[lvs-users] Firewall on LVS NAT

Jay Faulkner jay.faulkner at mailtrust.com
Mon Aug 9 15:01:05 BST 2010


Brent, did you set this value (it might be different on CentOS stock, I'm running 2.6.27): 

net.netfilter.nf_conntrack_tcp_be_liberal = 1

That might resolve the remainder of your dropped FIN/RST. 

Jason Faulkner
Linux Engineer, Rackspace Email & Apps
jason.faulkner at rackspace.com
o: (540) 443-2101 (ex. 505-2101)


> -----Original Message-----
> From: lvs-users-bounces at linuxvirtualserver.org [mailto:lvs-users-
> bounces at linuxvirtualserver.org] On Behalf Of Brent Jensen
> Sent: Monday, August 09, 2010 12:26 AM
> To: LinuxVirtualServer.org users mailing list.
> Subject: Re: [lvs-users] Firewall on LVS NAT
> 
> Update: The NFCT patch greatly reduced the dropped ACK FIN & ACK RST.
> There still are a few so I don't know what is causing this, but it is small
> compared to what I was getting before. Those users who had terrible
> connection problems seem to have no problems at all now. So thanks Jay for
> heading me in the right direction. For some reason this didn't appear to be as
> big a problem in kernel 2.4.x, although it still might have existed.
> 
> I also ran across a script from Golan Zakai
> http://golanzakai.blogspot.com/2010/07/julians-nfct-patch-on-centos.html
> that greatly automates the custom kernel build in Centos 5.
> 
> Thanks for all of your help,
> 
> Brent
> 
> At 12:39 PM 8/6/2010 -0600, you wrote:
> 
> >Thanks for the heads up. I'll have to brush up on my kernel hacking
> >skills. Has anyone been able to successfully run LVS-NAT with stateful
> >firewall w/o the patch using a stock kernel (e.g. Centos 5)? Thanks,
> >Brent
> >
> >On Fri, 6 Aug 2010 08:51:25 -0500, Jay Faulkner
> ><jay.faulkner at mailtrust.com> wrote:
> > > -----Original Message-----
> > > From: lvs-users-bounces at linuxvirtualserver.org
> > > [mailto:lvs-users-bounces at linuxvirtualserver.org] On Behalf Of Brent Jensen
> > > Sent: Friday, August 06, 2010 12:29 AM
> > > To: LinuxVirtualServer.org users mailing list.
> > > Subject: Re: [lvs-users] Firewall on LVS NAT
> > >
> > > More info. I now realize that these dropped packets are FIN and RST
> > > ACKs being blocked, probably because my rules to the VIP include: -m
> > > state --state NEW -j ACCEPT. Can these dropped packets affect the
> > > TCP connections, resulting in client connection issues?
> > >
> > >
> > >
> > > Brent,
> > >
> > > I feel particularly sad for you, I had to troubleshoot this same
> > > issue and had a very, very bad week.
> > >
> > > In my environment, I was able to fix the problem by recompiling my
> > > kernel with Julian's NFCT patchset: http://www.ssi.bg/~ja/nfct/
> > > (something similar to this will be in 2.6.36, Hooray!). I'm not sure
> > > exactly why it happens, but I suspect that iptables can't get a good
> > > take on the "STATE" of a connection in LVS, because LVS partially
> > > bypasses netfilter.
> > >
> > > Give it a shot and let me know how it works.
> > >
> > > --
> > > Jason Faulkner
> > > Linux Engineer
> > > Rackspace Email & Apps
> > >
> > > _______________________________________________
> > > Please read the documentation before posting - it's available at:
> > > http://www.linuxvirtualserver.org/
> > >
> > > LinuxVirtualServer.org mailing list -
> > > lvs-users at LinuxVirtualServer.org Send requests to
> > > lvs-users-request at LinuxVirtualServer.org
> > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
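The sysctl Jay recommends and the rule ordering Brent's problem turns on, as an added example that is not code from the thread or from the LVS project. It assumes the VIP rules live in the INPUT chain (where ip_vs picks packets up after the filter table), a placeholder VIP of 192.0.2.10 on port 80, and an external interface named eth0; change those to match the director. nf_conntrack_tcp_be_liberal=1 tells conntrack to mark only out-of-window RST segments as INVALID, so out-of-window FIN/ACK and ACK segments that a stateful rule would otherwise drop stay tracked.

```shell
#!/bin/sh
# Added example, not from the original thread or the LVS project.
# Prints (or with APPLY=1, runs as root) a stateful iptables ruleset for
# an LVS-NAT director together with the nf_conntrack_tcp_be_liberal
# sysctl. All addresses and interface names below are placeholders.
#
# Usage: sh lvs_nat_fw.sh            # dry run: print the commands
#        APPLY=1 sh lvs_nat_fw.sh    # execute them (needs root)

VIP="${VIP:-192.0.2.10}"      # placeholder VIP
VPORT="${VPORT:-80}"          # placeholder service port
EXT_IF="${EXT_IF:-eth0}"      # assumed client-facing interface

SYSCTL_PATH=/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal

# Report the current value of nf_conntrack_tcp_be_liberal: "0", "1", or
# "unavailable" when the file is not readable (conntrack not loaded, or a
# kernel that exposes the knob under another path).
conntrack_liberal_status() {
    if [ -r "$SYSCTL_PATH" ]; then
        cat "$SYSCTL_PATH"
    else
        echo unavailable
    fi
}

# Emit the ruleset for a given VIP, port and interface. Order matters:
# the ESTABLISHED,RELATED rule must come before the NEW rule, because the
# FIN/ACK and RST/ACK of a tracked connection are never NEW and would
# otherwise fall through to the final DROP. The INVALID rule logs what
# conntrack could not classify; that count is what be_liberal=1 should
# shrink on a director without the NFCT patch.
lvs_nat_rules() {
    vip=$1; port=$2; ifc=$3
    cat <<EOF
sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=1
iptables -A INPUT -i $ifc -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $ifc -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "CT-INVALID: "
iptables -A INPUT -i $ifc -p tcp -d $vip --dport $port -m state --state NEW -j ACCEPT
iptables -A INPUT -i $ifc -j DROP
EOF
}

# Sanity check on the generated rules: returns 0 when the
# ESTABLISHED,RELATED accept precedes the NEW accept, 1 otherwise.
rules_ordered() {
    est=$(lvs_nat_rules "$1" "$2" "$3" | grep -n 'ESTABLISHED,RELATED' | head -n1 | cut -d: -f1)
    new=$(lvs_nat_rules "$1" "$2" "$3" | grep -n 'state NEW' | head -n1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

if [ "${APPLY:-0}" = 1 ]; then
    lvs_nat_rules "$VIP" "$VPORT" "$EXT_IF" | sh -e
else
    echo "# nf_conntrack_tcp_be_liberal currently: $(conntrack_liberal_status)"
    lvs_nat_rules "$VIP" "$VPORT" "$EXT_IF"
fi
```

Run it once in dry-run mode and compare with the ruleset already loaded; if the existing rules only accept NEW to the VIP and then drop, the connection teardown packets are exactly what is being discarded. After setting be_liberal, watch the CT-INVALID log prefix rather than the raw drop counters: any FIN/RST that still shows up there is the residue conntrack genuinely cannot match, which is the case the NFCT patch addresses. Keep in mind that be_liberal=1 also stops conntrack from rejecting out-of-window non-RST segments, so it trades a little injection resistance for correct tracking on the director.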
