Re: [lvs-users] Firewall on LVS NAT

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Firewall on LVS NAT
From: Brent Jensen <brent@xxxxxxxxxxx>
Date: Mon, 09 Aug 2010 08:10:58 -0700
I'm using ip_conntrack so it's 
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal (or sysctl equiv).

That didn't seem to change the remaining drops.

Thanks,

Brent


At 09:01 AM 8/9/2010 -0500, you wrote:
>Brent, did you set this value (it might be different on CentOS stock, I'm 
>running 2.6.27):
>
>net.netfilter.nf_conntrack_tcp_be_liberal = 1
>
>That might resolve the remainder of your dropped FIN/RST.
>
>Jason Faulkner
>Linux Engineer, Rackspace Email & Apps
>jason.faulkner@xxxxxxxxxxxxx
>o: (540) 443-2101 (ex. 505-2101)
>
>
> > -----Original Message-----
> > From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:lvs-users-
> > bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Brent Jensen
> > Sent: Monday, August 09, 2010 12:26 AM
> > To: LinuxVirtualServer.org users mailing list.
> > Subject: Re: [lvs-users] Firewall on LVS NAT
> >
> > Update: The NFCT patch greatly reduced the dropped ACK FIN & ACK RST.
> > There still are a few so I don't know what is causing this, but it is small
> > compared to what I was getting before. Those users who had terrible
> > connection problems seem to have no problems at all now. So thanks Jay for
> > heading me in the right direction. For some reason this didn't appear to be as
> > big of a problem in kernel 2.4.x, although it still might have existed.
> >
> > I also ran across a script from Golan Zakai
> > http://golanzakai.blogspot.com/2010/07/julians-nfct-patch-on-centos.html
> > that greatly automates the custom kernel build in Centos 5.
> >
> > Thanks for all of your help,
> >
> > Brent
> >
> > At 12:39 PM 8/6/2010 -0600, you wrote:
> >
> > >Thanks for the heads up. I'll have to brush up on my kernel hacking
> > >skills. Has anyone been able to successfully run LVS-NAT with stateful
> > >firewall w/o the patch using a stock kernel (e.g. Centos 5)? Thanks,
> > >Brent
> > >
> > >On Fri, 6 Aug 2010 08:51:25 -0500, Jay Faulkner
> > ><jay.faulkner@xxxxxxxxxxxxx> wrote:
> > > > -----Original Message-----
> > > > From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
> > > > [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Brent Jensen
> > > > Sent: Friday, August 06, 2010 12:29 AM
> > > > To: LinuxVirtualServer.org users mailing list.
> > > > Subject: Re: [lvs-users] Firewall on LVS NAT
> > > >
> > > > More info. I now realize that these dropped packets are FIN and RST
> > > > ACKs being blocked, probably because my rules to the VIP include: -m
> > > > state --state NEW -j ACCEPT. Can these dropped packets affect the
> > > > TCP connections, resulting in client connection issues?
> > > >
> > > >
> > > >
> > > > Brent,
> > > >
> > > > I feel particularly sad for you; I had to troubleshoot this same
> > > > issue and had a very, very bad week.
> > > >
> > > > In my environment, I was able to fix the problem by recompiling my
> > > > kernel with Julian's NFCT patchset: http://www.ssi.bg/~ja/nfct/ (something
> > > > similar to this will be in 2.6.36, Hooray!). I'm not sure exactly why it
> > > > happens, but I suspect that iptables can't get a good take on the "STATE" of
> > > > a connection in LVS, because LVS partially bypasses netfilter.
> > > >
> > > > Give it a shot and let me know how it works.
> > > >
> > > > --
> > > > Jason Faulkner
> > > > Linux Engineer
> > > > Rackspace Email & Apps
> >


_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
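An added example, not code posted by anyone in this thread, for two things the thread leaves to the reader: confirming that the packets a stateful ruleset drops at the VIP really are the ACK FIN / ACK RST packets Brent describes, and picking the tcp_be_liberal sysctl key for whichever conntrack module is loaded (ip_conntrack on the CentOS 5 stock kernel, nf_conntrack on Jason's 2.6.27). The LOG prefix "VIP-DROP: ", the addresses, the INPUT-chain ruleset layout and the /proc-root argument are assumptions made for the example; the sample log lines are constructed in the kernel's iptables LOG format, not captured data. The thread's own result stands: for Brent the sysctl did not remove the remaining drops, and it was the NFCT patch that took most of them away.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone on the list.
# 1. Classify packets dropped by a stateful ruleset on an LVS-NAT director by
#    their TCP flags, from iptables LOG lines, so you can see whether the drops
#    are the FIN/ACK and RST/ACK packets the thread talks about.
# 2. Pick the tcp_be_liberal sysctl key for the conntrack module actually
#    loaded (ip_conntrack on older kernels, nf_conntrack on newer ones).
# Assumptions: the LOG prefix "VIP-DROP: ", the addresses and the INPUT-chain
# layout are made up for the example.

# Constructed iptables LOG lines in the kernel's own format (not captured data).
SAMPLE_LOG='Aug  9 08:10:58 director kernel: VIP-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=51234 DPT=80 WINDOW=229 RES=0x00 ACK FIN URGP=0
Aug  9 08:10:59 director kernel: VIP-DROP: IN=eth0 OUT= SRC=203.0.113.6 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40001 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug  9 08:11:02 director kernel: VIP-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=51300 DPT=443 WINDOW=229 RES=0x00 ACK FIN URGP=0
Aug  9 08:11:05 director kernel: VIP-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# TCP flag tokens of one LOG line: iptables prints them as separate words
# between RES=0x.. and URGP=, e.g. "ACK FIN", "ACK RST" or "SYN".
tcp_flags_of() {
    printf '%s\n' "$1" | sed -n 's/.*RES=0x[0-9A-Fa-f]* \(.*\) URGP=.*/\1/p'
}

# Count log lines (read from stdin) whose flag set is exactly $1.
count_drops_with_flags() {
    want=$1
    n=0
    while IFS= read -r line; do
        if [ "$(tcp_flags_of "$line")" = "$want" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# sysctl key for tcp_be_liberal under the conntrack flavour that is loaded.
# $1 is the /proc root (default /proc); a different root makes this testable
# offline. Prints nothing if neither conntrack sysctl exists.
be_liberal_sysctl_key() {
    root=${1:-/proc}
    if [ -e "$root/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal" ]; then
        echo net.ipv4.netfilter.ip_conntrack_tcp_be_liberal
    elif [ -e "$root/sys/net/netfilter/nf_conntrack_tcp_be_liberal" ]; then
        echo net.netfilter.nf_conntrack_tcp_be_liberal
    fi
}

# The kind of VIP ruleset the thread describes (NEW accepted per service, the
# rest relying on ESTABLISHED), with a LOG rule in front of the final DROP so
# that whatever conntrack fails to match is written to the kernel log for the
# counter above. Printed, not applied.
vip_rules() {
    vip=$1
    cat <<EOF
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -d $vip -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -d $vip -p tcp -j LOG --log-prefix "VIP-DROP: "
iptables -A INPUT -d $vip -j DROP
EOF
}

# Demo over the constructed sample: the FIN/ACK and RST/ACK drops are the
# symptom from the thread; the SYN drop is just a closed port.
for flags in "ACK FIN" "ACK RST" "SYN"; do
    printf '%-8s dropped: %s\n' "$flags" \
        "$(printf '%s\n' "$SAMPLE_LOG" | count_drops_with_flags "$flags")"
done
key=$(be_liberal_sysctl_key)
if [ -n "$key" ]; then
    echo "relax conntrack window checking with: sysctl -w $key=1"
else
    echo "no conntrack tcp_be_liberal sysctl under /proc (module not loaded?)"
fi
```

Run it on the director as `sh classify_drops.sh`, or feed real output of `dmesg | grep VIP-DROP` into count_drops_with_flags. If the drops are almost all ACK FIN and ACK RST rather than SYN, the ruleset is not blocking new connections; it is conntrack failing to recognise the tail of connections that LVS has already handled, which is the situation the NFCT patch addresses.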
