On Tue, Sep 23, 2008 at 3:21 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
>
> On Tuesday 2008-09-23 09:13, Julius Volz wrote:
>>
>>Ok, the SYN/ACK from the backend is logged as --cstate INVALID in
>>PREROUTING and INPUT. This means that Netfilter thinks it doesn't
>>belong to any connection, although it just SNATed the SYN to the
>>backend correctly? Hmm... how can this be?
>
> That probably means skb->nfct is lost (set to NULL, which is what INVALID
> indicates) after SNAT (PREROUTING), when IPVS kicks in.

But at PREROUTING, the skb hasn't seen any part of IPVS yet. And the
prior SNAT for the SYN packet happened in POSTROUTING after all of
IPVS was finished. Basically, there should be no IPVS involved from
the time that the SYN is correctly SNATed and the time that the
SYN/ACK is not. Please correct me if I'm missing something here...

Julius

--
Julius Volz - Corporate Operations - SysOps

Google Switzerland GmbH - Identification No.: CH-020.4.028.116-1