Pablo,

Pablo Neira Ayuso wrote:
> Hm, the new script does exactly the same when the node becomes primary
> as it used to do script_master.sh, so I cannot find a reason why the new
> script does it worse.

It does worse than my own script (with the horrible workaround). It does
equally well as your original script.

> During the fail-over, keepalived recovers the virtual IPs and conntrackd
> commits the states into the kernel. The commit takes very little time, but
> you can still lose some packets if the state is not yet present in the
> kernel - thus, these packets are logged as invalid and dropped as we
> don't find any matching state (with a sane stateful rule-set, of
> course). *However*, the TCP sessions should recover as the peer or the
> server retransmits the packet shortly after, so I don't understand why you
> lose nearly all the sessions.

Agreed. My problem is, it doesn't recover. It keeps dropping packets as
long as the test runs (the test stops at some point in time with socket
timeouts).

> Is the firewall sending RST packets to the peer/server to close
> connections? If so, I remember a similar report with a RHEL kernel:

Will check tomorrow.

> conntrack -F should be enough, there's something wrong in the kernel.
> There were other issues related with nat.

This is happening entirely without NAT. And it is only appearing while
using conntrackd and doing a failover. With a standalone firewall, I
cannot reproduce this behavior. I haven't tested any other software using
netlink, e.g. ULOG, though.

Best regards
Bernhard
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
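The check Pablo asks for ("is the firewall sending RST packets to the peer/server?") and the "packets logged as invalid and dropped" symptom can both be answered from two captures taken at the moment of the take-over, one on each interface of the firewall. The script below is an added example, not code from this thread or from the conntrackd project. It assumes `tcpdump -nn` text output in its default single-token timestamp format, a firewall that forwards without NAT (as Bernhard states), and `conntrack -S` output of the form `cpu=N found=.. invalid=.. ...`; the captures and counters embedded in it are constructed samples, not data from the reporter's setup. The idea behind the RST check: a RST generated by the firewall itself (for example by `REJECT --reject-with tcp-reset`) is spoofed with the other peer's address as source, so it shows up on exactly one interface, while a RST from a real peer crosses both. The same comparison yields the segments that entered on one side and never left the other, i.e. the ones dropped as INVALID.

```python
"""Added diagnostic for a conntrackd fail-over (example, not the thread's own code).

Given `tcpdump -nn` text captured on the firewall's outside and inside
interfaces during the take-over, report
  (a) segments seen on one side that never left the other (dropped), and
  (b) RST segments present on only one side, which the firewall itself
      must have generated (a REJECT tcp-reset RST is spoofed with the far
      peer's address, so it never crosses the far interface),
and sum the per-CPU `invalid=` counter of `conntrack -S` before/after.
All sample input below is constructed for this example.
"""
import re

# One TCP line of `tcpdump -nn` (default timestamp, no NAT assumed).
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
)


def parse_tcpdump(text):
    """Parse TCP lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            d = m.groupdict()
            d["seq"] = int(d["seq"]) if d["seq"] is not None else None
            d["ack"] = int(d["ack"]) if d["ack"] is not None else None
            pkts.append(d)
    return pkts


def key(p):
    # Identity of a segment across the two interfaces. Timestamps differ
    # per interface and are excluded; with NAT the addresses would have to
    # be translated before comparing (not needed in the thread's setup).
    return (p["src"], p["sport"], p["dst"], p["dport"], p["flags"], p["seq"], p["ack"])


def unmatched(a, b):
    """Segments in capture a that never appear in capture b."""
    seen = {key(p) for p in b}
    return [p for p in a if key(p) not in seen]


def firewall_generated_rsts(outside, inside):
    """RSTs present on exactly one interface: produced by the firewall."""
    one_sided = unmatched(outside, inside) + unmatched(inside, outside)
    return [p for p in one_sided if "R" in p["flags"]]


def dropped_segments(outside, inside):
    """Non-RST segments that entered on one side and never left the other."""
    one_sided = unmatched(outside, inside) + unmatched(inside, outside)
    return [p for p in one_sided if "R" not in p["flags"]]


CT_STAT_RE = re.compile(r"(\w+)=(\d+)")


def invalid_total(conntrack_s_output):
    """Sum the `invalid=` counter over all `cpu=N` lines of `conntrack -S`."""
    total = 0
    for line in conntrack_s_output.splitlines():
        fields = dict(CT_STAT_RE.findall(line))
        if "cpu" in fields:
            total += int(fields.get("invalid", 0))
    return total


# Constructed captures: client .10's data segment is dropped and answered
# with a firewall-generated RST; client .11's SYN is forwarded and the
# server's own RST to it is seen on both interfaces.
OUTSIDE = """\
10:00:00.000100 IP 192.168.1.10.51234 > 10.0.0.5.443: Flags [P.], seq 1:101, ack 1, win 500, length 100
10:00:00.000250 IP 10.0.0.5.443 > 192.168.1.10.51234: Flags [R.], seq 1, ack 101, win 0, length 0
10:00:00.000300 IP 192.168.1.11.51235 > 10.0.0.5.443: Flags [S], seq 0, win 64240, length 0
10:00:00.000600 IP 10.0.0.5.443 > 192.168.1.11.51235: Flags [R.], seq 0, ack 1, win 0, length 0
"""
INSIDE = """\
10:00:00.000350 IP 192.168.1.11.51235 > 10.0.0.5.443: Flags [S], seq 0, win 64240, length 0
10:00:00.000500 IP 10.0.0.5.443 > 192.168.1.11.51235: Flags [R.], seq 0, ack 1, win 0, length 0
"""
# Constructed `conntrack -S` snapshots taken before and after the take-over.
CT_BEFORE = """\
cpu=0 found=10 invalid=2 ignore=0 insert=5 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=1 found=8 invalid=1 ignore=0 insert=4 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
"""
CT_AFTER = """\
cpu=0 found=11 invalid=40 ignore=0 insert=5 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=1 found=9 invalid=37 ignore=0 insert=4 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
"""


def report(outside_text=OUTSIDE, inside_text=INSIDE, ct_before=CT_BEFORE, ct_after=CT_AFTER):
    o, i = parse_tcpdump(outside_text), parse_tcpdump(inside_text)
    return {
        "firewall_rsts": firewall_generated_rsts(o, i),
        "dropped": dropped_segments(o, i),
        "invalid_delta": invalid_total(ct_after) - invalid_total(ct_before),
    }


if __name__ == "__main__":
    r = report()
    for p in r["firewall_rsts"]:
        print("firewall RST  %s:%s -> %s:%s" % (p["src"], p["sport"], p["dst"], p["dport"]))
    for p in r["dropped"]:
        print("dropped       %s:%s -> %s:%s" % (p["src"], p["sport"], p["dst"], p["dport"]))
    print("invalid counter grew by", r["invalid_delta"])
```

An `invalid` delta that keeps growing for the whole test run, together with one-sided RSTs, points at the firewall actively resetting flows rather than at a transient gap while the states are committed; an `invalid` delta that stops growing once the commit is through is the benign case Pablo describes, where retransmissions let the sessions recover.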