On Friday 18 April 2008 16:14:29 Julian Anastasov wrote:
> Hello,
>
> On Thu, 17 Apr 2008, Jason Stubbs wrote:
>
> > On further investigation, the behaviour is the same regardless of whether
> > it is a VIP or a real host. When a SYN_SENT state exists traffic doesn't
> > flow. However, if there is no state and an ACK (no SYN) packet arrives,
> > an ESTABLISHED entry is created such as:
>
> This conntrack does not look good, dst=192.168.1.3 in
> original direction is RIP instead of VIP.

That is because this testing was done by accessing the host's IP directly.

> > After this the connection can complete normally. I wonder if this is not
> > a bug in conntrack handling? It doesn't seem right to me.
>
> loose flag has different purpose:
>
> /* If it is set to zero, we disable picking up already established
> connections. */
> static int nf_ct_tcp_loose __read_mostly = 1;

This is what I was testing. I wasn't aware of the flag until just a couple of
hours ago.

With outgoing packets leaving via a different gateway and connection tracking
enabled and --state NEW rules in place, the following happens:

1. client sends SYN
2. director sets up SYN_SENT state and forwards SYN
3. server receives SYN
4. server sends SYN/ACK via other gateway
5. client receives SYN/ACK and sends ACK
6. director sees SYN_SENT entry without a SYN/ACK and blocks ACK
   (4-6 are repeated a few times as server assumes the SYN/ACK got lost)
7. SYN_SENT entry times out and is deleted on the director
8. server sends SYN/ACK via other gateway
9. client receives SYN/ACK and sends ACK
10. director assumes an active connection and creates an ESTABLISHED entry
11. traffic flows fine until the end of the connection

Not being aware of the tcp_loose setting, steps 8-11 were confusing to me,
which is why I was testing direct access to the server. Behaviour with a VIP
is the same.
Conntrack entries with both LVS-NAT and LVS-DR (when the director is also the
return gateway) look like this:

ipv4     2 tcp      6 431996 ESTABLISHED src=192.168.0.104 dst=192.168.0.7 sport=35235 dport=80 packets=3 bytes=176 src=192.168.0.7 dst=192.168.0.104 sport=80 dport=35235 packets=1 bytes=60 [ASSURED] mark=0 use=1

iptables rules are:

# iptables -A FORWARD -p tcp -d 192.168.0.7 --dport 80 \
    -m state --state NEW -j ACCEPT
# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -P FORWARD DROP

-- 
Jason Stubbs <j.stubbs@xxxxxxxxxxxxxxx>
LINKTHINK INC.
22-14 Sakuragaoka-cho, Shibuya-ku, Tokyo, N.E.S Bldg. S Wing 3F
TEL 03-5728-4772 FAX 03-5728-4773
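The eleven-step sequence in the mail, replayed against a constructed model of the director's conntrack state and the FORWARD rules quoted above (added example, not code from the mail or from the netfilter project). It assumes a 120 s SYN_SENT timeout and a single flow, and it also runs the same sequence with the pick-up disabled (nf_ct_tcp_loose = 0) to show that the ACK is then dropped instead of creating an ESTABLISHED entry.

```python
# Constructed model (not code from the mail): the director's conntrack view of
# the asymmetric-routing sequence.  Assumes a 120 s SYN_SENT timeout and tracks
# one client->server flow; only original-direction packets matter because the
# SYN/ACK leaves via the other gateway and never traverses the director.
SYN, ACK = "SYN", "ACK"
SYN_SENT_TIMEOUT = 120          # assumption: nf_conntrack tcp SYN_SENT timeout

class Director:
    """Simplified conntrack plus the FORWARD rules from the mail: NEW accepted
    for a SYN to the service port, RELATED/ESTABLISHED accepted, policy DROP."""
    def __init__(self, tcp_loose=True):
        self.tcp_loose = tcp_loose   # models nf_ct_tcp_loose
        self.entry = None            # (state, expiry) of the tracked flow

    def _state(self, now):
        if self.entry and self.entry[1] <= now:
            self.entry = None        # step 7: SYN_SENT entry timed out
        return self.entry[0] if self.entry else None

    def forward(self, flag, now):
        """Verdict for a client->server packet carrying `flag` at time `now`."""
        state = self._state(now)
        if state is None:
            if flag == SYN:          # step 2: new entry, ctstate NEW matches
                self.entry = ("SYN_SENT", now + SYN_SENT_TIMEOUT)
                return "ACCEPT"
            if flag == ACK and self.tcp_loose:
                # step 10: mid-stream pick-up, entry created as ESTABLISHED
                self.entry = ("ESTABLISHED", now + 431996)
                return "ACCEPT"
            return "DROP"            # tcp_loose=0: ACK without state is INVALID
        if state == "SYN_SENT":
            # step 6: the SYN/ACK was never seen, so an ACK is INVALID in
            # SYN_SENT; it matches neither NEW nor ESTABLISHED -> policy DROP
            return "DROP" if flag == ACK else "ACCEPT"
        return "ACCEPT"              # step 11: ESTABLISHED traffic flows

def replay(tcp_loose=True):
    """Replay steps 1-11 of the mail; returns the director's verdicts in order."""
    d = Director(tcp_loose)
    verdicts = [d.forward(SYN, 0)]                           # steps 1-2
    verdicts += [d.forward(ACK, t) for t in (1, 4, 10, 22)]  # steps 5-6, retried
    verdicts.append(d.forward(ACK, 130))                     # steps 8-10 after expiry
    verdicts.append(d.forward(ACK, 131))                     # step 11
    return verdicts
```

With tcp_loose left at its default of 1 the replay yields the ACCEPT/DROP pattern described in the mail; with it set to 0 the connection never recovers after the SYN_SENT entry expires.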