Problems with IPVS

[Roberto Nibali]

>  I investigated a bit further and that's what I found:

Where did you tcpdump?

>  1. phone sends SYN packet to proxy;

Means (from previous email context):

Phone --> GRE tunnel --> netwap --> fwmark --> LVS --> proxy

How many devices are we talking about including Phone and proxy?

>  2. proxy responds with SYN,ACK;
>  3. phone sends ACK;

Beautiful, if this goes through LVS, it's already a big step towards a 
correctly working LVS.

>  4. phone sends HTTP GET request;
>  5. proxy ACKs packet 4;

Only ACK? No data?

>  6. proxy sends HTTP data packet;
>  7. proxy sends another HTTP data packet;
>  8. proxy sends FIN packet;
> 
>  weird things starts here
> 
>  9. phone once more sends ACK packet acknowledging packet 2 (duplicate 
> of packet 3);

Does the proxy have SACK/FACK support enabled?

>  10. and one more dupe of packet 3;
>  11.-14. proxy repeats packet 6. 4 times.

It has to. Is ECN enabled?

>  The problem is that LVS does not pass packets 11. to 14. to phone. Why?

Because packet 8 was FIN and LVS is not stateful with regard to TCP 
sessions and retransmits.

>  In case of DNAT packets 11.-14. are passed to phone which at the end 
> acknowledges packets 6. and 7. and then acknowledges packet 8. thus 
> closing TCP connection.

Here I don't follow your statements, sorry.

Regards,
Roberto Nibali, ratz
-- 
echo 
'[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc