[lvs-users] Iptables find invalid packets
windo at p6drad-teel.net
Mon Jul 21 16:22:28 BST 2008
Dimitri GOURDON wrote:
> A lot of TCP packets with FIN or RST flags (all I think) are dropped by
> Iptables as state INVALID. The consequence is that I have a lot of
> connection in FIN_WAIT state (shown by netstat) on the 2 web servers...
I had a similar problem, so I first tried to use the nfct patches to
export IPVS state to netfilter for accurate stateful matching, but that
required tuning conntrack timers, so I wrote an iptables module to match
ipvs packets directly instead (You'd have to recompile kernel/iptables
to use it though):
It seems to work rather well - still some IVALID packets, but I think
those are mainly casued by long and lossy connections (retransmissions).
> I have reproduced this on my lab...
> I have sniff packets with tcpdump to see flags, ACK number,... I've
> found nothing bad.
Are all FINs (and RSTs) blocked or only the first ones? To close a
connection, both client and server must send a FIN - does neither of
them get through?
> I have tried to accept these packets with Iptables and then, all my
> connections are terminated in a normal way (only 1-2 connection(s) stay
> in FIN_WAIT on web servers).
The problem (sort of) is that LVS code isn't really very well integrated
with netfilter code. This allows for IPVS to work faster, but causes
these kinds of problems as well.
More information about the lvs-users