On Thu, Aug 30, 2012 at 07:49:24PM +0200, Oliver wrote: > On Thursday 30 August 2012 18:22:48 you wrote: > > Unfortunately, asymmetric active-active is a crazy setup for conntrack > > (documentation already discuss this). The state synchronization that > > we are doing is asynchronous, so state-updates race with TCP packet. > > We don't support this, sorry. > > The environment does fulfil the assumptions necessary for replication to happen > within the handshake so under 3.2 there is no issue with handshakes completing > under an asymmetric path. Interesting, how are those assumptions fulfilled? > Nonetheless, what doesn't make sense is that this operates under 3.2 and not > 3.4 - also is the fact that having a "-j CT --notrack" on specific traffic (i.e. > asymmetric should not matter because there is no stateful tracking) Agreed. But I don't come with any netfilter change that may result in that problem you're reporting. You'll have to debug this and get back to me with more information. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
