Re: CLUSTERIP: no conntrack error

On 26/07/10 13:00, Jan Engelhardt wrote:
> On Monday 2010-07-26 12:35, Pablo Neira Ayuso wrote:
>> On 25/07/10 18:34, Jan Engelhardt wrote:
>>> On Wednesday 2010-07-14 00:18, Edison Figueira wrote:
>>>
>>>> I configured CLUSTERIP on two boxes to make a balancing proxy, and
>>>> apparently it all worked, but I get several messages saying "CLUSTERIP:
>>>> no conntrack".
>>>>
>>>> Does anyone know what this message means?
>>>
>>> Means packets are tagged as INVALID.
>>
>> Indeed. You have to add a rule to drop invalid packets before the CLUSTERIP
>> rule to avoid this message.
>
> Hm, couldn't we just drop the message? There are many other components
> in Netfilter that silently bail out when nf_ct_get returns NULL, like
> xt_connlimit.

Yes, it's a good idea for the short run.

In the long run, we should deprecate CLUSTERIP since it has been superseded by the cluster match. However, I wanted to document the new approach before doing so (I found no spare time to do it).

IIRC, the message is only displayed if netfilter debugging is enabled.
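
The ordering suggested in the thread (a drop rule for INVALID packets ahead of the CLUSTERIP rule) can be checked mechanically against an `iptables-save` dump. The script below is an added example, not part of the original message or of netfilter; the function name `check_clusterip_order` and the two sample rulesets (address, MAC, port) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: verify in an iptables-save dump that
# every "-j CLUSTERIP" rule is preceded, in the same table and chain, by a
# rule that drops packets in conntrack state INVALID.
# Limitation: any earlier INVALID drop counts, even one narrowed by extra
# matches (interface, address) that may not cover the CLUSTERIP traffic.
check_clusterip_order() {
    awk '
        /^\*/ { table = substr($0, 2) }          # "*filter" starts a table
        /^-A / {
            key = table SUBSEP $2                # $2 is the chain name
            # Accept the conntrack match or the older state match,
            # but not a negated one.
            if ($0 ~ /(--ctstate|--state) ([A-Z]+,)*INVALID/ &&
                $0 !~ /! (--ctstate|--state)/ && $0 ~ /-j DROP( |$)/)
                guarded[key] = 1
            if ($0 ~ /-j CLUSTERIP( |$)/ && !(key in guarded)) {
                printf "unguarded: %s %s: %s\n", table, $2, $0
                bad = 1
            }
        }
        END { exit bad + 0 }                     # 0 = every rule is guarded
    '
}

# Constructed sample dumps; address, MAC and port are placeholders.
CLUSTER_RULE='-A INPUT -d 192.0.2.10/32 -i eth0 -p tcp -m tcp --dport 3128 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:00:20 --total-nodes 2 --local-node 1 --hash-init 0'
DROP_RULE='-A INPUT -m state --state INVALID -j DROP'

SAMPLE_GUARDED="*filter
:INPUT ACCEPT [0:0]
$DROP_RULE
$CLUSTER_RULE
COMMIT"

SAMPLE_UNGUARDED="*filter
:INPUT ACCEPT [0:0]
$CLUSTER_RULE
$DROP_RULE
COMMIT"

printf '%s\n' "$SAMPLE_GUARDED" | check_clusterip_order && echo "guarded sample: ok"
printf '%s\n' "$SAMPLE_UNGUARDED" | check_clusterip_order || echo "unguarded sample: flagged"
```

On a live host, pipe the real ruleset through the function as root: `iptables-save | check_clusterip_order`.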