered promiscuous mode
[  430.996302] device eth0 left promiscuous mode
[  434.912747] device eth0 entered promiscuous mode
[  434.914242] device eth0 left promiscuous mode
[  438.464990] device eth0 entered promiscuous mode
[  447.884331] device eth0 left promiscuous mode
[  455.904885] device br1 entered promiscuous mode
[  461.468307] device br1 left promiscuous mode

** Model information
sys_vendor: Bochs
product_name: Bochs
product_version: 
chassis_vendor: Bochs
chassis_version: 
bios_vendor: Bochs
bios_version: Bochs

** Loaded modules:
Module                  Size  Used by
authenc                 5642  0 
deflate                 1767  0 
zlib_deflate           17746  1 deflate
ctr                     3363  0 
camellia               17463  0 
cast5                  16349  0 
rmd160                  7104  0 
sha1_generic            1759  0 
hmac                    2593  0 
crypto_null             2492  0 
ccm                     6833  0 
serpent                16791  0 
blowfish                7944  0 
twofish                 6025  0 
twofish_common         13472  1 twofish
ecb                     1841  0 
xcbc                    2325  0 
cbc                     2539  0 
sha256_generic          8692  0 
sha512_generic          4449  0 
des_generic            15475  0 
aes_x86_64              7340  0 
aes_generic            25714  1 aes_x86_64
xfrm_user              17793  2 
ah6                     4373  0 
ah4                     3711  0 
esp6                    4569  0 
esp4                    4821  0 
xfrm4_mode_beet         1995  0 
xfrm4_tunnel            1625  0 
tunnel4                 1973  1 xfrm4_tunnel
xfrm4_mode_tunnel       1696  0 
xfrm4_mode_transport     1450  0 
xfrm6_mode_transport     1498  0 
xfrm6_mode_ro           1310  0 
xfrm6_mode_beet         1834  0 
xfrm6_mode_tunnel       1632  0 
ipcomp                  1796  0 
ipcomp6                 1780  0 
xfrm_ipcomp             3559  2 ipcomp,ipcomp6
xfrm6_tunnel            6687  1 ipcomp6
tunnel6                 1872  1 xfrm6_tunnel
rng_core                3006  0 
af_key                 25376  0 
vzethdev                7301  0 
vznetdev               17967  2 
simfs                   3087  2 
vzrst                 110286  0 
vzcpt                  97010  0 
vzdquota               35158  2 [permanent]
vzmon                  16333  6 vzethdev,vznetdev,vzrst,vzcpt
vzdev                   1824  4 vzethdev,vznetdev,vzdquota,vzmon
xt_tcpudp               2319  0 
xt_length               1164  0 
xt_hl                   1313  0 
xt_tcpmss               1401  0 
xt_TCPMSS               2935  0 
iptable_mangle          2881  0 
xt_multiport            2267  0 
xt_limit                1782  0 
xt_dscp                 1805  0 
ipt_REJECT              1953  0 
nfnetlink_log           7016  1 
ipt_LOG                 4742  0 
ipt_MASQUERADE          1213  0 
xt_state                1303  0 
iptable_filter          2322  0 
nf_nat_h323             5095  0 
nf_nat_irc              1366  0 
nf_nat_tftp              966  0 
nf_nat_snmp_basic       7796  0 
nf_nat_pptp             2034  0 
nf_nat_proto_gre        1245  1 nf_nat_pptp
nf_nat_proto_udplite     1089  0 
iptable_nat             4363  0 
ip_tables              14107  3 iptable_mangle,iptable_filter,iptable_nat
nf_nat_sip              4934  0 
nf_nat_amanda           1144  0 
nf_nat_proto_sctp       1144  0 
crc32c                  2560  1 
libcrc32c               1074  1 nf_nat_proto_sctp
nf_nat_ftp              2047  0 
nf_nat_proto_dccp       1128  0 
nf_nat                 13514  13 ipt_MASQUERADE,nf_nat_h323,nf_nat_irc,nf_nat_tftp,nf_nat_pptp,nf_nat_proto_gre,nf_nat_proto_udplite,iptable_nat,nf_nat_sip,nf_nat_amanda,nf_nat_proto_sctp,nf_nat_ftp,nf_nat_proto_dccp
act_nat                 3139  0 
ebtable_nat             1588  0 
ebtables               13933  1 ebtable_nat
ebt_dnat                1124  0 
ebt_snat                1172  0 
nf_conntrack_tftp       3321  1 nf_nat_tftp
nf_conntrack_netbios_ns     1282  0 
nf_conntrack_proto_udplite     2623  0 
nf_conntrack_sane       3620  0 
xt_conntrack            3487  0 
x_tables               13213  18 xt_tcpudp,xt_length,xt_hl,xt_tcpmss,xt_TCPMSS,xt_multiport,xt_limit,xt_dscp,ipt_REJECT,ipt_LOG,ipt_MASQUERADE,xt_state,iptable_nat,ip_tables,ebtables,ebt_dnat,ebt_snat,xt_conntrack
ts_kmp                  1623  5 
nf_conntrack_amanda     2197  1 nf_nat_amanda
nf_conntrack_netlink    13160  0 
nfnetlink               2398  3 nfnetlink_log,nf_conntrack_netlink
nf_conntrack_proto_dccp     6466  0 
nf_conntrack_irc        3347  1 nf_nat_irc
nf_conntrack_sip       13546  1 nf_nat_sip
nf_conntrack_proto_sctp     6238  0 
nf_conntrack_ftp        5537  1 nf_nat_ftp
nf_conntrack_h323      36800  1 nf_nat_h323
nf_conntrack_pptp       3801  1 nf_nat_pptp
nf_conntrack_proto_gre     3579  1 nf_conntrack_pptp
nf_conntrack_ipv4      10143  3 iptable_nat,nf_nat
nf_conntrack           47155  27 xt_state,nf_nat_h323,nf_nat_irc,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_pptp,iptable_nat,nf_nat_sip,nf_nat_amanda,nf_nat_ftp,nf_nat,nf_conntrack_tftp,nf_conntrack_netbios_ns,nf_conntrack_proto_udplite,nf_conntrack_sane,xt_conntrack,nf_conntrack_amanda,nf_conntrack_netlink,nf_conntrack_proto_dccp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_ftp,nf_conntrack_h323,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_ipv4
nf_defrag_ipv4          1155  1 nf_conntrack_ipv4
bridge                 40726  0 
8021q                  17902  0 
garp                    5050  1 8021q
stp                     1440  2 bridge,garp
loop                   11735  0 
snd_pcm                60487  0 
snd_timer              15598  1 snd_pcm
i2c_piix4               8328  0 
serio_raw               3768  0 
snd                    46494  2 snd_pcm,snd_timer
soundcore               4598  1 snd
evdev                   7368  2 
processor              30279  0 
snd_page_alloc          6265  1 snd_pcm
button                  4682  0 
psmouse                49777  0 
virtio_balloon          2929  0 
pcspkr                  1699  0 
i2c_core               15712  1 i2c_piix4
ext3                  106470  1 
jbd                    37053  1 ext3
mbcache                 5050  1 ext3
dm_mod                 53786  6 
sg                     18712  0 
sr_mod                 12682  0 
cdrom                  29415  1 sr_mod
ata_generic             2983  0 
ata_piix               21012  0 
uhci_hcd               18537  0 
ehci_hcd               31151  0 
thermal                11754  0 
libata                133536  2 ata_generic,ata_piix
virtio_net             10513  0 
virtio_blk              4225  2 
floppy                 49055  0 
thermal_sys            11942  2 processor,thermal
usbcore               122135  3 uhci_hcd,ehci_hcd
nls_base                6377  1 usbcore
scsi_mod              122133  3 sg,sr_mod,libata
virtio_pci              5535  0 
virtio_ring             3210  1 virtio_pci
virtio                  3309  4 virtio_balloon,virtio_net,virtio_blk,virtio_pci

** Network interface configuration:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

auto eth1.100
iface eth1.100 inet static
	address 213.178.168.253
	netmask 255.255.255.248

#

auto br1
iface br1 inet static
        address 172.16.231.254
        netmask 255.255.255.128
	pre-up brctl addbr br1

#

auto br0
iface br0 inet static
        address 172.16.231.126
        netmask 255.255.255.128
        pre-up brctl addbr br0

** Network status:
*** IP interfaces and addresses:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:dd:5e:72 brd ff:ff:ff:ff:ff:ff
    inet 212.9.191.121/25 brd 212.9.191.127 scope global eth0
    inet6 fe80::5054:ff:fedd:5e72/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:91:f8:5d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:fe91:f85d/64 scope link 
       valid_lft forever preferred_lft forever
4: eth1.100@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 52:54:00:91:f8:5d brd ff:ff:ff:ff:ff:ff
    inet 213.178.168.253/29 brd 213.178.168.255 scope global eth1.100
    inet6 fe80::5054:ff:fe91:f85d/64 scope link 
       valid_lft forever preferred_lft forever
5: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN 
    link/ether 00:18:51:7f:1f:38 brd ff:ff:ff:ff:ff:ff
    inet 172.16.231.254/25 brd 172.16.231.255 scope global br1
    inet6 fe80::6841:4ff:feb9:28fa/64 scope link 
       valid_lft forever preferred_lft forever
6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN 
    link/ether 00:18:51:86:15:06 brd ff:ff:ff:ff:ff:ff
    inet 172.16.231.126/25 brd 172.16.231.127 scope global br0
    inet6 fe80::9cdd:92ff:fec3:20b1/64 scope link 
       valid_lft forever preferred_lft forever
7: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN 
    link/void 
8: veth100.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN 
    link/ether 00:18:51:86:15:06 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::218:51ff:fe86:1506/64 scope link 
       valid_lft forever preferred_lft forever
9: veth200.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN 
    link/ether 00:18:51:7f:1f:38 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::218:51ff:fe7f:1f38/64 scope link 
       valid_lft forever preferred_lft forever

*** Device statistics:
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    3240      27    0    0    0     0          0         0     3240      27    0    0    0     0       0          0
  eth0: 9735627   62071    0    0    0     0          0         0 60667739  826887    0    0    0     0       0          0
  eth1:63808610  839660    0    0    0     0          0         0   136200    2952    0    0    0     0       0          0
eth1.100:52048686  839583    0    0    0     0          0         2   135778    2947    0    0    0     0       0          0
   br1:    9324     117    0    0    0     0          0         1    11446     123    0    0    0     0       0          0
   br0:    2548      33    0    0    0     0          0         1     4152      52    0    0    0     0       0          0
venet0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
veth100.0:    2932      39    0    0    0     0          0         0     3096      42    0    1    0     0       0          0
veth200.0:    9708     123    0    0    0     0          0         0     9648     122    0    1    0     0       0          0

*** Protocol statistics:
Ip:
    830010 total packets received
    9369 with invalid headers
    804122 forwarded
    0 incoming packets discarded
    16400 incoming packets delivered
    823995 requests sent out
    80 dropped because of missing route
Icmp:
    93 ICMP messages received
    4 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 8
        echo requests: 82
        echo replies: 3
    7619 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 104
        time exceeded: 7430
        echo request: 3
        echo replies: 82
IcmpMsg:
        InType0: 3
        InType3: 8
        InType8: 82
        OutType0: 82
        OutType3: 104
        OutType8: 3
        OutType11: 7430
Tcp:
    32 active connections openings
    278 passive connection openings
    11 failed connection attempts
    0 connection resets received
    2 connections established
    13278 segments received
    10720 segments send out
    25 segments retransmited
    0 bad segments received.
    838 resets sent
Udp:
    1514 packets received
    97 packets to unknown port received.
    0 packet receive errors
    1511 packets sent
UdpLite:
TcpExt:
    8 resets received for embryonic SYN_RECV sockets
    15 TCP sockets finished time wait in fast timer
    836 delayed acks sent
    Quick ack mode was activated 3 times
    321 packets directly queued to recvmsg prequeue.
    1 bytes directly received in process context from prequeue
    7175 packet headers predicted
    790 acknowledgments not containing data payload received
    3980 predicted acknowledgments
    7 congestion windows recovered without slow start after partial ack
    1 timeouts after SACK recovery
    22 other TCP timeouts
    3 DSACKs sent for old packets
    11 DSACKs received
    TCPDSACKIgnoredOld: 2
    TCPDSACKIgnoredNoUndo: 2
IpExt:
    InNoRoutes: 3
    InBcastPkts: 1269
    InOctets: 54274924
    OutOctets: 49020125
    InBcastOctets: 132643

*** Device features:
br0: 0x1820
br1: 0x1820
eth0: 0x220
eth1: 0x220
eth1.100: 0x0
lo: 0x10013865
venet0: 0x18001420
veth100.0: 0x18001020
veth200.0: 0x18001020

** PCI devices:
00:00.0 Host bridge [0600]: Intel Corporation 440FX - 82441FX PMC [Natoma] [8086:1237] (rev 02)
	Subsystem: Qumranet, Inc. Qemu virtual machine [1af4:1100]
	Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-

00:01.0 ISA bridge [0601]: Intel Corporation 82371SB PIIX3 ISA [Natoma/Triton II] [8086:7000]
	Subsystem: Qumranet, Inc. Qemu virtual machine [1af4:1100]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0

00:01.1 IDE interface [0101]: Intel Corporation 82371SB PIIX3 IDE [Natoma/Triton II] [8086:7010] (prog-if 80 [Master])
	Subsystem: Qumranet, Inc. Qemu virtual machine [1af4:1100]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0
	Region 0: [virtual] Memory at 000001f0 (32-bit, non-prefetchable) [size=8]
	Region 1: [virtual] Memory at 000003f0 (type 3, non-prefetchable) [size=1]
	Region 2: [virtual] Memory at 00000170 (32-bit, non-prefetchable) [size=8]
	Region 3: [virtual] Memory at 00000370 (type 3, non-prefetchable) [size=1]
	Region 4: I/O ports at c000 [size=16]
	Kernel driver in use: ata_piix

00:01.2 USB Controller [0c03]: Intel Corporation 82371SB PIIX3 USB [Natoma/Triton II] [8086:7020] (rev 01) (prog-if 00 [UHCI])
	Subsystem: Qumranet, Inc. Qemu virtual machine [1af4:1100]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0
	Interrupt: pin D routed to IRQ 10
	Region 4: I/O ports at c020 [size=32]
	Kernel driver in use: uhci_hcd

00:01.3 Bridge [0680]: Intel Corporation 82371AB/EB/MB PIIX4 ACPI [8086:7113] (rev 03)
	Subsystem: Qumranet, Inc. Qemu virtual machine [1af4:1100]
	Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Interrupt: pin A routed to IRQ 9
	Kernel driver in use: piix4_smbus

00:02.0 VGA compatible controller [0300]: Cirrus Logic GD 5446 [1013:00b8] (prog-if 00 [VGA controller])
	Subsystem: Qumranet, Inc. Device [1af4:1100]
	Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Region 0: Memory at f0000000 (32-bit, prefetchable) [size=32M]
	Region 1: Memory at f2000000 (32-bit, non-prefetchable) [size=4K]
	Expansion ROM at f2010000 [disabled] [size=64K]

00:03.0 RAM memory [0500]: Qumranet, Inc. Virtio memory balloon [1af4:1002]
	Subsystem: Qumranet, Inc. Device [1af4:0005]
	Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Interrupt: pin A routed to IRQ 11
	Region 0: I/O ports at c040 [size=32]
	Kernel driver in use: virtio-pci

00:04.0 SCSI storage controller [0100]: Qumranet, Inc. Virtio block device [1af4:1001]
	Subsystem: Qumranet, Inc. Device [1af4:0002]
	Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Interrupt: pin A routed to IRQ 10
	Region 0: I/O ports at c080 [size=64]
	Region 1: Memory at f2020000 (32-bit, non-prefetchable) [size=4K]
	Capabilities: [40] MSI-X: Enable+ Count=2 Masked-
		Vector table: BAR=1 offset=00000000
		PBA: BAR=1 offset=00000800
	Kernel driver in use: virtio-pci

00:05.0 Ethernet controller [0200]: Qumranet, Inc. Virtio network device [1af4:1000]
	Subsystem: Qumranet, Inc. Device [1af4:0001]
	Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Interrupt: pin A routed to IRQ 10
	Region 0: I/O ports at c0c0 [size=32]
	Region 1: Memory at f2021000 (32-bit, non-prefetchable) [size=4K]
	Expansion ROM at f2028000 [disabled] [size=32K]
	Capabilities: [40] MSI-X: Enable+ Count=3 Masked-
		Vector table: BAR=1 offset=00000000
		PBA: BAR=1 offset=00000800
	Kernel driver in use: virtio-pci

00:07.0 Ethernet controller [0200]: Qumranet, Inc. Virtio network device [1af4:1000]
	Subsystem: Qumranet, Inc. Device [1af4:0001]
	Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Interrupt: pin A routed to IRQ 11
	Region 0: I/O ports at c0e0 [size=32]
	Region 1: Memory at f2030000 (32-bit, non-prefetchable) [size=4K]
	Expansion ROM at f2038000 [disabled] [size=32K]
	Capabilities: [40] MSI-X: Enable+ Count=3 Masked-
		Vector table: BAR=1 offset=00000000
		PBA: BAR=1 offset=00000800
	Kernel driver in use: virtio-pci


** USB devices:
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-openvz-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages linux-image-2.6.32-5-openvz-amd64 depends on:
ii  debconf [debconf-2.0]         1.5.33     Debian configuration management sy
ii  initramfs-tools [linux-initra 0.97.2     tools for generating an initramfs
ii  linux-base                    2.6.32-18  Linux image base package
ii  module-init-tools             3.12-1     tools for managing Linux kernel mo
ii  vzctl                         3.0.23-18  server virtualization solution - c

Versions of packages linux-image-2.6.32-5-openvz-amd64 recommends:
pn  firmware-linux-free           <none>     (no description available)

Versions of packages linux-image-2.6.32-5-openvz-amd64 suggests:
pn  grub | lilo                   <none>     (no description available)
pn  linux-doc-2.6.32              <none>     (no description available)

Versions of packages linux-image-2.6.32-5-openvz-amd64 is related to:
pn  firmware-bnx2                 <none>     (no description available)
pn  firmware-bnx2x                <none>     (no description available)
pn  firmware-ipw2x00              <none>     (no description available)
pn  firmware-ivtv                 <none>     (no description available)
pn  firmware-iwlwifi              <none>     (no description available)
pn  firmware-linux                <none>     (no description available)
pn  firmware-linux-nonfree        <none>     (no description available)
pn  firmware-qlogic               <none>     (no description available)
pn  firmware-ralink               <none>     (no description available)
pn  xen-hypervisor                <none>     (no description available)

-- debconf information:
  linux-image-2.6.32-5-openvz-amd64/postinst/missing-firmware-2.6.32-5-openvz-amd64:
  shared/kernel-image/really-run-bootloader: true
  linux-image-2.6.32-5-openvz-amd64/postinst/depmod-error-initrd-2.6.32-5-openvz-amd64: false
  linux-image-2.6.32-5-openvz-amd64/prerm/would-invalidate-boot-loader-2.6.32-5-openvz-amd64: true
  linux-image-2.6.32-5-openvz-amd64/postinst/bootloader-error-2.6.32-5-openvz-amd64:
  linux-image-2.6.32-5-openvz-amd64/prerm/removing-running-kernel-2.6.32-5-openvz-amd64: true
  linux-image-2.6.32-5-openvz-amd64/postinst/ignoring-do-bootloader-2.6.32-5-openvz-amd64:
  linux-image-2.6.32-5-openvz-amd64/postinst/bootloader-test-error-2.6.32-5-openvz-amd64:


More information:
-----------------

I have problems with the following setup:

The scenario:

- I have a VZ server based on Debian Squeeze AMD64 using the latest OpenVZ kernel from Debian unstable, 2.6.32-15. The system's other packages are up to date.

- The system has two Ethernet devices, eth0 (external) and eth1, which is a physical interface for an 802.1Q trunk.

- I have two bridge devices, br0 and br1, each with its own IP subnet and no attached physical Ethernet device, to form "virtual DMZs" on the host. The traffic is routed between the networks.

- There is a VE attached to every bridge device. It uses veth as its network subsystem.

- I use Openswan 1:2.6.26+dfsg-1 for IPsec tunnels.

The Problem:

I can access the VE from the LAN attached to e.g. eth0 or eth1.100 (VLAN) without any problem. I can also ping from one VE to the other, or to hosts on the LAN.

I can use the VPN tunnel to ping hosts on the physical LAN, and I can also ping the host's IP addresses on the bridge devices. But I _cannot_ ping the VE's IP itself through the IPsec tunnel. I can see the packets travelling to br1 in tcpdump, but the VE does not answer. I can also see the packets _inside_ the VE using tcpdump on eth0, but the VE does not answer.

The strangest thing is: if I ping back from the VE to the VPN client's IP address, I can see bidirectional traffic on br1 using tcpdump, but the ping command inside the VE does not get any packet back. The VPN client is 192.168.10.1; the VE has 172.16.231.129. This is what I see in tcpdump:

15:06:30.496483 IP 172.16.231.129 > 192.168.10.1: ICMP echo request, id 318, seq 10, length 64
15:06:30.498103 IP 192.168.10.1 > 172.16.231.129: ICMP echo reply, id 318, seq 10, length 64
15:06:31.504440 IP 172.16.231.129 > 192.168.10.1: ICMP echo request, id 318, seq 11, length 64
15:06:31.507335 IP 192.168.10.1 > 172.16.231.129: ICMP echo reply, id 318, seq 11, length 64
15:06:32.512414 IP 172.16.231.129 > 192.168.10.1: ICMP echo request, id 318, seq 12, length 64
15:06:32.532765 IP 192.168.10.1 > 172.16.231.129: ICMP echo reply, id 318, seq 12, length 64
15:06:33.520455 IP 172.16.231.129 > 192.168.10.1: ICMP echo request, id 318, seq 13, length 64
15:06:33.524663 IP 192.168.10.1 > 172.16.231.129: ICMP echo reply, id 318, seq 13, length 64
15:06:34.528431 IP 172.16.231.129 > 192.168.10.1: ICMP echo request, id 318, seq 14, length 64
15:06:34.530911 IP 192.168.10.1 > 172.16.231.129: ICMP echo reply, id 318, seq 14, length 64

And this is what ping shows when stopped after a while:

root@proxy:/# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
^C
--- 192.168.10.1 ping statistics ---
84 packets transmitted, 0 received, 100% packet loss, time 83663ms

Here is the network debug output:

Routing table inside the proxy VE:

root@proxy:/# ip route list table all
172.16.231.128/25 dev eth0 proto kernel scope link src 172.16.231.129
default via 172.16.231.254 dev eth0
local 172.16.231.129 dev eth0 table local proto kernel scope host src 172.16.231.129
broadcast 172.16.231.128 dev eth0 table local proto kernel scope link src 172.16.231.129
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.16.231.255 dev eth0 table local proto kernel scope link src 172.16.231.129
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255
local ::1 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::218:51ff:febd:fe1d via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
ff00::/8 dev eth0 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255

Routing table on the host system:

root@vzhost01:~# ip route list table all
213.178.168.248/29 dev eth1.100 proto kernel scope link src 213.178.168.253
212.9.191.0/25 dev eth0 proto kernel scope link src 212.9.191.121
172.16.231.128/25 dev br1 proto kernel scope link src 172.16.231.254
172.16.231.0/25 dev br0 proto kernel scope link src 172.16.231.126
default via 212.9.191.1 dev eth0
broadcast 212.9.191.127 dev eth0 table local proto kernel scope link src 212.9.191.121
broadcast 172.16.231.128 dev br1 table local proto kernel scope link src 172.16.231.254
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 213.178.168.248 dev eth1.100 table local proto kernel scope link src 213.178.168.253
broadcast 172.16.231.0 dev br0 table local proto kernel scope link src 172.16.231.126
broadcast 213.178.168.255 dev eth1.100 table local proto kernel scope link src 213.178.168.253
local 212.9.191.121 dev eth0 table local proto kernel scope host src 212.9.191.121
local 213.178.168.253 dev eth1.100 table local proto kernel scope host src 213.178.168.253
local 172.16.231.126 dev br0 table local proto kernel scope host src 172.16.231.126
broadcast 172.16.231.127 dev br0 table local proto kernel scope link src 172.16.231.126
local 172.16.231.254 dev br1 table local proto kernel scope host src 172.16.231.254
broadcast 212.9.191.0 dev eth0 table local proto kernel scope link src 212.9.191.121
broadcast 172.16.231.255 dev br1 table local proto kernel scope link src 172.16.231.254
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1.100 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev br1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev br0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev veth100.0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev veth200.0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255
local ::1 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::218:51ff:fe7f:1f38 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::218:51ff:fe86:1506 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::5054:ff:fe91:f85d via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::5054:ff:fe91:f85d via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::5054:ff:fedd:5e72 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::ac33:a8ff:fe5b:a9e9 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::cc5e:d0ff:fe76:5956 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
ff00::/8 dev eth1 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth1.100 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev br1 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev br0 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth0 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev veth100.0 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev veth200.0 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255

I am sure that there are no iptables filters active. Here comes the dump:

root@vzhost01:~# iptables -t nat -L && iptables -t filter -L && iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination 

I also reported this here 

http://forum.openvz.org/index.php?t=tree&goto=39937&&srch=ipsec#msg_39937

but without success.
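A small helper for the kind of comparison made above (replies visible on the bridge capture versus replies that ping inside the VE actually received), added here as an example and not part of the bug report; the capture text is a constructed sample modelled on the tcpdump lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample capture, modelled on the tcpdump output in the report
# (request seq 11 deliberately has no reply so the unanswered path is exercised).
SAMPLE_CAPTURE = """\
15:06:30.496483 IP 172.16.231.129 > 192.168.10.1: ICMP echo request, id 318, seq 10, length 64
15:06:30.498103 IP 192.168.10.1 > 172.16.231.129: ICMP echo reply, id 318, seq 10, length 64
15:06:31.504440 IP 172.16.231.129 > 192.168.10.1: ICMP echo request, id 318, seq 11, length 64
15:06:32.512414 IP 172.16.231.129 > 192.168.10.1: ICMP echo request, id 318, seq 12, length 64
15:06:32.532765 IP 192.168.10.1 > 172.16.231.129: ICMP echo reply, id 318, seq 12, length 64
"""

# Matches the default tcpdump one-line format for ICMP echo request/reply.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(text):
    """Yield (timestamp, src, dst, kind, icmp_id, seq) for each echo line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["ts"], m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"]))


def correlate(text):
    """Pair requests and replies by (icmp_id, seq) as seen on the capture."""
    seen = defaultdict(lambda: {"request": False, "reply": False})
    for _ts, _src, _dst, kind, icmp_id, seq in parse_icmp(text):
        seen[(icmp_id, seq)][kind] = True
    return dict(seen)


def bridge_vs_ping(text, ping_received):
    """Compare replies seen on the bridge with what ping reported receiving.

    Returns (replies_on_bridge, unanswered_seqs, lost_after_bridge): a positive
    third value means replies crossed the bridge but never reached the pinger,
    which points at the veth/VE delivery path rather than the VPN or the peer.
    """
    pairs = correlate(text)
    answered = [s for (_i, s), st in pairs.items() if st["request"] and st["reply"]]
    unanswered = sorted(s for (_i, s), st in pairs.items() if st["request"] and not st["reply"])
    return len(answered), unanswered, len(answered) - ping_received
```

Run against a real capture with the received count from the ping statistics line; a large third value with an empty unanswered list reproduces the symptom described in this report.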