Hi,

I have a Linux netfilter cluster with keepalived to perform high availability. The master runs a 2.6.12 kernel and the backup runs a 2.4.26 kernel (both from kernel.org without patches).

I have the same iptables config on both firewalls (only the useful rules are pasted below):

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j drop_invalid
-A FORWARD -m state --state INVALID -j drop_invalid
-A OUTPUT -m state --state INVALID -j drop_invalid
-A drop_invalid -j LOG --log-prefix "INVALID state -- DENY " --log-level 7
-A drop_invalid -j DROP
---
-A INPUT -d 10.24.240.0/255.255.248.0 -m state --state NEW -j ACCEPT
-A INPUT -s 10.24.240.0/255.255.248.0 -m state --state NEW -j ACCEPT
-A OUTPUT -d 10.24.240.0/255.255.248.0 -m state --state NEW -j ACCEPT
-A OUTPUT -s 10.24.240.0/255.255.248.0 -m state --state NEW -j ACCEPT
-A FORWARD -d 10.24.240.0/255.255.248.0 -m state --state NEW -j ACCEPT
-A FORWARD -s 10.24.240.0/255.255.248.0 -m state --state NEW -j ACCEPT
---

When I swap all the connections to the backup firewall by stopping the keepalived daemon on the master, the connections are correctly forwarded through the backup and I can see the new entry in /proc/net/ip_conntrack (this is a VNC stream, the connection is never idle so the sequence number is increasing quickly). BUT when I restart the keepalived daemon to make the connection go back through the master firewall 30 seconds after the first swap, I get the following logs:

INVALID state -- DENY IN=eth0.730 OUT=eth0.732 SRC=172.18.130.194 DST=10.24.247.253 LEN=46 TOS=0x00 PREC=0x00 TTL=126 ID=46274 DF PROTO=TCP SPT=1522 DPT=5901 WINDOW=17520 RES=0x00 ACK PSH URGP=0
INVALID state -- DENY IN=eth0.732 OUT=eth0.730 SRC=10.24.247.253 DST=172.18.130.194 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=30732 DF PROTO=TCP SPT=5901 DPT=1522 WINDOW=5840 RES=0x00 ACK URGP=0
INVALID state -- DENY IN=eth0.732 OUT=eth0.730 SRC=10.24.247.253 DST=172.18.130.194 LEN=1040 TOS=0x00 PREC=0x00 TTL=63 ID=30733 DF PROTO=TCP SPT=5901 DPT=1522 WINDOW=5840 RES=0x00 ACK PSH URGP=0
INVALID state -- DENY IN=eth0.730 OUT=eth0.732 SRC=172.18.130.194 DST=10.24.247.253 LEN=46 TOS=0x00 PREC=0x00 TTL=126 ID=46276 DF PROTO=TCP SPT=1522 DPT=5901 WINDOW=17520 RES=0x00 ACK PSH URGP=0

But the connection is still present in /proc/net/ip_conntrack:

tcp 6 431933 ESTABLISHED src=172.18.130.194 dst=10.24.247.253 sport=1522 dport=5901 src=10.24.247.253 dst=172.18.130.194 sport=5901 dport=1522 [ASSURED] use=1

When I swap the master with the backup it works correctly (2.4.26 -> 2.6.12 -> 2.4.26 instead of 2.6.12 -> 2.4.26 -> 2.6.12).

It seems that 2.6.12 is checking the TCP sequence number for conntracking... but I don't use patch-o-matic.

This configuration works well with 2 firewalls with 2.4.26 kernels.

Any ideas?

Regards,
---
Pierre Westeel
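The diagnostic step behind this post is to check whether the packets logged as INVALID belong to a flow that conntrack still holds, which separates a missing-entry problem from a per-packet check (such as 2.6 TCP window tracking) rejecting packets of an entry that exists. The following is an added example, not code from the post or from netfilter; it parses iptables LOG lines and /proc/net/ip_conntrack entries shaped like the ones above (the samples are constructed, the 192.0.2.10 flow is invented to show the no-entry case) and reports the conntrack state found for each dropped flow.

```python
import re

# Constructed sample input in the shape of the post's iptables LOG lines and
# /proc/net/ip_conntrack entry; the 192.0.2.10 flow is invented to show a flow
# with no conntrack entry at all.
LOG_LINES = [
    "INVALID state -- DENY IN=eth0.730 OUT=eth0.732 SRC=172.18.130.194 DST=10.24.247.253 LEN=46 TOS=0x00 PREC=0x00 TTL=126 ID=46274 DF PROTO=TCP SPT=1522 DPT=5901 WINDOW=17520 RES=0x00 ACK PSH URGP=0",
    "INVALID state -- DENY IN=eth0.732 OUT=eth0.730 SRC=10.24.247.253 DST=172.18.130.194 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=30732 DF PROTO=TCP SPT=5901 DPT=1522 WINDOW=5840 RES=0x00 ACK URGP=0",
    "INVALID state -- DENY IN=eth0.730 OUT=eth0.732 SRC=192.0.2.10 DST=10.24.247.253 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=1 DF PROTO=TCP SPT=40000 DPT=5901 WINDOW=5840 RES=0x00 ACK URGP=0",
]
CONNTRACK_LINES = [
    "tcp 6 431933 ESTABLISHED src=172.18.130.194 dst=10.24.247.253 sport=1522 dport=5901 src=10.24.247.253 dst=172.18.130.194 sport=5901 dport=1522 [ASSURED] use=1",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_log(line):
    """Flow key (proto, src, sport, dst, dport) of a TCP iptables LOG line, else None."""
    f = dict(KV.findall(line))
    if f.get("PROTO") != "TCP":
        return None
    return ("tcp", f["SRC"], int(f["SPT"]), f["DST"], int(f["DPT"]))


def parse_conntrack(line):
    """State and both directions' flow keys of one /proc/net/ip_conntrack line.

    Keys repeat (original tuple first, reply tuple second), so they are read
    positionally: src dst sport dport src dst sport dport.
    """
    parts = line.split()
    proto, state = parts[0], parts[3]
    v = [val for key, val in KV.findall(line) if key in ("src", "dst", "sport", "dport")]
    orig = (proto, v[0], int(v[2]), v[1], int(v[3]))
    reply = (proto, v[4], int(v[6]), v[5], int(v[7]))
    return state, (orig, reply)


def classify(log_lines, conntrack_lines):
    """Map each INVALID-logged flow to the conntrack state held for it, or None.

    A state such as ESTABLISHED means the entry exists and the drop comes from a
    per-packet check on that entry; None means conntrack has no entry for the flow.
    """
    table = {}
    for line in conntrack_lines:
        state, keys = parse_conntrack(line)
        for key in keys:
            table[key] = state
    return {key: table.get(key)
            for key in (parse_log(l) for l in log_lines if "INVALID" in l) if key}
```

On 2.6 kernels with TCP window tracking, the sysctl net.ipv4.netfilter.ip_conntrack_tcp_be_liberal (net.netfilter.nf_conntrack_tcp_be_liberal on later kernels) is the knob that relaxes the per-packet window check for entries found this way.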