To: Patrick Schaaf <netdev@xxxxxx>
Subject: Re: [lvs-users] IPVS with SNAT support on the kernel 2.6.36 + iptables v1.4.10
Cc: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Wed, 15 Dec 2010 02:28:17 +0200 (EET)
        Hello,

On Mon, 13 Dec 2010, Patrick Schaaf wrote:

> I just also tried 2.6.37-rc5. The same setup that was working on
> 2.6.36.1, although not with SNAT, is now completely broken.
>
> The SYN ACK back from the real server to the client, now hits the
> FORWARD chain, but without a conntrack in place (stateful
> ESTABLISHED,RELATED match does not trigger), thus the SYN ACK is
> dropped. Here is a LOG output at that point:
>
> Dec 13 11:29:34 gw1 kernel: [   72.972821] LRD IN=br0.2 OUT=br0.178
> PHYSIN=eth0.2 SRC=192.168.2.9 DST=192.168.178.21 LEN=52 TOS=0x00
> PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=44202 WINDOW=5840 RES=0x00
> ACK SYN URGP=0
>
> corresponding ipvsadm -lcn (different run, thus different ports/realip):
>
> TCP 00:50  SYN_RECV    192.168.178.21:60329 192.168.2.238:80 192.168.2.5:80
>
> There is no corresponding conntrack visible, as far as I can see.

        2.6.37-rc1 comes with a new sysctl var "conntrack",
so that IPVS conns can use, update and keep conntracks.
This support is automatically enabled for FTP connections because
2.6.36 comes with such a requirement. If not enabled, the
conntracks are destroyed after the packet is forwarded.

        You are not using ip_vs_ftp and I'm not sure if you
configured CONFIG_IP_VS_NFCT in 2.6.37-rc5. While
2.6.36 uses conntracks by default, 2.6.37-rc1 makes
it optional, so you should enable CONFIG_IP_VS_NFCT if
CONFIG_IP_VS_FTP did not enable it already.

> Under 2.6.36.1, there is also no conntrack visible, but the connection
> becomes ESTABLISHED and works.

        Hm, I think IPVS should keep conntracks in 2.6.36.
It seems conntracks are destroyed for some reason, maybe a
missing netfilter module? You can check this file for more info:

http://www.ssi.bg/~ja/nfct/HOWTO.txt

        One part is for old kernels, some details are for
recent ones. Note that all/rp_filter=1 can cause problems
for setups with DEV/rp_filter=0. Latest kernels change
the rp_filter formula from AND to MAX.

Regards

--
Julian Anastasov <ja@xxxxxx>
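The two checks Julian suggests above, as an added example that is not part of the thread or of the IPVS project: whether the kernel exposes the IPVS "conntrack" sysctl (net.ipv4.vs.conntrack, present only when CONFIG_IP_VS_NFCT is built) and what rp_filter value is actually in effect for an interface under the old AND rule versus the newer MAX rule. The ROOT prefix argument and the helper names are assumptions so the checks can be run against a constructed directory tree instead of the live /proc.

```shell
#!/bin/sh
# Added example (not from the thread or the IPVS project).
# ROOT ($1) is a hypothetical prefix; pass "" to read the live /proc.

# Prints: enabled | disabled | unsupported
ipvs_conntrack_status() {
    root=${1:-}
    f="$root/proc/sys/net/ipv4/vs/conntrack"
    if [ ! -r "$f" ]; then
        # sysctl missing: kernel before 2.6.37, IPVS not loaded,
        # or IPVS built without CONFIG_IP_VS_NFCT
        echo unsupported
        return 0
    fi
    if [ "$(cat "$f")" -ne 0 ]; then echo enabled; else echo disabled; fi
}

# Combine conf/all/rp_filter ($1) with conf/DEV/rp_filter ($2).
# $3 selects the kernel rule: "and" (older kernels) or "max" (newer ones).
# Under "max", all/rp_filter=1 overrides DEV/rp_filter=0, which is the
# problem case mentioned above.
rp_filter_effective() {
    all=$1; dev=$2; rule=$3
    if [ "$rule" = and ]; then
        if [ "$all" -ne 0 ] && [ "$dev" -ne 0 ]; then echo 1; else echo 0; fi
    else
        if [ "$all" -ge "$dev" ]; then echo "$all"; else echo "$dev"; fi
    fi
}

# Read both rp_filter values for device $2 below ROOT $1 and show the
# effective value under both rules on one line.
rp_filter_report() {
    root=${1:-}; dev=$2
    all=$(cat "$root/proc/sys/net/ipv4/conf/all/rp_filter")
    devv=$(cat "$root/proc/sys/net/ipv4/conf/$dev/rp_filter")
    echo "$dev: all=$all dev=$devv and=$(rp_filter_effective "$all" "$devv" and) max=$(rp_filter_effective "$all" "$devv" max)"
}
```

On the live director this is `ipvs_conntrack_status ""` and `rp_filter_report "" br0.2`; "unsupported" plus dropped SYN/ACKs in FORWARD is the symptom of a 2.6.37 build without CONFIG_IP_VS_NFCT.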

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
