I'm using ip_conntrack so it's /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal (or sysctl equiv).
That didn't seem to change the remaining drops.

Thanks,
Brent

At 09:01 AM 8/9/2010 -0500, you wrote:
>Brent, did you set this value (it might be different on CentOS stock, I'm
>running 2.6.27):
>
>net.netfilter.nf_conntrack_tcp_be_liberal = 1
>
>That might resolve the remainder of your dropped FIN/RST.
>
>Jason Faulkner
>Linux Engineer, Rackspace Email & Apps
>[email protected]
>o: (540) 443-2101 (ex. 505-2101)
>
> > -----Original Message-----
> > From: [email protected] [mailto:lvs-users-
> > [email protected]] On Behalf Of Brent Jensen
> > Sent: Monday, August 09, 2010 12:26 AM
> > To: LinuxVirtualServer.org users mailing list.
> > Subject: Re: [lvs-users] Firewall on LVS NAT
> >
> > Update: The NFCT patch greatly reduced the dropped ACK FIN & ACK RST.
> > There still are a few so I don't know what is causing this, but it is small
> > compared to what I was getting before. Those users who had terrible
> > connection problems seem to have no problems at all now. So thanks Jay for
> > heading me in the right direction. For some reason this didn't appear to be as
> > big of a problem in kernel 2.4.x, although it still might have existed.
> >
> > I also ran across a script from Golan Zakai
> > http://golanzakai.blogspot.com/2010/07/julians-nfct-patch-on-centos.html
> > that greatly automates the custom kernel build in Centos 5.
> >
> > Thanks for all of your help,
> >
> > Brent
> >
> > At 12:39 PM 8/6/2010 -0600, you wrote:
> >
> > >Thanks for the heads up. I'll have to brush up on my kernel hacking
> > >skills. Has anyone been able to successfully run LVS-NAT with stateful
> > >firewall w/o the patch using a stock kernel (e.g. Centos 5)?
> > >
> > >Thanks,
> > >Brent
> > >
> > >On Fri, 6 Aug 2010 08:51:25 -0500, Jay Faulkner
> > ><[email protected]> wrote:
> > > > -----Original Message-----
> > > > From: [email protected]
> > > > [mailto:[email protected]] On Behalf Of Brent Jensen
> > > > Sent: Friday, August 06, 2010 12:29 AM
> > > > To: LinuxVirtualServer.org users mailing list.
> > > > Subject: Re: [lvs-users] Firewall on LVS NAT
> > > >
> > > > More info. I now realize that these dropped packets are FIN and RST ACKs
> > > > being blocked, probably because my rules to the VIP include: -m
> > > > state --state NEW -j ACCEPT. Can these dropped packets affect the
> > > > TCP connections, resulting in client connection issues?
> > > >
> > > > Brent,
> > > >
> > > > I feel particularly sad for you, I had to troubleshoot this same issue
> > > > and had a very, very bad week.
> > > >
> > > > In my environment, I was able to fix the problem by recompiling my kernel
> > > > with Julian's NFCT patchset: http://www.ssi.bg/~ja/nfct/ (something similar
> > > > to this will be in 2.6.36, Hooray!). I'm not sure exactly why it happens,
> > > > but I suspect that iptables can't get a good take on the "STATE" of
> > > > a connection in LVS, because LVS partially bypasses netfilter.
> > > >
> > > > Give it a shot and let me know how it works.
> > > >
> > > > --
> > > > Jason Faulkner
> > > > Linux Engineer
> > > > Rackspace Email & Apps
> > > >
> > > > _______________________________________________
> > > > Please read the documentation before posting - it's available at:
> > > > http://www.linuxvirtualserver.org/
> > > >
> > > > LinuxVirtualServer.org mailing list - [email protected]
> > > > Send requests to [email protected]
> > > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
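A small check for the two things this thread turns on, the dropped ACK FIN / ACK RST packets and the conntrack be_liberal knob under either of the sysctl paths named above; this is an added example, not code from any of the posters. The log lines are constructed in the format the iptables LOG target emits, and the "LVS-DROP:" log prefix is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): classify iptables LOG lines for the
# dropped FIN/ACK and RST/ACK packets described above, and report the
# conntrack "be_liberal" knob under the old ip_conntrack path or the
# newer nf_conntrack path, whichever this host has.

# Constructed sample log lines in iptables LOG format; the "LVS-DROP:"
# prefix is an assumed --log-prefix, addresses are documentation ranges.
SAMPLE_LOG='Aug  9 09:01:12 lb1 kernel: LVS-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
Aug  9 09:01:13 lb1 kernel: LVS-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51240 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug  9 09:01:14 lb1 kernel: LVS-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51250 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  9 09:01:15 lb1 kernel: LVS-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0'

# Count dropped TCP packets carrying ACK+FIN or ACK+RST (the LOG target
# prints flags in the order ACK, PSH, RST, SYN, FIN). Reads log text on
# stdin and prints "fin=<n> rst=<n> other=<n>".
classify_drops() {
    awk '
        /PROTO=TCP/ {
            if ($0 ~ / ACK FIN /)      fin++
            else if ($0 ~ / ACK RST /) rst++
            else                       other++
        }
        END { printf "fin=%d rst=%d other=%d\n", fin+0, rst+0, other+0 }
    '
}

# Report the liberal-mode knob under whichever conntrack sysctl path exists.
# Prints "<path>=<value>", or "absent" if neither conntrack module is loaded.
be_liberal_status() {
    for f in /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal; do
        if [ -r "$f" ]; then
            printf '%s=%s\n' "$f" "$(cat "$f")"
            return 0
        fi
    done
    echo absent
}

printf '%s\n' "$SAMPLE_LOG" | classify_drops   # fin=2 rst=1 other=1
be_liberal_status
```

A count of ACK FIN / ACK RST drops that keeps climbing while the knob reads 0 (or is absent because no conntrack module is loaded) is the situation the thread is chasing; a value of 1 with drops still present points back at the NFCT patch discussion above.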
