On Thu, Aug 27, 2015 at 12:57:42PM +0200, Arturo Borrero Gonzalez wrote: > Hi, > > The documentation about DisableExternalCache reads: > > <<< > [...] > You can also use this option with the NOTRACK and ALARM modes. > This increases CPU consumption in the backup firewall but now you do not > need to commit the flow-states during the master failures since they are > already in the in-kernel Connection Tracking table. Moreover, you save > memory in the backup firewall since you do not need to store the > foreign flow-states anymore. > >>> > > However, the config parser doesn't allows it. Patch seems rather trivial: > > diff --git a/src/read_config_yy.y b/src/read_config_yy.y > index 73fabbf..d53aa70 100644 > --- a/src/read_config_yy.y > +++ b/src/read_config_yy.y > @@ -908,6 +908,7 @@ sync_mode_alarm_line: refreshtime > | purge > | relax_transitions > | delay_destroy_msgs > + | disable_external_cache > ; > > sync_mode_ftfw_list: > > > However, there seems to be some missing bits somewhere, the backup > node prints this in the logs: > > [...] > [Thu Aug 27 12:49:46 2015] (pid=15176) [ERROR] inject-add2: No such > file or directory > Thu Aug 27 12:49:46 2015 tcp 6 17949 ESTABLISHED > src=192.162.26.14 dst=192.168.5.134 sport=39089 dport=2015 [ASSURED] > mark=0 > [Thu Aug 27 12:49:56 2015] (pid=15176) [ERROR] inject-add2: No such > file or directory > Thu Aug 27 12:49:56 2015 tcp 6 17949 ESTABLISHED > src=192.162.26.14 dst=192.168.5.134 sport=39089 dport=2015 [ASSURED] > mark=0 > [...] > > Note, always the same connection. In my busy test environment, this > ENOENT happens every few seconds Perhaps a race condition somewhere? > > I would appreciate any hint/advice/pointer. Are these FTP data flows? I'm asking this because the master connection (control flow) may be missing in the conntrack table, thus the ENOENT error. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
