Hi,

> Allow me to guess what happens.
> A SYN packet starting a new connection is received by the load-balancer.
> It contains no data, so it cannot match the NOTRACK rule. The conntrack
> creates a new entry for that connection. Then the packet - and the whole
> connection - is DNATed to one web server, and the conntrack entry is updated
> accordingly. This means that all subsequent incoming packets identified by the
> conntrack as belonging to that connection will be DNATed to the same web server.
> The 3-way TCP handshake (SYN/ACK from the server, ACK from the client) completes.
> Then comes the packet carrying the HTTP request containing the string. This packet is
> UNTRACKED, so it is not DNATed and reaches the TCP layer of the load balancer.
> But it is not a SYN packet, and it does not match any local socket because the local
> TCP layer did not see the 3-way handshake. So it is dropped, maybe triggering a TCP
> RST packet back to the client (not sure about that).

You are absolutely right (including the RST part). Thanks.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
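The packet-by-packet reasoning in the quoted reply, as an added illustration that is not part of the original thread or of the netfilter code base. It is a deliberately small Python model of conntrack, the DNAT decision and a raw-table NOTRACK rule with a string match; the addresses, port, HTTP request text and the "app1" pattern are constructed, and the local TCP layer is a stand-in that answers RST to any non-SYN segment it has no socket for. The model encodes the property the reply relies on: the NAT mapping is consulted only on the first packet of a connection, and an UNTRACKED packet bypasses conntrack and therefore NAT entirely.

```python
"""Model of the failure mode from the reply: -m string ... -j NOTRACK in raw/PREROUTING
combined with a DNAT rule in nat/PREROUTING on a load balancer.
Added illustration, not netfilter code; addresses, port and payload are constructed."""
from dataclasses import dataclass, replace

CLIENT_IP, LB_IP, BACKEND_IP = "198.51.100.7", "10.0.0.1", "10.0.1.10"  # constructed


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str               # TCP flags as letters: S, SA, A, PA
    payload: bytes = b""
    untracked: bool = False  # set by the raw-table NOTRACK rule


class Conntrack:
    """Stand-in for nf_conntrack + nf_nat: one entry per original tuple, holding the
    DNAT destination decided when the connection's first packet was seen."""

    def __init__(self):
        self.entries = {}  # (src, sport, dst, dport) -> NATed destination IP

    def incoming(self, p, dnat_target):
        """Client -> LB direction (PREROUTING). Returns the packet as it will be routed."""
        if p.untracked:
            return p  # no lookup, no entry, no NAT: destination stays LB_IP
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.entries:
            # First packet of a new connection: the only point at which the DNAT
            # rule is consulted. The mapping is then fixed for the connection.
            self.entries[key] = dnat_target
        return replace(p, dst=self.entries[key])

    def outgoing(self, p):
        """Backend -> client reply direction: undo the DNAT so the client sees LB_IP."""
        for (src, sport, dst, dport), mapped in self.entries.items():
            if (p.src, p.sport, p.dst, p.dport) == (mapped, dport, src, sport):
                return replace(p, src=dst)
        return p


def raw_prerouting(p, notrack_pattern):
    """raw/PREROUTING: -m string --string <pattern> -j NOTRACK.
    A segment without payload can never match a string rule."""
    if notrack_pattern is not None and notrack_pattern in p.payload:
        return replace(p, untracked=True)
    return p


def local_tcp_stack(p, established=frozenset()):
    """LB's own TCP layer: a non-SYN segment with no matching socket is answered
    with a RST (the local stack never saw the handshake, which went to the backend)."""
    if "S" in p.flags and "A" not in p.flags:
        return "syn-to-local-listener"
    if (p.src, p.sport, p.dport) in established:
        return "delivered-local"
    return "rst"


def deliver(p):
    """Where a packet ends up after PREROUTING and routing."""
    if p.dst == BACKEND_IP:
        return "backend"
    if p.dst == CLIENT_IP:
        return "client"
    return local_tcp_stack(p)


def run_scenario(notrack_pattern):
    """Replay the four packets from the reply; returns where each one ended up."""
    ct = Conntrack()
    outcomes = []

    def from_client(flags, payload=b""):
        p = Packet(CLIENT_IP, 40000, LB_IP, 80, flags, payload)
        p = raw_prerouting(p, notrack_pattern)
        outcomes.append(deliver(ct.incoming(p, BACKEND_IP)))

    from_client("S")  # 1. SYN: no data, cannot match the string rule -> tracked, DNATed
    # 2. SYN/ACK from the backend: reply direction, DNAT reversed, reaches the client
    outcomes.append(deliver(ct.outgoing(Packet(BACKEND_IP, 80, CLIENT_IP, 40000, "SA"))))
    from_client("A")  # 3. client ACK: still no data -> follows the existing mapping
    # 4. the HTTP request carrying the matched string (constructed request line)
    from_client("PA", b"GET /app1 HTTP/1.1\r\nHost: example.test\r\n\r\n")
    return outcomes


if __name__ == "__main__":
    print("with NOTRACK string rule:", run_scenario(b"app1"))
    print("without it:              ", run_scenario(None))
```

With the string-matching NOTRACK rule in place, the first three segments go to the backend and the client as expected, and the fourth, the one with the request body, is the only one that matches the rule; it is untracked, keeps LB_IP as its destination, and is answered by the load balancer's own TCP layer with a RST. Removing the rule sends the same segment to the backend. On a real host the same observation would be made on the data segment rather than on the handshake, which is why the handshake looks healthy in a capture.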