Thanks for the heads-up. I'll have to brush up on my kernel hacking skills. Has anyone been able to successfully run LVS-NAT with a stateful firewall without the patch using a stock kernel (e.g. CentOS 5)? Thanks, Brent
On Fri, 6 Aug 2010 08:51:25 -0500, Jay Faulkner <[email protected]> wrote:
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Brent Jensen
> Sent: Friday, August 06, 2010 12:29 AM
> To: LinuxVirtualServer.org users mailing list.
> Subject: Re: [lvs-users] Firewall on LVS NAT
>
> More info. I now realize that these dropped packets are FIN and RST ACKs
> being blocked, probably because my rules to the VIP include: -m state
> --state NEW -j ACCEPT. Can these dropped packets affect the TCP
> connections, resulting in client connection issues?
>
> Brent,
>
> I feel particularly sad for you, I had to troubleshoot this same issue and
> had a very, very bad week.
>
> In my environment, I was able to fix the problem by recompiling my kernel
> with Julian's NFCT patchset: http://www.ssi.bg/~ja/nfct/ (something similar
> to this will be in 2.6.36, Hooray!). I'm not sure exactly why it happens,
> but I suspect that iptables can't get a good take on the "STATE" of a
> connection in LVS, because LVS partially bypasses netfilter.
>
> Give it a shot and let me know how it works.
>
> --
> Jason Faulkner
> Linux Engineer
> Rackspace Email & Apps
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - [email protected]
> Send requests to [email protected]
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
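A diagnostic added here, not code from anyone in the thread: it assumes a LOG rule with prefix "LVS-DROP: " sits just before the final DROP for traffic to the VIP (an assumption, as are the placeholder addresses in the constructed sample lines), and counts how many dropped segments to the VIP carried a given TCP flag, so the FIN/RST teardown drops Brent describes can be told apart from ordinary new-connection drops.

```shell
#!/bin/sh
# Constructed iptables LOG lines (not from the thread). The VIP 203.0.113.5,
# the client addresses and the "LVS-DROP:" prefix are placeholders; the
# prefix is what a rule like
#   iptables -A INPUT -d <VIP> -p tcp -j LOG --log-prefix "LVS-DROP: "
# placed before the final DROP would write.
SAMPLE_LOG='Aug  6 00:12:01 lb1 kernel: LVS-DROP: IN=eth0 OUT= SRC=198.51.100.10 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
Aug  6 00:12:02 lb1 kernel: LVS-DROP: IN=eth0 OUT= SRC=198.51.100.11 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug  6 00:12:03 lb1 kernel: LVS-DROP: IN=eth0 OUT= SRC=198.51.100.12 DST=203.0.113.5 PROTO=TCP SPT=51236 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  6 00:12:04 lb1 kernel: LVS-DROP: IN=eth0 OUT= SRC=198.51.100.13 DST=203.0.113.5 PROTO=TCP SPT=51237 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0'

# count_dropped_flag VIP FLAG
# Prints the number of logged TCP drops whose DST= is VIP and whose flag
# tokens (the bare words the LOG target prints between RES= and URGP=)
# include FLAG, e.g. FIN, RST or SYN.
count_dropped_flag() {
    vip=$1; flag=$2
    printf '%s\n' "$SAMPLE_LOG" | awk -v vip="$vip" -v flag="$flag" '
        /PROTO=TCP/ {
            dst = ""; hit = 0; inflags = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/) dst = substr($i, 5)
                if ($i ~ /^RES=/) { inflags = 1; continue }
                if ($i ~ /^URGP=/) inflags = 0
                if (inflags && $i == flag) hit = 1
            }
            if (dst == vip && hit) n++
        }
        END { print n + 0 }'
}

# Teardown drops (FIN or RST) versus handshake drops (SYN) for the VIP.
echo "FIN drops: $(count_dropped_flag 203.0.113.5 FIN)"
echo "RST drops: $(count_dropped_flag 203.0.113.5 RST)"
echo "SYN drops: $(count_dropped_flag 203.0.113.5 SYN)"
```

On a real director, replace SAMPLE_LOG with the kernel log (for example the output of dmesg or the syslog file); a FIN/RST count that keeps rising while SYN drops stay flat is the pattern Brent reports, where the state match is not recognising the LVS-NAT flows.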
