On 10/09/15 06:31 PM, Noel Kuntze wrote:
>
> Hello Digimer,
>
> Pro tip: look at the 'multiport' module. You can substantially reduce the
> number of rules with it.
> Right now, I'm scratching my eyes out.
> You can use `ss` or `netstat` to find out where clvmd wants to phone to. That
> might be
> an additional lead. Or use tcpdump.
> But please, tidy up your rules.

The rules are as terse as I thought I could make them. ss shows no difference:

====
[root@node1 ~]# /etc/init.d/clvmd start
Starting clvmd: Activating VG(s): [ OK ]
[root@node1 ~]# ss
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.122.10:ssh 192.168.122.1:53935
ESTAB 0 0 192.168.122.10:ssh 192.168.122.1:53934
ESTAB 0 0 10.10.10.1:48985 10.10.10.2:7788
ESTAB 0 0 10.10.10.1:7788 10.10.10.2:51681
ESTAB 0 0 ::ffff:10.20.10.1:16851 ::ffff:10.20.10.2:43553
[root@node1 ~]# /etc/init.d/clvmd stop
Signaling clvmd to exit [ OK ]
clvmd terminated [ OK ]
[root@node1 ~]# ss
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.122.10:ssh 192.168.122.1:53935
ESTAB 0 0 192.168.122.10:ssh 192.168.122.1:53934
ESTAB 0 0 10.10.10.1:48985 10.10.10.2:7788
ESTAB 0 0 10.10.10.1:7788 10.10.10.2:51681
ESTAB 0 0 ::ffff:10.20.10.1:16851 ::ffff:10.20.10.2:43553
[root@node1 ~]# netcat
====

netstat had a lot more output, so I pushed the output to files and diff'ed them:

====
[root@node1 ~]# netstat > 1
[root@node1 ~]# /etc/init.d/clvmd start
Starting clvmd: Activating VG(s): [ OK ]
[root@node1 ~]# netstat > 2
[root@node1 ~]# diff -U0 1 2
--- 1 2015-09-10 22:46:31.275000003 +0000
+++ 2 2015-09-10 22:46:51.044000011 +0000
@@ -7,0 +8,2 @@
+sctp 0 0 node1.bcn:21064 node2.bcn:21064 ESTABLISHED
+ node1.sn node2.sn
@@ -12 +14,6 @@
-unix 15 [ ] DGRAM 12986 /dev/log
+unix 16 [ ] DGRAM 12986 /dev/log
+unix 2 [ ] DGRAM 23743
+unix 3 [ ] STREAM CONNECTED 23689 @corosync.ipc
+unix 3 [ ] STREAM CONNECTED 23688
+unix 3 [ ] STREAM CONNECTED 23685 /var/run/cman_client
+unix 3 [ ] STREAM CONNECTED 23684
====

I'm not familiar with netstat, so I'll need to read up to understand the differences and how to translate them to iptables rules.

--
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without access to education?
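
The step the message leaves open, turning a before/after `netstat` comparison into firewall rules, shown as an added example that is not part of the original post or of any ClusterLabs code. The function names, the `INPUT` chain and the 32768 ephemeral-port threshold are assumptions; the sample rows are constructed, except the sctp lines, which come from the diff in the message.

```shell
#!/bin/sh
# Added example: turn two `netstat` snapshots into candidate iptables rules.

# Print "proto local_port peer_host" for each tcp/udp/sctp socket that is in
# the AFTER snapshot ($2) but not in the BEFORE snapshot ($1).
new_inet_sockets() {
    awk '
        function inet() { return $1 ~ /^(tcp|udp|sctp)6?$/ && $4 ~ /:/ && $5 ~ /:/ }
        FILENAME == ARGV[1] { if (inet()) seen[$1, $4, $5] = 1; next }
        inet() && !(($1, $4, $5) in seen) {
            proto = $1; sub(/6$/, "", proto)
            lport = $4; sub(/.*:/, "", lport)      # text after the last colon
            peer  = $5; sub(/:[^:]*$/, "", peer)   # text before the last colon
            print proto, lport, peer
        }
    ' "$1" "$2"
}

# Emit one INPUT rule per new socket. Numeric local ports >= 32768 are skipped
# as likely ephemeral (outbound) ports; that threshold is an assumption.
candidate_rules() {
    new_inet_sockets "$1" "$2" | while read -r proto lport peer; do
        case "$lport" in
            *[!0-9]*) ;;                                  # service name: keep
            *) if [ "$lport" -ge 32768 ]; then continue; fi ;;
        esac
        case "$peer" in
            '*'|0.0.0.0|::|'[::]') src="" ;;              # listener: any source
            *) src=" -s $peer" ;;
        esac
        echo "iptables -A INPUT -p $proto$src --dport $lport -j ACCEPT"
    done
}

# Demo: sctp lines taken from the diff in the message; other rows constructed.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'tcp 0 0 10.10.10.1:7788 10.10.10.2:51681 ESTABLISHED' > "$dir/before"
    printf '%s\n' 'tcp 0 0 10.10.10.1:7788 10.10.10.2:51681 ESTABLISHED' \
        'tcp 0 0 10.10.10.1:48990 10.10.10.2:7788 ESTABLISHED' \
        'sctp 0 0 node1.bcn:21064 node2.bcn:21064 ESTABLISHED' \
        ' node1.sn node2.sn' \
        'unix 16 [ ] DGRAM 12986 /dev/log' > "$dir/after"
    candidate_rules "$dir/before" "$dir/after"
    rm -rf "$dir"
}

demo
```

Port 21064 is the default port of the DLM, which clvmd depends on for locking. Each emitted rule is a candidate to review against the existing rule set before it is loaded.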