lvs-users
To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] IPVS/DR ip_conntrack: table full, dropping packet at squid server
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Fri, 08 Jun 2007 10:21:58 +0100

On Fri, 2007-06-08 at 15:53 +0700, Wiboon Warasittichai wrote:
> Do I need to unload module ip_conntrack on all squid boxes?

Ideally, yes. Why do you have the conntrack module loaded in the first place?

An alternative method, if you absolutely must keep the conntrack rules in place, is to explicitly use the NOTRACK target on packets destined for the Squid service. On the director, as an example:

    iptables -t raw -I PREROUTING -p tcp --dport 3128 -j NOTRACK
    iptables -I INPUT -p tcp -m tcp --dport 3128 -j ACCEPT

The first line will remove tracking from packets destined for TCP port 3128 on the director. You may need to also include any reply packets which traverse the director, but as you're using DR I think you can miss that part.

Graeme
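
The check below is an added example, not part of the original message or of the LVS project: it reads an iptables-save dump and reports whether TCP port 3128 is exempt from connection tracking in each direction and still explicitly accepted. The function name notrack_audit, the raw OUTPUT check for locally generated replies (as on a Squid real server) and the sample ruleset are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for untracked handling of a TCP port.
# notrack_audit PORT < dump   prints "<check>=ok" or "<check>=missing" per check.
notrack_audit() {
    awk -v port="$1" '
        /^\*/ { table = substr($0, 2); next }   # table header: *raw, *filter
        $1 != "-A" { next }                     # only rule lines
        {
            chain = $2
            # Older iptables prints "-j NOTRACK", newer prints "-j CT --notrack".
            notrack = ($0 ~ /-j NOTRACK/ || $0 ~ /-j CT .*--notrack/)
            tcp     = ($0 ~ /-p tcp/)
            dport   = ($0 ~ ("--dport " port "( |$)"))
            sport   = ($0 ~ ("--sport " port "( |$)"))
            # Untracked packets never match ESTABLISHED, so the ACCEPT must be stateless.
            stateful = ($0 ~ /-m (state|conntrack)/)
            if (table == "raw" && chain == "PREROUTING" && tcp && dport && notrack) pre = 1
            if (table == "raw" && chain == "OUTPUT" && tcp && sport && notrack) out = 1
            if (table == "filter" && chain == "INPUT" && tcp && dport && !stateful && $0 ~ /-j ACCEPT/) acc = 1
        }
        END {
            print "raw_prerouting_dport=" (pre ? "ok" : "missing")
            print "raw_output_sport="     (out ? "ok" : "missing")
            print "filter_input_accept="  (acc ? "ok" : "missing")
        }'
}

# Constructed sample: the two rules from the message as iptables-save prints them,
# plus a typical stateful rule that untracked packets will not match.
SAMPLE_RULES='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 3128 -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | notrack_audit 3128
```

On a live host the input would come from `iptables-save | notrack_audit 3128`. A "missing" result for raw_output_sport matters only where replies from port 3128 are generated locally or otherwise pass through that host's conntrack.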