Re: [lvs-users] Firewall on LVS NAT

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Firewall on LVS NAT
From: <brent@xxxxxxxxxxx>
Date: Fri, 06 Aug 2010 12:39:27 -0600
Thanks for the heads up. I'll have to brush up on my kernel hacking
skills. Has anyone been able to successfully run LVS-NAT with stateful
firewall w/o the patch using a stock kernel (e.g. Centos 5)? Thanks, Brent

On Fri, 6 Aug 2010 08:51:25 -0500, Jay Faulkner
<jay.faulkner@xxxxxxxxxxxxx> wrote:
> -----Original Message-----
> From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
> [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Brent Jensen
> Sent: Friday, August 06, 2010 12:29 AM
> To: LinuxVirtualServer.org users mailing list.
> Subject: Re: [lvs-users] Firewall on LVS NAT
> 
> More info. I now realize that these dropped packets are FIN and RST ACKs
> being blocked, probably because my rules to the VIP include: -m state
> --state NEW -j ACCEPT. Can these dropped packets affect the TCP
> connections, resulting in client connection issues?
> 
> 
> 
> Brent,
> 
> I feel particularly sad for you, I had to troubleshoot this same issue and
> had a very, very bad week.
> 
> In my environment, I was able to fix the problem by recompiling my kernel
> with Julian's NFCT patchset: http://www.ssi.bg/~ja/nfct/ (something similar
> to this will be in 2.6.36, Hooray!). I'm not sure exactly why it happens,
> but I suspect that iptables can't get a good take on the "STATE" of a
> connection in LVS, because LVS partially bypasses netfilter.
> 
> Give it a shot and let me know how it works.
> 
> --
> Jason Faulkner
> Linux Engineer
> Rackspace Email & Apps
> 
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
> 
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users


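Brent's observation that the dropped packets are FIN/ACK and RST/ACK segments to the VIP is the kind of claim worth confirming from the firewall's own logs before recompiling a kernel. The script below is an added example, not code from the thread or from the LVS project: it assumes a LOG rule was placed directly before the DROP in the chain that handles VIP traffic (with a `--log-prefix` of "VIP-DROP: ", a name chosen here), and it parses the kernel's iptables LOG line format to count how many of the dropped TCP packets are connection-teardown segments rather than new SYNs. The log lines embedded in it are constructed for the example; the VIP 192.0.2.80 and the client addresses are documentation-range placeholders.

```python
import re
from collections import Counter

# TCP flag tokens as the iptables LOG target prints them (bare words after RES=).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# Constructed sample lines (not real captures from the thread) in the iptables
# LOG format, as they would appear in the kernel log on the director.
SAMPLE_LOG = """\
Aug  6 00:12:01 lb1 kernel: VIP-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.80 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=4321 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=229 RES=0x00 ACK FIN URGP=0
Aug  6 00:12:01 lb1 kernel: VIP-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.11 DST=192.0.2.80 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=4322 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug  6 00:12:02 lb1 kernel: VIP-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.12 DST=192.0.2.80 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4323 DF PROTO=TCP SPT=51236 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  6 00:12:03 lb1 kernel: VIP-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.13 DST=192.0.2.80 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=4324 DF PROTO=UDP SPT=51237 DPT=53 LEN=32
"""


def parse_log_line(line):
    """Split one iptables LOG line into its KEY=VALUE fields plus the set of
    bare TCP flag tokens. Tokens without '=' that are not flags (hostname,
    'kernel:', the log prefix, 'DF') are ignored."""
    entry = {"flags": set()}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            entry[key] = value
        elif tok in TCP_FLAGS:
            entry["flags"].add(tok)
    return entry


def classify(entry):
    """Label a dropped TCP packet by the role its flags imply in the connection."""
    flags = entry["flags"]
    if "FIN" in flags and "ACK" in flags:
        return "fin_ack"          # orderly close from the peer
    if "RST" in flags:
        return "rst_ack" if "ACK" in flags else "rst"   # abort
    if flags == {"SYN"}:
        return "syn"              # a genuinely NEW connection attempt
    return "other"                # mid-stream data/ACK segments


def summarize(log_text, vip):
    """Count dropped TCP packets addressed to the VIP by class."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_log_line(line)
        if entry.get("DST") != vip or entry.get("PROTO") != "TCP":
            continue
        counts[classify(entry)] += 1
    return counts


def teardown_share(counts):
    """Fraction of dropped TCP packets that are FIN/ACK or RST/ACK segments.
    A value near 1.0 matches the symptom in the thread: conntrack is not
    matching these packets to an ESTABLISHED flow, so a ruleset that only
    accepts --state NEW drops them."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return (counts["fin_ack"] + counts["rst_ack"]) / total


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG, "192.0.2.80")
    for label, n in sorted(summary.items()):
        print(f"{label:8s} {n}")
    print(f"teardown share: {teardown_share(summary):.2f}")
```

Run it against the director's real kernel log (for example the output of `dmesg` or `/var/log/messages` filtered on the chosen prefix) instead of `SAMPLE_LOG`. If nearly all drops are FIN/ACK or RST/ACK and almost none are bare SYNs, the ruleset is not rejecting new clients; it is dropping the close of connections that conntrack never saw as established, which is the behaviour Jay attributes to LVS partially bypassing netfilter. If the drops are mostly "other" (mid-stream ACK/PSH segments), the problem is wider than teardown and the same state-tracking gap is affecting live transfers.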