
Re: [PATCH 2/6] move ipvs to PRE/POSTROUTING

To: LVS Devel <lvs-devel@xxxxxxxxxxxxxxx>
Subject: Re: [PATCH 2/6] move ipvs to PRE/POSTROUTING
From: Jason Stubbs <j.stubbs@xxxxxxxxxxxxxxx>
Date: Fri, 18 Apr 2008 13:59:47 +0900
On Thursday 17 April 2008 15:59:47 Jason Stubbs wrote:
> On further investigation, the behaviour is the same regardless of whether
> it is a VIP or a real host. When a SYN_SENT state exists traffic doesn't
> flow. However, if there is no state and an ACK (no SYN) packet arrives, an
> ESTABLISHED entry is created such as:
>
> ipv4     2 tcp      6 431996 ESTABLISHED src=192.168.0.104 dst=192.168.1.3
> sport=20001 dport=80 packets=1 bytes=54 [UNREPLIED] src=192.168.1.3
> dst=192.168.0.104 sport=80 dport=20001 packets=0 bytes=0 mark=0 use=1
>
> After this the connection can complete normally. I wonder if this is not a
> bug in conntrack handling? It doesn't seem right to me.

There's an undocumented (as far as I can tell) sysctl that controls this 
called net.netfilter.nf_conntrack_tcp_loose which defaults to 1. Turning it 
off gave the behaviour I expected.

-- 
Jason Stubbs <j.stubbs@xxxxxxxxxxxxxxx>
LINKTHINK INC.
N.E.S Bldg. S 3F, 22-14 Sakuragaoka-cho, Shibuya-ku, Tokyo
TEL 03-5728-4772  FAX 03-5728-4773
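
A check built on the conntrack entry quoted above, as an added example that is not part of the original message: it parses entries in that format and flags TCP flows recorded as ESTABLISHED without any reply packet, and reads the current value of net.netfilter.nf_conntrack_tcp_loose. The function names are hypothetical, the second sample line is constructed, and the /proc path is assumed to be the usual procfs location of that sysctl.

```python
import re
from pathlib import Path

# Constructed sample in the format quoted in the message. Line 1 repeats the quoted
# entry (joined onto one line); line 2 is a constructed, fully tracked flow.
SAMPLE = """\
ipv4     2 tcp      6 431996 ESTABLISHED src=192.168.0.104 dst=192.168.1.3 sport=20001 dport=80 packets=1 bytes=54 [UNREPLIED] src=192.168.1.3 dst=192.168.0.104 sport=80 dport=20001 packets=0 bytes=0 mark=0 use=1
ipv4     2 tcp      6 431990 ESTABLISHED src=192.168.0.105 dst=192.168.1.3 sport=20002 dport=80 packets=5 bytes=420 src=192.168.1.3 dst=192.168.0.105 sport=80 dport=20002 packets=4 bytes=388 [ASSURED] mark=0 use=1
"""

LOOSE_SYSCTL = "/proc/sys/net/netfilter/nf_conntrack_tcp_loose"
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)(?: packets=(\d+))?")

def loose_pickup_enabled(path=LOOSE_SYSCTL):
    """True/False from the sysctl, or None if it cannot be read on this host."""
    try:
        return Path(path).read_text().strip() != "0"
    except OSError:
        return None

def parse_entry(line):
    """Parse one TCP conntrack entry; return None for anything else."""
    fields = line.split()
    if len(fields) < 6 or fields[2] != "tcp":
        return None
    tuples = TUPLE_RE.findall(line)  # original tuple first, reply tuple second
    if len(tuples) != 2:
        return None
    (src, dst, sport, dport, opkts), (_, _, _, _, rpkts) = tuples
    return {
        "state": fields[5],
        "orig": (src, int(sport), dst, int(dport)),
        "orig_packets": int(opkts or 0),  # counters are absent if accounting is off
        "reply_packets": int(rpkts or 0),
        "unreplied": "[UNREPLIED]" in fields,
    }

def picked_up_midstream(text):
    """Return ESTABLISHED entries that never saw a reply packet.

    Heuristic (assumption): a tracked handshake includes the peer's SYN/ACK, so
    ESTABLISHED together with [UNREPLIED] points to an entry created from a
    bare ACK, as in the quoted output.
    """
    entries = filter(None, map(parse_entry, text.splitlines()))
    return [e for e in entries
            if e["state"] == "ESTABLISHED" and e["unreplied"] and e["reply_packets"] == 0]
```
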