|
On Mon, 2006-02-13 at 16:53 -0600, Richard Pickett wrote:
> Yeah. I've looked on that list. Last email I saw on there was September
> of last year, considering that the last update of keepalived was early
> '05 I figured it had died off.
Hrm... last email I have on the keepalived list was last Friday. It's a
relatively quiet list these days but that's probably because Alexandre
(maintainer) has been working on a commercial version of the code, so
the OSS branch has gone a bit quiet.
> Although I didn't run this through my own email servers (where I have
> access to the logs) the "to" was to a valid email account on the server
> it was sent to. I'll ethereal it and see if I can dig up some more info.
> Maybe I'll end up just having it call shell scripts that will send out
> mail for me.
It strikes me that the SMTP server you're using might be doing *sender*
verification and rejecting the mail because it's using a non-lookup-able
sender. If you're using Exim, this is very likely.
> Cool cool cool. One last item on this particular configuration. These
> boxes use iptables RELATED,EXISTING commands to forward traffic at the
> head of it's rules so existing connections don't have their packets run
> through all the rules every time. Does the lvs_sync_daemon_interface
> populate the iptables connection table, or is it just the vrrp
> connection tables?
the LVS sync daemon synchronises the LVS table - there isn't a VRRP
table.
> The scenario I see is an existing connection that matched firewall rules
> getting dropped by the backup iptables rules when he switches to master
> because his iptables state wasn't aware of the connection. Is that a
> correct assessment?
More than likely, yes. I'm not aware of anything to sync the iptables
conntrack tables (which is what you're talking about).
Personally I think that a connection drop at router failover is
acceptable; it's rather better than having a complete outage.
Graeme
|
