- 05-19-2009 #1 Just Joined!
- Join Date
- May 2009
- Posts
- 8
nfs over iptables
I am running linux inside a xen vm and having trouble with nfs mounts. The nfs server is set up to recognize the host ip so I use iptables with an SNAT rule to allow my vm to talk to the nfs server. I can mount just fine but if I make nfs send packets above a certain size (~1400) then the nfs server won't respond and my vm will basically hang.
I have determined that it is a fragmentation issue because when I lower the MTU then the maximum packet size I can send goes down as well. As a workaround for now I use rsize=1024 and wsize=1024 options to nfs, but this lowers performance by about 3x.
Why would using iptables result in extra fragmentation and is there a way around it?
- 05-19-2009 #2
There is so much information not being stated here.
- First, where is the firewall located?
- What is the bandwidth that the system is connected to?
- What sizes are you talking about? You show a few numbers, but where does the 1400 come into play?
- Are you talking window size or MTU?
- Have you tried to use nfs without using iptables?
- 05-19-2009 #3 Just Joined!
1. The firewall (iptables rules) is on the host running the xen machine
2. bandwidth is 100mbit/s
3. I wrote a program that spits out N characters, where N is an argument to the program. Using default parameters to nfs when I mount, N can be a maximum of 1328. If I use N of 1329 then it hangs.
4. MTU. I used 'ifconfig eth0 mtu 1000'
5. The host uses nfs without iptables and that works fine with default parameters. Inside the vm I cannot mount nfs without using iptables because the server only recognizes the host's ip, not the ip of the vm. This can't be changed.
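The arithmetic behind the 1328/1329 threshold reported above, as an added example that is not part of the original thread. It assumes NFS over UDP, a default MTU of 1500 and option-free IPv4 headers (none of which the thread states); `RPC_OVERHEAD` is inferred from the post's numbers under those assumptions, and the function names are made up for illustration.

```python
# Added example: IPv4 fragmentation arithmetic for one NFS-over-UDP request.
# Assumptions (not stated in the thread): NFS runs over UDP, the default
# interface MTU is 1500, and IPv4 headers carry no options.

IP_HDR = 20    # IPv4 header without options
UDP_HDR = 8    # UDP header, present only in the first fragment


def fragments(udp_payload, mtu):
    """Return (offset_bytes, data_len, more_fragments) for each IPv4 packet
    needed to carry one UDP datagram with `udp_payload` bytes of data."""
    total = UDP_HDR + udp_payload      # bytes the IP layer must carry
    room = mtu - IP_HDR                # IP payload space per packet
    if total <= room:
        return [(0, total, False)]     # fits in one packet, no fragmentation
    step = room - room % 8             # non-final fragments: multiple of 8
    if step <= 0:
        raise ValueError("MTU too small to carry any fragment data")
    out, off = [], 0
    while off < total:
        size = min(step, total - off)
        out.append((off, size, off + size < total))
        off += size
    return out


def max_unfragmented_write(mtu, rpc_overhead):
    """Largest write payload that still fits in a single IPv4 packet."""
    return mtu - IP_HDR - UDP_HDR - rpc_overhead


# The thread reports that 1328 bytes works and 1329 hangs. Under the
# assumptions above, that implies this much RPC/NFS header per write.
OBSERVED_LIMIT = 1328
RPC_OVERHEAD = 1500 - IP_HDR - UDP_HDR - OBSERVED_LIMIT   # inferred, not measured

if __name__ == "__main__":
    for n in (1024, 1328, 1329):
        count = len(fragments(n + RPC_OVERHEAD, 1500))
        print(f"write of {n} bytes at MTU 1500 -> {count} packet(s)")
    print("predicted limit at MTU 1000:",
          max_unfragmented_write(1000, RPC_OVERHEAD))
```

Only the first fragment of a datagram carries the UDP header, so whatever translates or filters the flow has to handle the later fragments without seeing port numbers.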
- 05-20-2009 #4
Are the host's ip and the vm's ip on the same network, i.e., 192.168.1.x?
- 05-20-2009 #5 Just Joined!
No, the host is on 155.98.x.x and the vm is 172.18.x.x
- 05-20-2009 #6
Would be easier if they were both on the same network, would take iptables out of the picture. I still do not believe iptables is the issue here, but because both hosts and vm are not on the same network we cannot prove this. I believe this has more to do with the hosting software. Iptables is doing nothing more than changing the SRC Address.
- 05-20-2009 #7 Just Joined!
Yes I agree with your understanding about iptables which is why I'm so confused. I'm not sure I can set the vm ip to a 155.98.x address due to other constraints.
The nfs server I am using uses version 2 if that makes a difference. Any ideas of anything else to check? I'm not using any complicated software, just linux+xen+iptables+mount.
- 05-21-2009 #8
What do your iptables rules look like?
- 05-21-2009 #9 Just Joined!
/sbin/iptables -t nat -A POSTROUTING -j SNAT --to-source $host_ip -s $vm_ip --destination $nfs_server -o eth0
- 05-21-2009 #10
This is not the complete rule set; I was looking to see the complete rules.


