Hello,
On Wed, 9 May 2001, Radu-Adrian Feurdean wrote:
> 8 hours, 2 kernel+ipvs upgrades and about 10000 lines of kernel logs after,
> not so often in the logs (still plenty of):
>
> kernel: IPVS: Incoming failed TCP checksum from bla.bla.bla.bla (size=20)!
Eth model? Maybe caused by remote attacks? I can see such
messages in my Linux 2.2 logs too.
> and
>
> kernel: IPVS: mess proto_doff for proto=6, size =20
Again a broken packet, hm. Large tcp->doff?
> kernel: IPVS: I-pkt invalid packet data size
A sequence of the above.
> 2.4.2+ipvs_0.2.6, 2.4.2+ipvs_0.2.7, 2.4.3+ipvs_0.2.8, 2.4.4+ipvs_0.2.11
> All these combinations (SMP based) crashed in less than 8 hours of high
> traffic. 2.4.2+0.2.7 resisted over a week-end at low traffic (~2.5 Mbps)
We need this crash report! But with the latest versions, please.
> > > And yes, there is netfilter (aka firewall + MASQUERADE) on the same box.
> > > (here are some other minor problems, like packets - all of them - that
> > > don't pass through chain OUTPUT, table mangle).
> >
> > The LVS packets? Is this expected behavior? What is shown
> > in the Netfilter docs? Do you use the Netfilter's IPFW compat code?
>
> Both LVS and MASQUERADE packets. It is not the expected behavior and I haven't
> found anything related in the netfilter docs (well, I didn't search very much).
Why do you expect the LVS to use the OUTPUT chain? You mention
the mangle table? Locally generated packets?
It is mentioned in the packet-filter howto. The 2.2 ipchains
behavior (the netfilter's ipfw compat mode too) is always to use the OUTPUT
chain when forwarding packets. In the new netfilter framework the OUTPUT
chain is traversed only by locally generated packets, which is not the
case with LVS. Although LVS differs from the new netfilter's behavior,
the OUTPUT chain is not traversed. LVS differs in the way the packets
are forwarded. LVS accepts the out->in traffic in the LOCAL_IN hook
(always after the INPUT chain) while netfilter forwards it through
the FORWARD chain. So, you have to revisit your OUTPUT chain usage
or drop iptables and fall back to the ipchains binary with
the netfilter's ipfw compat code. But I don't know why you use the
OUTPUT chain.
> I used only iptables (ipchains and ipfwadm compat isn't even compiled, not
> even as module)
It seems you don't need them anymore :)
> Radu-Adrian Feurdean
> mailto: raf@xxxxxxxx
> -------------------------------------------------------------------
> "If the night is silent enough you can hear a Windows NT rebooting"
Regards
--
Julian Anastasov <ja@xxxxxx>