[lvs-users] IPVS with SNAT support on the kernel 2.6.36 + iptables v1.4.10

Julian Anastasov ja at ssi.bg
Wed Dec 15 00:28:17 GMT 2010


On Mon, 13 Dec 2010, Patrick Schaaf wrote:

> I just also tried 2.6.37-rc5. The same setup that was working on
>, although not with SNAT, is now completely broken.
> The SYN ACK back from the real server to the client, now hits the
> FORWARD chain, but without a conntrack in place (stateful
> ESTABLISHED,RELATED match does not trigger), thus the SYN ACK is
> dropped. Here is a LOG output at that point:
> Dec 13 11:29:34 gw1 kernel: [   72.972821] LRD IN=br0.2 OUT=br0.178
> PHYSIN=eth0.2 SRC= DST= LEN=52 TOS=0x00
> PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=44202 WINDOW=5840 RES=0x00
> corresponding ipvsadm -lcn (different run, thus different ports/realip):
> TCP 00:50  SYN_RECV
> There is no corresponding conntrack visible, as far as I can see.

 	2.6.37-rc1 comes with a new sysctl var "conntrack",
so that IPVS conns can use, update and keep conntracks.
This support is automatically enabled for FTP connections because
2.6.36 comes with such a requirement. If not enabled, the
conntracks are destroyed after the packet is forwarded.

 	You are not using ip_vs_ftp and I'm not sure if you
configured CONFIG_IP_VS_NFCT in 2.6.37-rc5. While
2.6.36 uses conntracks by default, 2.6.37-rc1 makes
it optional, so you should enable CONFIG_IP_VS_NFCT if
CONFIG_IP_VS_FTP did not enable it already.

> Under, there is also no conntrack visible, but the connection
> becomes ESTABLISHED and works.

 	Hm, I think IPVS should keep conntracks in 2.6.36.
It seems conntracks are destroyed for some reason, maybe a
missing netfilter module? You can check this file for more info:


 	One part is for old kernels, some details are for
recent ones. Note that all/rp_filter=1 can cause problems
for setups with DEV/rp_filter=0. Latest kernels change
the rp_filter formula from AND to MAX.


Julian Anastasov <ja at ssi.bg>
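An added example, not from this thread or the LVS project: a small POSIX shell audit that checks the three things the reply above turns on, whether CONFIG_IP_VS_NFCT is in the kernel config, what net.ipv4.vs.conntrack is set to, and what rp_filter value a device ends up with under the older AND formula versus the newer MAX one. File paths are passed as arguments (on a live director they would be /boot/config-$(uname -r) and /proc/sys/net/ipv4/vs/conntrack); the formula labels "and"/"max", the function names and the demo's constructed config file are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit an IPVS director for the conditions
# discussed above. All inputs are file paths or values passed as arguments so
# the functions can be exercised on copied files; nothing here changes settings.

# ipvs_nfct_enabled CONFIG_FILE
#   Exit 0 when CONFIG_IP_VS_NFCT is built in (y) or modular (m).
#   Live system: /boot/config-$(uname -r), or zcat /proc/config.gz > file.
ipvs_nfct_enabled() {
    grep -qE '^CONFIG_IP_VS_NFCT=(y|m)$' "$1"
}

# ipvs_conntrack_sysctl SYSCTL_FILE
#   Print the value of net.ipv4.vs.conntrack read from SYSCTL_FILE
#   (normally /proc/sys/net/ipv4/vs/conntrack). Prints "absent" when the
#   file is missing, which is what a kernel built without CONFIG_IP_VS_NFCT
#   looks like.
ipvs_conntrack_sysctl() {
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else echo absent; fi
}

# effective_rp_filter FORMULA ALL DEV
#   FORMULA is "and" (older kernels: all AND dev, treated as booleans) or
#   "max" (newer kernels: max(all, dev)). The labels are mine. Prints the
#   rp_filter value the kernel actually applies on the device.
effective_rp_filter() {
    case "$1" in
        and) if [ "$2" -ne 0 ] && [ "$3" -ne 0 ]; then echo 1; else echo 0; fi ;;
        max) if [ "$2" -gt "$3" ]; then echo "$2"; else echo "$3"; fi ;;
        *)   echo "unknown rp_filter formula: $1" >&2; return 2 ;;
    esac
}

# audit_director CONFIG_FILE SYSCTL_FILE FORMULA ALL_RP DEV_RP
#   One finding per line; exit 0 only when every check passes.
audit_director() {
    audit_status=0
    if ipvs_nfct_enabled "$1"; then
        echo "ok:   CONFIG_IP_VS_NFCT is enabled"
    else
        echo "FAIL: CONFIG_IP_VS_NFCT not set; IPVS destroys conntracks after forwarding"
        audit_status=1
    fi
    ct=$(ipvs_conntrack_sysctl "$2")
    case "$ct" in
        1) echo "ok:   net.ipv4.vs.conntrack=1" ;;
        0) echo "FAIL: net.ipv4.vs.conntrack=0; stateful FORWARD rules will not see IPVS flows"
           audit_status=1 ;;
        *) echo "FAIL: net.ipv4.vs.conntrack unavailable ($ct)"
           audit_status=1 ;;
    esac
    eff=$(effective_rp_filter "$3" "$4" "$5") || return 2
    if [ "$5" -eq 0 ] && [ "$eff" -ne 0 ]; then
        echo "WARN: all/rp_filter=$4 overrides dev/rp_filter=0 under the $3 formula (effective $eff)"
        audit_status=1
    else
        echo "ok:   effective rp_filter=$eff"
    fi
    return $audit_status
}

# Demo on constructed inputs: a 2.6.37-style kernel config where the new
# option was not selected, and a MAX-formula kernel with all/rp_filter=1
# but dev/rp_filter=0. Both problems from the reply show up as findings.
demo_dir=$(mktemp -d)
printf '# CONFIG_IP_VS_NFCT is not set\nCONFIG_IP_VS=m\n' > "$demo_dir/config"
audit_director "$demo_dir/config" "$demo_dir/no-such-sysctl" max 1 0 \
    || echo "director needs attention (exit $?)"
rm -rf "$demo_dir"
```

On a director that passes all three checks the SYN ACK from the real server matches an existing conntrack, so a FORWARD rule with `-m state --state ESTABLISHED,RELATED` accepts it; the audit exits non-zero as soon as any one of the conditions is missing, which is the situation the quoted LOG line describes.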
