Re: [PATCH 2/6] move ipvs to PRE/POSTROUTING

To: LVS Devel <lvs-devel@xxxxxxxxxxxxxxx>
Subject: Re: [PATCH 2/6] move ipvs to PRE/POSTROUTING
From: Jason Stubbs <j.stubbs@xxxxxxxxxxxxxxx>
Date: Thu, 17 Apr 2008 15:59:47 +0900
On Thursday 17 April 2008 12:25:54 Jason Stubbs wrote:
> On Wednesday 16 April 2008 18:10:52 Julian Anastasov wrote:
> > It is interesting what is -m state in Netfilter when
> > no replies are forwarded for LVS-DR setups, replies go directly
> > from real server to client. Are you sure long established connections
> > do not timeout shorter due to bad state in netfilter? May be
> > conntrack_tcp will be confused that only one direction works?
> This is currently working, but shouldn't be. When forwarding to a regular
> server via the LVS box, a conntrack entry in the SYN_SENT state is set up
> and no further traffic is allowed. When forwarding for a VIP, traffic is
> flowing through regardless of whether there's a conntrack entry or not. It
> must be something that ip_vs_out is doing so I'll look into it a little
> more and try to fix it.

On further investigation, the behaviour is the same regardless of whether it 
is a VIP or a real host. When a SYN_SENT state exists traffic doesn't flow. 
However, if there is no state and an ACK (no SYN) packet arrives, an 
ESTABLISHED entry is created such as:

ipv4     2 tcp      6 431996 ESTABLISHED src= dst= 
sport=20001 dport=80 packets=1 bytes=54 [UNREPLIED] src= 
dst= sport=80 dport=20001 packets=0 bytes=0 mark=0 use=1

After this the connection can complete normally. I wonder if this is not a bug 
in conntrack handling? It doesn't seem right to me.

Jason Stubbs <j.stubbs@xxxxxxxxxxxxxxx>
東京都渋谷区桜ヶ丘町22-14 N.E.S S棟 3F
TEL 03-5728-4772  FAX 03-5728-4773
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at

<Prev in Thread] Current Thread [Next in Thread>