Hi!

Dimitri GOURDON wrote:
> A lot of TCP packets with FIN or RST flags (all I think) are dropped by
> Iptables as state INVALID. The consequence is that I have a lot of
> connections in FIN_WAIT state (shown by netstat) on the 2 web servers...

I had a similar problem, so I first tried to use the nfct patches to export IPVS state to netfilter for accurate stateful matching, but that required tuning conntrack timers, so I wrote an iptables module to match IPVS packets directly instead (you'd have to recompile kernel/iptables to use it though):

http://p6drad-teel.net/~windo/release/pom-ipvs_match.tar.gz

It seems to work rather well - still some INVALID packets, but I think those are mainly caused by long and lossy connections (retransmissions).

> I have reproduced this on my lab...
> I have sniffed packets with tcpdump to see flags, ACK number,... I've
> found nothing bad.

Are all FINs (and RSTs) blocked or only the first ones? To close a connection, both client and server must send a FIN - does neither of them get through?

> I have tried to accept these packets with Iptables and then, all my
> connections are terminated in a normal way (only 1-2 connection(s) stay
> in FIN_WAIT on web servers).

The problem (sort of) is that LVS code isn't really very well integrated with netfilter code. This allows IPVS to work faster, but causes these kinds of problems as well.

Siim

_______________________________________________
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [EMAIL PROTECTED] or go to http://lists.graemef.net/mailman/listinfo/lvs-users
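As an added illustration (not part of this thread, and not the kernel's or LVS's code), a simplified Python model of how netfilter's TCP conntrack decides what to do with a segment it has no entry for: a FIN or RST can never open a new entry, so when IPVS has handled the handshake without conntrack seeing it, the later FIN/RST is classed INVALID and a `--ctstate INVALID -j DROP` rule eats it. The flag priority and the "no state" row are an approximation of the kernel's `tcp_new()` logic; the addresses are constructed.

```python
# Simplified model of nf_conntrack's TCP pickup decision for a segment
# whose flow has no existing conntrack entry. Constructed for
# illustration; approximates the kernel's tcp_new() behaviour, it is
# not the kernel's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str          # "ip:port" of the sender (constructed values)
    dst: str
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


def flag_index(seg):
    # Kernel priority: RST > SYN > FIN > ACK, so a FIN/ACK counts as FIN.
    if seg.rst:
        return "RST"
    if seg.syn:
        return "SYNACK" if seg.ack else "SYN"
    if seg.fin:
        return "FIN"
    return "ACK" if seg.ack else "NONE"


# State a brand-new entry would take for each flag class when there is
# no prior state. None means "invalid: create no entry".
PICKUP_STATE = {"SYN": "SYN_SENT", "ACK": "ESTABLISHED", "SYNACK": None,
                "FIN": None, "RST": None, "NONE": None}


class Tracker:
    def __init__(self, tcp_loose=True):
        self.table = {}            # flow -> state, either direction
        self.tcp_loose = tcp_loose  # models nf_conntrack_tcp_loose

    def classify(self, seg):
        if (seg.src, seg.dst) in self.table or (seg.dst, seg.src) in self.table:
            return "ESTABLISHED"   # handshake was seen: FIN/RST are fine
        idx = flag_index(seg)
        if idx != "SYN" and not self.tcp_loose:
            return "INVALID"       # mid-stream pickup disabled entirely
        state = PICKUP_STATE[idx]
        if state is None:
            return "INVALID"       # the FIN/RST case this thread hits
        self.table[(seg.src, seg.dst)] = state
        return "NEW"


def demo():
    ct = Tracker()
    ct.classify(Segment("10.0.0.5:4000", "192.0.2.10:80", syn=True))
    seen = ct.classify(Segment("10.0.0.5:4000", "192.0.2.10:80", fin=True, ack=True))
    # Flow whose handshake went through IPVS without conntrack seeing it:
    unseen = ct.classify(Segment("10.0.0.6:4001", "192.0.2.10:80", fin=True, ack=True))
    return seen, unseen
```

`demo()` returns `("ESTABLISHED", "INVALID")`: the same FIN/ACK is accepted for the tracked flow and rejected for the untracked one, which is why accepting those segments explicitly (as Dimitri tried) lets the connections close.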
