Update: The NFCT patch greatly reduced the dropped ACK FIN & ACK RST. There
still are a few so I don't know what is causing this, but it is small
compared to what I was getting before. Those users who had terrible
connection problems seem to have no problems at all now. So thanks Jay for
heading me in the right direction. For some reason this didn't appear to be
as big of a problem in kernel 2.4.x, although it still might have existed.
I also ran across a script from Golan Zakai
http://golanzakai.blogspot.com/2010/07/julians-nfct-patch-on-centos.html
that greatly automates the custom kernel build in Centos 5.
Thanks for all of your help,
Brent
At 12:39 PM 8/6/2010 -0600, you wrote:
>Thanks for the heads up. I'll have to brush up on my kernel hacking
>skills. Has anyone been able to successfully run LVS-NAT with stateful
>firewall w/o the patch using a stock kernel (e.g. Centos 5)? Thanks, Brent
>
>On Fri, 6 Aug 2010 08:51:25 -0500, Jay Faulkner
><jay.faulkner@xxxxxxxxxxxxx> wrote:
> > -----Original Message-----
> > From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
> > [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Brent Jensen
> > Sent: Friday, August 06, 2010 12:29 AM
> > To: LinuxVirtualServer.org users mailing list.
> > Subject: Re: [lvs-users] Firewall on LVS NAT
> >
> > More info. I now realize that these dropped packets are FIN and RST ACKs
> > being blocked, probably because my rules to the VIP include: -m state
> > --state NEW -j ACCEPT. Can these dropped packets affect the TCP
> > connections, resulting in client connection issues?
> >
> > Brent,
> >
> > I feel particularly sad for you, I had to troubleshoot this same issue and
> > had a very, very bad week.
> >
> > In my environment, I was able to fix the problem by recompiling my kernel
> > with Julian's NFCT patchset: http://www.ssi.bg/~ja/nfct/ (something similar
> > to this will be in 2.6.36, Hooray!). I'm not sure exactly why it happens,
> > but I suspect that iptables can't get a good take on the "STATE" of a
> > connection in LVS, because LVS partially bypasses netfilter.
> >
> > Give it a shot and let me know how it works.
> >
> > --
> > Jason Faulkner
> > Linux Engineer
> > Rackspace Email & Apps
> >
> > _______________________________________________
> > Please read the documentation before posting - it's available at:
> > http://www.linuxvirtualserver.org/
> >
> > LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
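The symptom the thread describes (FIN/ACK and RST/ACK packets dropped by a stateful rule set on an LVS-NAT director) is easiest to confirm, before and after the NFCT patch, by counting exactly those drops in the director's kernel log. The script below is an added example, not code from this thread, LVS, or Julian's patchset. It assumes the dropped packets are logged by a rule such as `-j LOG --log-prefix "LVS-DROP: "` placed before the final DROP, and parses the standard iptables LOG line layout (the TCP flag tokens sit between `RES=` and `URGP=`). The log lines embedded in it are constructed for the demonstration; the prefix and addresses are placeholders.

```python
"""Tally dropped TCP teardown packets (FIN/ACK, RST) from iptables LOG lines.

Added example for this thread.  The log lines in SAMPLE_LOG are constructed,
not captured from anyone's director.  Assumes a LOG rule with the prefix
"LVS-DROP: " runs just before the DROP that the thread is troubleshooting.
"""
import re
from collections import Counter

# Flag tokens the iptables LOG target prints for TCP, after the RES= field.
TCP_FLAG_TOKENS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
FLAGS_RE = re.compile(r"RES=\S+\s+(.*?)\s*URGP=")

# Constructed sample: three teardown packets to the VIP 192.0.2.10 dropped,
# one SYN dropped (not a teardown packet), one UDP drop with another prefix.
SAMPLE_LOG = """\
Aug  6 00:21:13 director kernel: LVS-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
Aug  6 00:21:14 director kernel: LVS-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug  6 00:21:15 director kernel: LVS-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=4 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=0 RES=0x00 ACK FIN URGP=0
Aug  6 00:21:16 director kernel: LVS-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=7 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  6 00:21:17 director kernel: OTHER-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=8 DF PROTO=UDP SPT=40003 DPT=53 LEN=20
"""


def parse_log_line(line):
    """Return the key=value fields plus a 'FLAGS' set, or None if not a TCP line."""
    if "PROTO=TCP" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    m = FLAGS_RE.search(line)
    fields["FLAGS"] = set(m.group(1).split()) & TCP_FLAG_TOKENS if m else set()
    return fields


def classify_teardown(flags):
    """Name the connection-teardown packet type, or None if it is not one."""
    if "RST" in flags:
        return "RST"
    if "FIN" in flags and "ACK" in flags:
        return "FIN/ACK"
    return None


def tally_teardown_drops(lines, prefix="LVS-DROP:"):
    """Count dropped teardown packets per VIP:port and per packet kind.

    Returns (per_vip, per_kind); both are Counters.  Dropped packets that are
    not teardown packets (a bare SYN, for instance) are ignored, because the
    thread's symptom is specifically the FIN/ACK and RST/ACK drops.
    """
    per_vip = Counter()
    per_kind = Counter()
    for line in lines:
        if prefix not in line:
            continue
        fields = parse_log_line(line)
        if fields is None:
            continue
        kind = classify_teardown(fields["FLAGS"])
        if kind is None:
            continue
        per_vip[f"{fields['DST']}:{fields['DPT']}"] += 1
        per_kind[kind] += 1
    return per_vip, per_kind


if __name__ == "__main__":
    # In practice: tally_teardown_drops(open("/var/log/messages"))
    vips, kinds = tally_teardown_drops(SAMPLE_LOG.splitlines())
    for vip, n in vips.most_common():
        print(f"{vip}: {n} dropped teardown packets")
    print(dict(kinds))
```

Run it over the director's `/var/log/messages` (or wherever the LOG target lands) on the unpatched kernel to get a baseline, then again after rebuilding with the NFCT patch; the count per VIP should fall to near zero, matching the "greatly reduced" result reported at the top of the thread, and any remaining drops are listed by VIP:port for follow-up. A bare SYN drop is deliberately left out of the tally since it is a different symptom from the one being chased here.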