SNAT: Large TCP/IP message transfers get RST and client sees a broken pipe

Hello,

We have an environment where a Linux machine/router front-ends a
number of back-end servers. There is a load balancing application that
accepts traffic on the router and distributes it to the back-end
servers. For outbound traffic initiated from the back-end servers, a
source NAT is performed via iptables at the router and a single
address on the router is presented to the outside machines.

The iptables rules used are attached below. The rules use NOTRACK so
that inbound traffic on the router is not tracked by netfilter, to
optimize for performance. Only outbound traffic initiated from the
backend servers and consequently routed via the router machine (and
SNAT) is tracked.

The problem noticed is that when large messages are sent from the
back-end servers via the router, we see that the router every so often
sends an RST to the back-end server during the transfer, which causes
the back-end server's client program to receive broken pipes on its
socket. This RST is initiated by the router running iptables, not by
the remote servers on the other side of the connection. tcpdump shows
that this happens most often when the remote end's window size tends
to get full. At times it is fine and when the window opens up again,
the transfer happens, but not always.

Any idea why this may be happening? This router Linux machine is
running a 2.6.21 kernel.

bash-3.1# iptables-save
# Generated by iptables-save v1.3.7 on Mon Mar 22 21:11:28 2010
*raw
:PREROUTING ACCEPT [30095585851:23421235702709]
:OUTPUT ACCEPT [17102137835:18546233922164]
-A PREROUTING -d 10.19.146.20 -i bond2 -j NOTRACK
-A PREROUTING -s 192.168.20.70 -j NOTRACK
-A PREROUTING -d 192.168.20.70 -j NOTRACK
-A PREROUTING -s 192.168.20.29 -j NOTRACK
-A PREROUTING -d 192.168.20.29 -j NOTRACK
-A OUTPUT -j NOTRACK
COMMIT
# Completed on Mon Mar 22 21:11:28 2010
# Generated by iptables-save v1.3.7 on Mon Mar 22 21:11:28 2010
*nat
:PREROUTING ACCEPT [189571442:11375958098]
:POSTROUTING ACCEPT [23:1524]
:OUTPUT ACCEPT [23:1524]
-A POSTROUTING -o bond2 -j SNAT --to-source 10.19.146.19
COMMIT
# Completed on Mon Mar 22 21:11:28 2010
# Generated by iptables-save v1.3.7 on Mon Mar 22 21:11:28 2010
*filter
:INPUT ACCEPT [23110551215:18872102517545]
:FORWARD ACCEPT [6985407923:4549206337631]
:OUTPUT ACCEPT [17102512004:18546293605454]
COMMIT
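One way to confirm the claim that the RSTs come from the router rather than the remote peers is to capture on both sides of the router and look for RSTs that reach the back-end interface without a matching RST having arrived on bond2. The script below is an added example, not part of the original post: it correlates two simplified tcpdump-style captures and flags RSTs that the router must have generated itself. The bond1 interface name, the 192.168.20.50/.51 back-end addresses, the 203.0.113.10 remote peer and the capture lines are all constructed assumptions; bond2 and 10.19.146.19 come from the post's iptables-save output.

```python
import re
from collections import namedtuple

# Constructed sample capture (not from the original post), one packet per line:
#   <iface> <seconds> <src>:<sport> > <dst>:<dport> <tcp-flags>
# bond1 is assumed to be the back-end-facing interface; bond2 is the external
# one from the post. The first RST reaches the back-end with no RST on bond2
# beforehand (router-generated); the second is a forwarded remote RST.
SAMPLE = """\
bond1 10.000 192.168.20.50:45012 > 203.0.113.10:80 P
bond2 10.001 10.19.146.19:45012 > 203.0.113.10:80 P
bond2 10.120 203.0.113.10:80 > 10.19.146.19:45012 .
bond1 10.121 203.0.113.10:80 > 192.168.20.50:45012 .
bond1 10.500 203.0.113.10:80 > 192.168.20.50:45012 R
bond1 20.000 192.168.20.51:33001 > 203.0.113.10:80 P
bond2 20.001 10.19.146.19:33001 > 203.0.113.10:80 P
bond2 20.300 203.0.113.10:80 > 10.19.146.19:33001 R
bond1 20.301 203.0.113.10:80 > 192.168.20.51:33001 R
"""

Pkt = namedtuple("Pkt", "iface ts src sport dst dport flags")
LINE = re.compile(r"(\S+) ([\d.]+) ([\d.]+):(\d+) > ([\d.]+):(\d+) (\S+)")

def parse(text):
    """Parse the simplified capture format above into Pkt records."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            iface, ts, src, sport, dst, dport, flags = m.groups()
            pkts.append(Pkt(iface, float(ts), src, int(sport), dst, int(dport), flags))
    return pkts

def router_originated_rsts(pkts, inside="bond1", outside="bond2", window=0.5):
    """Return RSTs seen on the inside interface that were not preceded (within
    `window` seconds) by an RST from the same remote endpoint on the outside
    interface. SNAT rewrites only the back-end side of the address pair, so the
    remote ip:port is stable across both captures and can be used as the key."""
    outside_rsts = [p for p in pkts if p.iface == outside and "R" in p.flags]
    suspects = []
    for p in pkts:
        if p.iface != inside or "R" not in p.flags:
            continue
        forwarded = any(o.src == p.src and o.sport == p.sport
                        and 0 <= p.ts - o.ts <= window for o in outside_rsts)
        if not forwarded:
            suspects.append(p)
    return suspects

if __name__ == "__main__":
    for p in router_originated_rsts(parse(SAMPLE)):
        print(f"router-generated RST at {p.ts:.3f}: {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

On a real router the two inputs would be `tcpdump -ttt -n -i bond2 'tcp[tcpflags] & tcp-rst != 0'` and the same on the internal interface, with the line parser adjusted to tcpdump's actual output format.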
