[lvs-users] Firewall on LVS NAT

Chris Chen chchen at pdx.edu
Mon Aug 9 17:36:47 BST 2010


Say, I've got a question--

Do you see this behavior with LVS-DR as well? I've got a few -DR directors running RHEL4 and RHEL5 that are causing all sorts of trouble with windows 7 hosts, and ACK FIN/ACK RST with SSL handshakes--these problems seem to go away in testing with LVS-NAT, but if you're having trouble with NAT in production, part of me is wondering if we're heading down another dark path...

Cheers

cc

-- 
Chris Chen <chchen at pdx.edu>
UNIX Systems Administrator
Office of Information Technologies
Portland State University


Quoting Brent Jensen <brent at jeneral.com>:

> I'm using ip_conntrack so it's
> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal (or sysctl equiv).
>
> That didn't seem to change the remaining drops.
>
> Thanks,
>
> Brent
>
>
> At 09:01 AM 8/9/2010 -0500, you wrote:
>> Brent, did you set this value (it might be different on CentOS stock, I'm
>> running 2.6.27):
>>
>> net.netfilter.nf_conntrack_tcp_be_liberal = 1
>>
>> That might resolve the remainder of your dropped FIN/RST.
>>
>> Jason Faulkner
>> Linux Engineer, Rackspace Email & Apps
>> jason.faulkner at rackspace.com
>> o: (540) 443-2101 (ex. 505-2101)
>>
>>
>> > -----Original Message-----
>> > From: lvs-users-bounces at linuxvirtualserver.org [mailto:lvs-users-
>> > bounces at linuxvirtualserver.org] On Behalf Of Brent Jensen
>> > Sent: Monday, August 09, 2010 12:26 AM
>> > To: LinuxVirtualServer.org users mailing list.
>> > Subject: Re: [lvs-users] Firewall on LVS NAT
>> >
>> > Update: The NFCT patch greatly reduced the dropped ACK FIN & ACK RST.
>> > There still are a few so I don't know what is causing this, but it is small
>> > compared to what I was getting before. Those users who had terrible
>> > connection problems seem to have no problems at all now. So thanks Jay for
>> > heading me in the right direction. For some reason this didn't appear to be as
>> > big of a problem in kernel 2.4.x, although it still might have existed.
>> >
>> > I also ran across a script from Golan Zakai
>> > http://golanzakai.blogspot.com/2010/07/julians-nfct-patch-on-centos.html
>> > that greatly automates the custom kernel build in Centos 5.
>> >
>> > Thanks for all of your help,
>> >
>> > Brent
>> >
>> > At 12:39 PM 8/6/2010 -0600, you wrote:
>> >
>> > >Thanks for the heads up. I'll have to brush up on my kernel hacking
>> > >skills. Has anyone been able to successfully run LVS-NAT with stateful
>> > >firewall w/o the patch using a stock kernel (e.g. Centos 5)? Thanks,
>> > >Brent
>> > >
>> > >On Fri, 6 Aug 2010 08:51:25 -0500, Jay Faulkner
>> > ><jay.faulkner at mailtrust.com> wrote:
>> > > > -----Original Message-----
>> > > > From: lvs-users-bounces at linuxvirtualserver.org
>> > > > [mailto:lvs-users-bounces at linuxvirtualserver.org] On Behalf Of Brent Jensen
>> > > > Sent: Friday, August 06, 2010 12:29 AM
>> > > > To: LinuxVirtualServer.org users mailing list.
>> > > > Subject: Re: [lvs-users] Firewall on LVS NAT
>> > > >
>> > > > More info. I now realize that these dropped packets are FIN and RST
>> > > > ACKs being blocked, probably because my rules to the VIP include: -m
>> > > > state --state NEW -j ACCEPT. Can these dropped packets affect the
>> > > > TCP connections, resulting in client connection issues?
>> > > >
>> > > > Brent,
>> > > >
>> > > > I feel particularly sad for you, I had to troubleshoot this same
>> > > > issue and had a very, very bad week.
>> > > >
>> > > > In my environment, I was able to fix the problem by recompiling my
>> > > > kernel with Julian's NFCT patchset: http://www.ssi.bg/~ja/nfct/ (something
>> > > > similar to this will be in 2.6.36, Hooray!). I'm not sure exactly why it
>> > > > happens, but I suspect that iptables can't get a good take on the "STATE" of
>> > > > a connection in LVS, because LVS partially bypasses netfilter.
>> > > >
>> > > > Give it a shot and let me know how it works.
>> > > >
>> > > > --
>> > > > Jason Faulkner
>> > > > Linux Engineer
>> > > > Rackspace Email & Apps
>> > > >
>> > > > _______________________________________________
>> > > > Please read the documentation before posting - it's available at:
>> > > > http://www.linuxvirtualserver.org/
>> > > >
>> > > > LinuxVirtualServer.org mailing list -
>> > > > lvs-users at LinuxVirtualServer.org Send requests to
>> > > > lvs-users-request at LinuxVirtualServer.org
>> > > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>
>
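The thread's question is whether the FIN/ACK and RST/ACK segments a `--state NEW`-only ruleset drops actually matter, and Brent measures the fix by how many such drops remain. The script below is an added example, not code from anyone in this thread: it parses netfilter `-j LOG` output of the kind a LOG rule placed just before the final DROP on the director would produce, and buckets each dropped segment by what it implies about conntrack (a genuine new SYN, a teardown segment for a flow conntrack no longer knows, or a mid-stream segment with no entry). The log lines, the VIP `192.0.2.10`, and the log prefix `VIP-DROP:` are constructed for illustration. Run it before and after setting `nf_conntrack_tcp_be_liberal` (or applying the NFCT patch) and the `late-fin-rst` count is the number to watch.

```python
"""Classify segments dropped by a stateful LVS-NAT director from iptables LOG lines.

Added example for the lvs-users thread above; not the project's own code.
Assumptions (not from the thread): the LOG rule uses --log-prefix "VIP-DROP:",
the VIP is 192.0.2.10, and the sample lines below are constructed.
"""
import re
from collections import Counter

# netfilter LOG prints TCP flags as bare tokens between RES=... and URGP=...
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Constructed sample: two teardown segments from one flow, one RST from another,
# one real new SYN to a closed port, and one UDP packet (not a TCP state issue).
SAMPLE_LOG = """\
Aug  9 17:20:01 director kernel: VIP-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=50231 DPT=443 WINDOW=1002 RES=0x00 ACK FIN URGP=0
Aug  9 17:20:01 director kernel: VIP-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=50231 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug  9 17:20:03 director kernel: VIP-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=31337 DF PROTO=TCP SPT=61000 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug  9 17:20:05 director kernel: VIP-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=31338 DF PROTO=TCP SPT=61001 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  9 17:20:06 director kernel: VIP-DROP: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 LEN=72 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=40000 DPT=443 LEN=52
"""

# Everything after "kernel: " is the LOG payload; the first token is the prefix if one was set.
LINE_RE = re.compile(r"kernel: (?P<first>\S+)\s*(?P<rest>.*)$")


def parse_log_line(line):
    """Return KEY=VALUE fields plus a 'flags' set for one LOG line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    first, rest = m.group("first"), m.group("rest")
    if "=" in first:            # no --log-prefix was used; first token is already a field
        rest, first = first + " " + rest, ""
    fields = {"prefix": first.rstrip(":"), "flags": set()}
    for tok in rest.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v        # for UDP the second LEN= (datagram length) overwrites the IP one
        elif tok in TCP_FLAG_TOKENS:
            fields["flags"].add(tok)
        # other bare tokens (DF, MF, CE) are IP-level and irrelevant here
    return fields


def classify(fields):
    """Bucket a dropped segment by what conntrack state it implies."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-syn"         # a genuine new connection: dropping it is policy, not a bug
    if "FIN" in flags or "RST" in flags:
        return "late-fin-rst"    # teardown of a flow conntrack has no entry for
    return "mid-stream"          # data or pure ACK with no conntrack entry


def summarize(log_text, vip):
    """Count drops per bucket for the given VIP and collect the flows that lost FIN/RST."""
    counts = Counter()
    late_flows = set()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or f.get("DST") != vip:
            continue
        kind = classify(f)
        counts[kind] += 1
        if kind == "late-fin-rst":
            late_flows.add((f["SRC"], f["SPT"], f["DPT"]))
    return counts, late_flows


def late_ratio(counts):
    """Fraction of all TCP drops that were FIN/RST teardown segments."""
    tcp_total = sum(n for k, n in counts.items() if k != "non-tcp")
    return counts["late-fin-rst"] / tcp_total if tcp_total else 0.0


if __name__ == "__main__":
    counts, flows = summarize(SAMPLE_LOG, "192.0.2.10")
    for kind, n in sorted(counts.items()):
        print(f"{kind:14s} {n}")
    print(f"late FIN/RST share of TCP drops: {late_ratio(counts):.0%} across {len(flows)} flows")
```

Each flow in the `late-fin-rst` set is a client whose close or abort never reached the real server, which is exactly the symptom the thread reports: the server side of the connection lingers until it times out, and the client sees hangs on the next request. A healthy director with `nf_conntrack_tcp_be_liberal` set (or the NFCT patch applied) should drive that bucket towards zero while the `new-syn` bucket, which reflects deliberate policy, stays as it was.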