I just also tried 2.6.37-rc5. The same setup that was working on
2.6.36.1, although not with SNAT, is now completely broken.
The SYN ACK back from the real server to the client now hits the
FORWARD chain, but without a conntrack in place (stateful
ESTABLISHED,RELATED match does not trigger), thus the SYN ACK is
dropped. Here is a LOG output at that point:
Dec 13 11:29:34 gw1 kernel: [ 72.972821] LRD IN=br0.2 OUT=br0.178 PHYSIN=eth0.2 SRC=192.168.2.9 DST=192.168.178.21 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=44202 WINDOW=5840 RES=0x00 ACK SYN URGP=0
corresponding ipvsadm -lcn (different run, thus different ports/realip):
TCP 00:50 SYN_RECV 192.168.178.21:60329 192.168.2.238:80 192.168.2.5:80
There is no corresponding conntrack visible, as far as I can see.
Under 2.6.36.1, there is also no conntrack visible, but the connection
becomes ESTABLISHED and works.
Server definition:
TCP 192.168.2.238:80 rr
  -> 192.168.2.9:80 Masq 1 1 0
  -> 192.168.2.5:80 Masq 1 0 0
Relevant INPUT chain entries:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in      out source           destination
  430  135K ACCEPT all  --  *       *   0.0.0.0/0        0.0.0.0/0      state RELATED,ESTABLISHED
    1    60 ACCEPT tcp  --  br0.178 *   192.168.178.0/24 192.168.2.0/24 tcp dpt:80
Relevant FORWARD chain entries:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in      out   source         destination
    6   978 ACCEPT all  --  *       *     0.0.0.0/0      0.0.0.0/0      state RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  br0.178 br0.2 192.168.178.21 192.168.2.0/24 tcp dpt:80
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
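
The manual correlation in the post above (a logged SYN ACK from a real server against the IPVS connection table) can be scripted. This is an added example, not part of the original post or of the LVS project; the function names are hypothetical, and the sample data is constructed from the post's output with the ports and real server aligned into one run.

```python
import re

# Constructed sample data modelled on the post. The post's LOG line and ipvsadm
# listing came from different runs; here the ports and real server are aligned.
KERNEL_LOG = """\
Dec 13 11:29:34 gw1 kernel: [ 72.972821] LRD IN=br0.2 OUT=br0.178 PHYSIN=eth0.2 SRC=192.168.2.9 DST=192.168.178.21 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=44202 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Dec 13 11:29:40 gw1 kernel: [ 78.100000] LRD IN=br0.2 OUT=br0.178 SRC=192.168.2.7 DST=192.168.178.30 LEN=52 PROTO=TCP SPT=22 DPT=50000 WINDOW=5840 RES=0x00 ACK SYN URGP=0
"""
IPVS_CONNS = """\
IPVS connection entries
pro expire state       source             virtual            destination
TCP 00:50  SYN_RECV    192.168.178.21:44202 192.168.2.238:80   192.168.2.9:80
TCP 14:58  ESTABLISHED 192.168.178.22:51000 192.168.2.238:80   192.168.2.5:80
"""
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line):
    """Parse one netfilter LOG line into its KEY=value fields plus TCP flags."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    if fields.get("PROTO") != "TCP":
        return None
    fields["FLAGS"] = TCP_FLAGS & set(line.split())
    return fields

def parse_ipvs(text):
    """Parse `ipvsadm -lcn` rows into (state, client, virtual, real) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] in ("TCP", "UDP"):
            rows.append((parts[2], parts[3], parts[4], parts[5]))
    return rows

def orphaned_replies(log_text, ipvs_text):
    """Logged SYN-ACKs from a real server whose IPVS entry is still SYN_RECV."""
    pending = {(real, client): virtual for state, client, virtual, real
               in parse_ipvs(ipvs_text) if state == "SYN_RECV"}
    hits = []
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if not pkt or not {"SYN", "ACK"} <= pkt["FLAGS"]:
            continue
        key = (f"{pkt['SRC']}:{pkt['SPT']}", f"{pkt['DST']}:{pkt['DPT']}")
        if key in pending:
            hits.append({"real": key[0], "client": key[1], "virtual": pending[key]})
    return hits

if __name__ == "__main__":
    print(orphaned_replies(KERNEL_LOG, IPVS_CONNS))
```

A hit means the firewall logged a reply that belongs to a connection IPVS is still waiting on, which is the symptom described in the post.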