-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Brent Jensen
Sent: Friday, August 06, 2010 12:29 AM
To: LinuxVirtualServer.org users mailing list.
Subject: Re: [lvs-users] Firewall on LVS NAT

More info. I now realize that these dropped packets are FIN and RST ACKs being blocked, probably because my rules to the VIP include: -m state --state NEW -j ACCEPT. Can these dropped packets affect the TCP connections, resulting in client connection issues?

Brent, I feel particularly sad for you, I had to troubleshoot this same issue and had a very, very bad week. In my environment, I was able to fix the problem by recompiling my kernel with Julian's NFCT patchset: http://www.ssi.bg/~ja/nfct/ (something similar to this will be in 2.6.36, Hooray!).

I'm not sure exactly why it happens, but I suspect that iptables can't get a good take on the "STATE" of a connection in LVS, because LVS partially bypasses netfilter.

Give it a shot and let me know how it works.

--
Jason Faulkner
Linux Engineer
Rackspace Email & Apps
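Added example, not part of the original thread: a Python script that tallies logged drops to the VIP by TCP flags, to confirm from the logs that the dropped packets are teardown segments (FIN/RST) rather than new connections. It assumes a LOG rule sits just before the drop; the "VIP-DROP: " prefix, the addresses and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel's netfilter LOG format; the
# "VIP-DROP: " prefix, hosts, addresses and ports are made up for this example.
SAMPLE_LOG = """\
Aug  6 00:12:01 lvs1 kernel: VIP-DROP: IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=198.51.100.7 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=4021 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=229 RES=0x00 ACK FIN URGP=0
Aug  6 00:12:02 lvs1 kernel: VIP-DROP: IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=198.51.100.8 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40022 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug  6 00:12:02 lvs1 kernel: VIP-DROP: IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40100 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Aug  6 00:12:03 lvs1 kernel: VIP-DROP: IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=198.51.100.7 DST=192.0.2.10 LEN=120 TOS=0x00 PREC=0x00 TTL=54 ID=4022 DF PROTO=TCP SPT=51300 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
Aug  6 00:12:04 lvs1 kernel: VIP-DROP: IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=198.51.100.7 DST=192.0.2.99 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4023 DF PROTO=TCP SPT=51301 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  6 00:12:05 lvs1 kernel: VIP-DROP: IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4024 PROTO=UDP SPT=5353 DPT=53 LEN=40
"""

FLAG_NAMES = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return (fields, flags) for a TCP LOG line, or None for anything else."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    # The LOG target prints TCP flags as bare words between RES= and URGP=.
    m = re.search(r"RES=\S+\s+(.*?)\s*URGP=", line)
    flags = frozenset(m.group(1).split()) & set(FLAG_NAMES) if m else frozenset()
    return fields, flags

def classify(flags):
    """Bucket a packet by where it falls in the life of a TCP connection."""
    if "RST" in flags or "FIN" in flags:
        return "teardown"      # the FIN/RST ACKs described in the thread
    if "SYN" in flags and "ACK" not in flags:
        return "new"           # the only kind a "--state NEW" rule is meant for
    return "mid-stream"

def summarize(log_text, vip):
    """Count logged drops destined to the VIP, grouped by classify()."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[0].get("DST") != vip:
            continue
        counts[classify(parsed[1])] += 1
    return counts

if __name__ == "__main__":
    for kind, n in summarize(SAMPLE_LOG, "192.0.2.10").most_common():
        print(f"{kind:10s} {n}")
```

A tally dominated by "teardown" with no "new" entries matches the symptom in the thread: connection setup is accepted while the closing segments are not matched by the NEW-only rule.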
