On Tue, Oct 05, 2004 at 09:18:24PM +0100, Graeme Fowler wrote:
> On Tue, 2004-10-05 at 10:53, Graeme Fowler wrote:
> > I'm running what you'd probably term a fairly classical LVS-NAT setup:
> <snip>
> > It looks to me like there's some sort of faulty interaction between the
> > connection tracking in the ip_vs module, and that in the iptable_nat or
> > ip_conntrack module - on occasion the iptables modules are handling ip_vs
> > traffic when they shouldn't.
>
> Just as additional info, I have now recompiled the kernel to activate
> the debug sysctl. I'm dumping IPVS debug info at one hell of a rate - my
> posited idea above looks about right, as I'm getting 'not hit' in the
> kernel logs for connections which have just gone in the pot.
You should get a "not hit" for all packets that come through the
box that are not related to LVS, and a "hit" for all packets that are.
If you think that packets are getting "not hit" when they should get
"hit" then try looking at ipvsadm -Lcn, this should give you a dump
of the connections that LVS is trying to match incoming packets against.
--
Horms
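The check Horms suggests, as an added example that is not part of the original thread: a small shell helper that looks a packet's protocol, client address and virtual address up in ipvsadm -Lcn output and reports whether IPVS holds a matching connection entry, i.e. whether the debug log should be saying "hit" for it. The connection table below is a constructed sample standing in for the real command's output; the helper reads from stdin so it can be fed ipvsadm -Lcn directly.

```shell
#!/bin/sh
# Constructed sample of `ipvsadm -Lcn` output (not captured from the poster's box).
# Columns after the two header lines: pro expire state source virtual destination
SAMPLE_TABLE='IPVS connection entries
pro expire state       source             virtual            destination
TCP 14:58  ESTABLISHED 192.168.1.10:45678 10.0.0.1:80        192.168.2.5:80
TCP 00:42  TIME_WAIT   192.168.1.11:51000 10.0.0.1:80        192.168.2.6:80
UDP 00:09  UDP         192.168.1.12:5060  10.0.0.1:5060      192.168.2.7:5060'

# ipvs_lookup PROTO CLIENT_IP:PORT VIP:PORT   (table on stdin)
# Prints every connection entry whose protocol, source and virtual columns
# match the packet, and returns 0 if at least one was found (IPVS would log
# "hit"), 1 if none was (IPVS would log "not hit" and iptables/ip_conntrack
# gets to see the packet).
ipvs_lookup() {
    awk -v proto="$1" -v src="$2" -v vip="$3" '
        NR > 2 && $1 == proto && $4 == src && $5 == vip { print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# ipvs_count_state STATE   (table on stdin)
# Counts entries in a given state, e.g. to see how many TIME_WAIT entries
# are still pinned in the table before their expiry runs out.
ipvs_count_state() {
    awk -v st="$1" 'NR > 2 && $3 == st { n++ } END { print n + 0 }'
}

# Usage against the sample table; swap the printf for `ipvsadm -Lcn |` on a real director.
printf '%s\n' "$SAMPLE_TABLE" | ipvs_lookup TCP 192.168.1.10:45678 10.0.0.1:80
printf '%s\n' "$SAMPLE_TABLE" | ipvs_count_state TIME_WAIT
```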