On Thursday 17 April 2008 12:25:54 Jason Stubbs wrote: > On Wednesday 16 April 2008 18:10:52 Julian Anastasov wrote: > > It is interesting what is -m state in Netfilter when > > no replies are forwarded for LVS-DR setups, replies go directly > > from real server to client. Are you sure long established connections > > do not timeout shorter due to bad state in netfilter? May be > > conntrack_tcp will be confused that only one direction works? > > This is currently working, but shouldn't be. When forwarding to a regular > server via the LVS box, a conntrack entry in the SYN_SENT state is set up > and no further traffic is allowed. When forwarding for a VIP, traffic is > flowing through regardless of whether there's a conntrack entry or not. It > must be something that ip_vs_out is doing so I'll look into it a little > more and try to fix it. On further investigation, the behaviour is the same regardless of whether it is a VIP or a real host. When a SYN_SENT state exists traffic doesn't flow. However, if there is no state and an ACK (no SYN) packet arrives, an ESTABLISHED entry is created such as: ipv4 2 tcp 6 431996 ESTABLISHED src=192.168.0.104 dst=192.168.1.3 sport=20001 dport=80 packets=1 bytes=54 [UNREPLIED] src=192.168.1.3 dst=192.168.0.104 sport=80 dport=20001 packets=0 bytes=0 mark=0 use=1 After this the connection can complete normally. I wonder if this is not a bug in conntrack handling? It doesn't seem right to me. -- Jason Stubbs <j.stubbs@xxxxxxxxxxxxxxx> LINKTHINK INC. 東京都渋谷区桜ヶ丘町22-14 N.E.S S棟 3F TEL 03-5728-4772 FAX 03-5728-4773 -- To unsubscribe from this list: send the line "unsubscribe lvs-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
