-----Original Message-----
From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Brent Jensen
Sent: Friday, August 06, 2010 12:29 AM
To: LinuxVirtualServer.org users mailing list.
Subject: Re: [lvs-users] Firewall on LVS NAT

More info. I now realize that these dropped packets are FIN and RST ACKs
being blocked, probably because my rules to the VIP include: -m state
--state NEW -j ACCEPT. Can these dropped packets affect the TCP
connections, resulting in client connection issues?

Brent,

I feel particularly sad for you; I had to troubleshoot this same issue and had
a very, very bad week.

In my environment, I was able to fix the problem by recompiling my kernel with
Julian's NFCT patchset: http://www.ssi.bg/~ja/nfct/ (something similar to this
will be in 2.6.36, Hooray!). I'm not sure exactly why it happens, but I suspect
that iptables can't get a good take on the "STATE" of a connection in LVS,
because LVS partially bypasses netfilter.

Give it a shot and let me know how it works.

--
Jason Faulkner
Linux Engineer
Rackspace Email & Apps
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
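
To check which packets toward the VIP a NEW-only rule is actually dropping, as discussed in the thread above, this added example (not part of either message) tallies iptables LOG-target lines by TCP flags. It assumes the drops are logged with the LOG target; the log prefix, host name and addresses are constructed.

```python
import re
from collections import Counter

# Constructed kernel log lines in iptables LOG-target format. The "FW-DROP: "
# prefix, host name and addresses (192.0.2.10 standing in for the VIP) are made up.
SAMPLE_LOG = """\
Aug  6 00:10:01 lb1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=4211 DF PROTO=TCP SPT=51514 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
Aug  6 00:10:02 lb1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40222 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug  6 00:10:03 lb1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=9120 DF PROTO=TCP SPT=33810 DPT=443 WINDOW=229 RES=0x00 ACK FIN URGP=0
Aug  6 00:10:04 lb1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=312 TOS=0x00 PREC=0x00 TTL=55 ID=4212 DF PROTO=TCP SPT=51520 DPT=80 WINDOW=501 RES=0x00 ACK PSH URGP=0
Aug  6 00:10:05 lb1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.40 DST=192.0.2.10 LEN=80 TOS=0x00 PREC=0x00 TTL=60 ID=77 PROTO=UDP SPT=53 DPT=33000 LEN=60
Aug  6 00:10:06 lb1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.99 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=4300 DF PROTO=TCP SPT=51600 DPT=22 WINDOW=501 RES=0x00 ACK FIN URGP=0
"""

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_drop(line):
    """Return (dst, dport, flags) for a logged TCP packet, else None."""
    fields = dict(FIELD.findall(line))
    if fields.get("PROTO") != "TCP" or "DST" not in fields or "DPT" not in fields:
        return None
    # The LOG target prints set flags as bare words between RES= and URGP=.
    m = re.search(r"RES=\S+\s+(.*?)\s*URGP=", line)
    flags = frozenset(m.group(1).split()) & TCP_FLAGS if m else frozenset()
    return fields["DST"], int(fields["DPT"]), flags

def classify(flags):
    """Bucket a packet by its role in the TCP connection lifecycle."""
    if "SYN" in flags and "ACK" not in flags:
        return "new (SYN)"
    if "RST" in flags:
        return "teardown (RST)"
    if "FIN" in flags:
        return "teardown (FIN)"
    return "mid-connection"

def summarize(log_text, vip):
    """Count logged TCP drops addressed to the VIP, per lifecycle bucket."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_drop(line)
        if parsed and parsed[0] == vip:
            counts[classify(parsed[2])] += 1
    return counts

if __name__ == "__main__":
    for bucket, n in summarize(SAMPLE_LOG, "192.0.2.10").most_common():
        print(f"{n:4d}  {bucket}")
```

A tally with no "new (SYN)" entries and only teardown or mid-connection drops matches what Brent describes: the NEW rule admits connection setup while later packets of the same connections are rejected.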