Bernhard Bock wrote:
>> 1) does /var/log/conntrackd.log - or syslog - tell anything relevant?
>> Are the entries being committed to kernel-space successfully?
>
> according to both conntrackd.log and syslog, entries are being committed.
> I see no relevant negative entries in both logs (except of course the
> INVALID packets).
>
>> 2) Can you see the committed entries in the kernel via `conntrack -L'
>> after the fail-over?
>
> yes.
>
>> 3) Are you noticing any abnormal CPU consumption?
>
> no.

Is there any pattern in the invalid log messages that your rule-set matches during the fail-over? Are the packets hitting invalid or new-not-syn in your rule-set?

Can you check if the packets that are logged as invalid have a state-entry? Just take one of the log messages and do `conntrack -L -p tcp --dport XYZW' to check if there is a state-entry about that connection while it keeps logging the packet, as such a state-entry would not exist.

Are you noticing state-entries marked as UNREPLIED in TCP states != SYN_SENT?

--
"The honest are social misfits" -- Les Luthiers
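The two checks suggested above (does a packet logged as INVALID have a state-entry, and are there UNREPLIED entries in TCP states other than SYN_SENT), as an added Python example that is not part of this thread. It parses a constructed `conntrack -L` text dump and a constructed iptables LOG line instead of querying the kernel; the column layout assumed is the conntrack-tools text output (`proto protonum timeout [state] src= dst= sport= dport= [UNREPLIED] src= dst= sport= dport= [ASSURED] mark= use=`).

```python
import re

# Constructed sample of `conntrack -L` output (conntrack-tools text layout, not from the thread).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=40001 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=192.0.2.11 dst=198.51.100.5 sport=40002 dport=22 [UNREPLIED] src=198.51.100.5 dst=192.0.2.11 sport=22 dport=40002 mark=0 use=1
tcp      6 299 ESTABLISHED src=192.0.2.12 dst=198.51.100.5 sport=40003 dport=80 [UNREPLIED] src=198.51.100.5 dst=192.0.2.12 sport=80 dport=40003 mark=0 use=1
udp      17 29 src=192.0.2.13 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.13 sport=53 dport=5353 mark=0 use=1
"""

# Constructed iptables LOG line for a packet (a server-side RST/ACK) the rule-set matched as INVALID.
SAMPLE_LOG = "Jan  1 00:00:00 fw kernel: INVALID: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=40001 WINDOW=0 RES=0x00 ACK RST URGP=0"

KV = re.compile(r"(\w+)=(\S+)")

def parse_conntrack(text):
    """Return one dict per entry: proto, TCP state, both tuples and the [FLAGS]."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue
        kv = KV.findall(line)               # src/dst/sport/dport pairs, then mark/use
        entries.append({
            "proto": cols[0],
            "state": cols[3] if cols[0] == "tcp" else None,  # only TCP carries a state column
            "orig": dict(kv[:4]),           # original direction
            "reply": dict(kv[4:8]),         # reply direction (the [UNREPLIED] tag has no '=' so it is skipped)
            "flags": set(re.findall(r"\[(\w+)\]", line)),
        })
    return entries

def parse_log(line):
    kv = dict(KV.findall(line))             # "OUT=" with an empty value is skipped by the regex
    return (kv["PROTO"].lower(), kv["SRC"], kv["DST"], kv["SPT"], kv["DPT"])

def find_entry(log_line, entries):
    """Return the entry whose original or reply tuple matches the logged packet, else None."""
    proto, src, dst, sport, dport = parse_log(log_line)
    for e in entries:
        for t in (e["orig"], e["reply"]):
            if e["proto"] == proto and (t["src"], t["dst"], t["sport"], t["dport"]) == (src, dst, sport, dport):
                return e
    return None

def unreplied_not_syn_sent(entries):
    """TCP entries still UNREPLIED in a state other than SYN_SENT: worth a look after a fail-over."""
    return [e for e in entries
            if e["proto"] == "tcp" and "UNREPLIED" in e["flags"] and e["state"] != "SYN_SENT"]
```

Feed it real output by replacing the two constructed samples with the text of `conntrack -L` and the log line in question; a `None` from `find_entry` is the "packet logged without a state-entry" case the thread asks about.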