[lvs-users] IPVS/DR ip_conntrack: table full, dropping packet at squid server

Graeme Fowler graeme at graemef.net
Fri Jun 8 10:21:58 BST 2007


On Fri, 2007-06-08 at 15:53 +0700, Wiboon Warasittichai wrote:
> Do I need to unload module ip_conntrack on all squid boxes?

Ideally, yes. Why do you have the conntrack module loaded in the first
place?

An alternative method, if you absolutely must keep the conntrack rules
in place, is to explicitly use the NOTRACK target on packets destined
for the Squid service.

On the director, as an example:

iptables -t raw -I PREROUTING -p tcp --dport 3128 -j NOTRACK

iptables -I INPUT -p tcp -m tcp --dport 3128 -j ACCEPT

The first line will remove tracking from packets destined for TCP port
3128 on the director. You may need to also include any reply packets
which traverse the director, but as you're using DR I think you can miss
that part.

Graeme
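Added example, not part of the original post or the LVS project: a small POSIX shell script that does the two checks a practitioner wants before applying the advice above. It summarises a conntrack dump by destination port (to confirm that the Squid service is actually what fills the table), reports the current/max entry count from whichever sysctl naming the kernel exposes, and emits the NOTRACK rules from the post, plus the matching OUTPUT rules for the reply direction on a real server that keeps conntrack loaded. The conntrack dump below is constructed for the demo in the classic /proc/net/ip_conntrack line layout; all function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original mailing-list post). Diagnoses an
# "ip_conntrack: table full" condition from a conntrack dump and prints the
# NOTRACK rules for the busiest service port. SAMPLE_CONNTRACK is a
# constructed dump in the /proc/net/ip_conntrack line format.

SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.10 sport=40001 dport=3128 packets=12 bytes=2400 src=10.0.0.10 dst=10.0.0.5 sport=3128 dport=40001 packets=10 bytes=9000 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.6 dst=10.0.0.10 sport=40002 dport=3128 packets=8 bytes=1200 src=10.0.0.10 dst=10.0.0.6 sport=3128 dport=40002 packets=7 bytes=4100 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=10.0.0.10 sport=40003 dport=3128 packets=3 bytes=300 src=10.0.0.10 dst=10.0.0.7 sport=3128 dport=40003 packets=2 bytes=120 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.9 dst=10.0.0.10 sport=51000 dport=22 packets=50 bytes=6000 src=10.0.0.10 dst=192.0.2.9 sport=22 dport=51000 packets=48 bytes=7000 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.10 dst=10.0.0.2 sport=5353 dport=53 packets=1 bytes=60 src=10.0.0.2 dst=10.0.0.10 sport=53 dport=5353 packets=1 bytes=120 mark=0 use=1'

# conntrack_by_dport: read a conntrack dump on stdin and print
# "<count> <proto> <dport>" lines, highest count first. Only the first
# dport= on each line (the original direction) is used, i.e. the service
# port the client connected to, so the reply tuple is not double counted.
conntrack_by_dport() {
    awk '
    {
        key = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^dport=/) {
                split($i, kv, "=")
                key = $1 " " kv[2]
                break
            }
        }
        if (key != "") count[key]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# top_dport: "<proto> <port>" of the busiest service in the dump on stdin.
top_dport() {
    conntrack_by_dport | head -n 1 | awk '{ print $2, $3 }'
}

# notrack_rules PROTO PORT [director|realserver]: print the iptables commands
# that exempt a service from connection tracking. The raw table is
# traversed before conntrack sees the packet, so NOTRACK there stops the
# entry from ever being created. PREROUTING covers inbound client packets,
# which is enough on a DR director (as the post says). With "realserver"
# the OUTPUT rule is added for the locally generated replies, which a Squid
# box needs if it keeps conntrack loaded.
notrack_rules() {
    proto=$1; port=$2; role=${3:-director}
    echo "iptables -t raw -I PREROUTING -p $proto --dport $port -j NOTRACK"
    if [ "$role" = realserver ]; then
        echo "iptables -t raw -I OUTPUT -p $proto --sport $port -j NOTRACK"
    fi
    # Untracked packets never match ESTABLISHED/RELATED state rules, so a
    # filter policy that relies on them must accept the port explicitly
    # (this is why the post adds the INPUT rule).
    echo "iptables -I INPUT -p $proto -m $proto --dport $port -j ACCEPT"
    if [ "$role" = realserver ]; then
        echo "iptables -I OUTPUT -p $proto -m $proto --sport $port -j ACCEPT"
    fi
}

# conntrack_fill: "<count>/<max>" from whichever sysctl files this kernel
# exposes (older ip_conntrack_* or newer nf_conntrack_* naming), or "n/a"
# when neither is readable, e.g. because conntrack is not loaded at all.
conntrack_fill() {
    for d in /proc/sys/net/ipv4/netfilter/ip_conntrack \
             /proc/sys/net/netfilter/nf_conntrack; do
        if [ -r "${d}_count" ] && [ -r "${d}_max" ]; then
            echo "$(cat "${d}_count")/$(cat "${d}_max")"
            return 0
        fi
    done
    echo "n/a"
}

# Usage: sh notrack.sh demo   (on a live box: cat /proc/net/ip_conntrack | conntrack_by_dport)
if [ "${1:-}" = demo ]; then
    echo "conntrack fill: $(conntrack_fill)"
    printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_by_dport
    set -- $(printf '%s\n' "$SAMPLE_CONNTRACK" | top_dport)
    notrack_rules "$1" "$2" realserver
fi
```

The script only prints the iptables commands; review them and run them yourself, since the raw-table rules are inserted at the top of the chain and will take effect immediately. Note that once the NOTRACK rules are in, the entries already in the table are not removed; they age out on their own, so the "table full" messages may continue briefly after the change.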
