Hello,
On Thu, 17 May 2001, DaP wrote:
> 14:24:24.693701 10.1.1.1.443 > 192.168.3.31.3438: P 1:1449(1448) ack 19
> win 31856 <nop,nop,timestamp 392454 1837743> (DF)
> ^^^ first big packet
You should forward this message to the Netfilter mailing list.
What I see is that port 443 is not part of the LVS service. I don't
know why netfilter does not forward the ICMP to the internal host.
If in doubt, you can enable the LVS debugging (must be
compiled in), for example:
echo 15 > /proc/sys/net/ipv4/vs/debug_level
After your test you can return it to 0.
You should see some messages, something like:
- any ICMP message showed from the LVS code before any checks:
    IP_VS_DBG(12, "icmp in (%d,%d) %u.%u.%u.%u -> %u.%u.%u.%u\n",
              icmph->type, ntohs(icmp_id(icmph)),
              NIPQUAD(iph->saddr), NIPQUAD(iph->daddr));
- ICMP holding embedded TCP/UDP just before LVS lookups for connection:
    IP_VS_DBG(11, "Handling incoming ICMP for "
              "%u.%u.%u.%u:%d -> %u.%u.%u.%u:%d\n",
              NIPQUAD(ciph->saddr), ntohs(pptr[0]),
              NIPQUAD(ciph->daddr), ntohs(pptr[1]));
- and successful forwarding for NAT, for related LVS connection:
    IP_VS_DBG(11, "Forwarding incoming ICMP to "
              "%u.%u.%u.%u:%d -> %u.%u.%u.%u:%d\n",
              NIPQUAD(ciph->saddr), ntohs(pptr[0]),
              NIPQUAD(ciph->daddr), ntohs(pptr[1]));
> 14:24:24.775359 217.20.130.10 > 217.20.134.241: icmp: 192.168.3.31
> unreachable - need to frag (mtu 1024) (DF) [tos 0xc0]
> 14:24:24.775507 217.20.130.10 > 217.20.134.241: icmp: 192.168.3.31
> unreachable - need to frag (mtu 1024) (DF) [tos 0xc0]
> ^^^ got the 'need to frag'
I see it but only the debugging can show for which connection
the ICMP is. IMO, it is not LVS related but I could be wrong.
> there is nothing interesting in the routing cache, the 'need to frag'
> messages do not pass, while 'dest unreachable' do:
> 14:24:16.688657 10.1.1.121 > 10.1.1.1: icmp: 195.228.210.26 tcp port 2560
> unreachable (DF) [tos 0xc0]
What is this? -j REJECT? 1.121 and 1.1 are on the LAN, where is
195.228.210.26? I don't see NAT involved here.
> --
> DaP
Regards
--
Julian Anastasov <ja@xxxxxx>
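As an added example (not code from this thread and not part of the LVS project): a small Python parser that reads the three debug messages quoted above out of a kernel log and pairs each ICMP with the embedded connection LVS looked up, which is exactly what the reply says only the debugging can tell you. It assumes the IP_VS_DBG output reaches the log with an "IPVS: " prefix, and the log lines it contains are constructed, with addresses borrowed from the tcpdump excerpts in the thread.

```python
"""Parse LVS debug output (debug_level >= 12) to see which connection an
incoming ICMP message was attributed to.  Added example: not code from the
thread or from the LVS project.  Assumes the IP_VS_DBG lines reach the
kernel log with an "IPVS: " prefix; the three message formats are the ones
quoted in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample kernel log: addresses mirror the tcpdump excerpts in the
# thread, the port and id values are made up for illustration.
SAMPLE_LOG = """\
IPVS: icmp in (3,0) 217.20.130.10 -> 217.20.134.241
IPVS: Handling incoming ICMP for 217.20.134.241:443 -> 192.168.3.31:3438
IPVS: Forwarding incoming ICMP to 217.20.134.241:443 -> 192.168.3.31:3438
IPVS: icmp in (3,0) 10.1.1.121 -> 10.1.1.1
IPVS: Handling incoming ICMP for 10.1.1.1:1031 -> 195.228.210.26:2560
IPVS: icmp in (8,4711) 10.1.1.121 -> 10.1.1.1
eth0: link up
"""

# Regexes derived from the three IP_VS_DBG format strings.  The first prints
# the ICMP type and the value the macro calls icmp_id, not the ICMP code, so
# "need to frag" (type 3, code 4) cannot be told apart here from other
# destination-unreachable messages; tcpdump is still needed for the code.
RE_ICMP_IN = re.compile(r"icmp in \((\d+),(\d+)\) (\S+) -> (\S+)")
RE_HANDLING = re.compile(r"Handling incoming ICMP for (\S+):(\d+) -> (\S+):(\d+)")
RE_FORWARD = re.compile(r"Forwarding incoming ICMP to (\S+):(\d+) -> (\S+):(\d+)")

ICMP_TYPE_NAMES = {0: "echo reply", 3: "destination unreachable",
                   8: "echo request", 11: "time exceeded"}


@dataclass
class Event:
    kind: str                    # "icmp_in", "handling" or "forwarding"
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_id: Optional[int] = None
    sport: Optional[int] = None  # ports of the embedded (original) packet
    dport: Optional[int] = None


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a recognised LVS ICMP debug line, else None."""
    m = RE_ICMP_IN.search(line)
    if m:
        return Event("icmp_in", m.group(3), m.group(4),
                     icmp_type=int(m.group(1)), icmp_id=int(m.group(2)))
    for kind, rx in (("handling", RE_HANDLING), ("forwarding", RE_FORWARD)):
        m = rx.search(line)
        if m:
            return Event(kind, m.group(1), m.group(3),
                         sport=int(m.group(2)), dport=int(m.group(4)))
    return None


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def correlate(events: List[Event]) -> List[dict]:
    """Attach each 'icmp in' message to the 'Handling'/'Forwarding' lines that
    follow it in the log (the kernel emits them in that order for one packet),
    giving the embedded connection and whether LVS found a matching entry."""
    results: List[dict] = []
    current: Optional[dict] = None
    for ev in events:
        if ev.kind == "icmp_in":
            current = {"icmp_type": ev.icmp_type,
                       "type_name": ICMP_TYPE_NAMES.get(ev.icmp_type, "other"),
                       "from": ev.src, "to": ev.dst,
                       "connection": None, "forwarded": False}
            results.append(current)
        elif current is not None and ev.kind == "handling":
            current["connection"] = (ev.src, ev.sport, ev.dst, ev.dport)
        elif current is not None and ev.kind == "forwarding":
            current["forwarded"] = True
    return results


def report(text: str) -> List[str]:
    """Human-readable summary, one line per ICMP message seen."""
    lines = []
    for r in correlate(parse_log(text)):
        conn = ("%s:%d -> %s:%d" % r["connection"]) if r["connection"] \
            else "no embedded TCP/UDP header"
        status = ("forwarded by LVS" if r["forwarded"]
                  else "not forwarded (no LVS connection matched)")
        lines.append("ICMP %s from %s to %s: %s; %s"
                     % (r["type_name"], r["from"], r["to"], conn, status))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against `dmesg` output captured while debug_level is raised; a destination-unreachable that shows a "Handling" line but no "Forwarding" line is one LVS saw but could not match to a connection, which is the first thing to check before blaming netfilter.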