2013/2/25 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>:
> On Fri, Feb 22, 2013 at 11:12:55AM +0100, Marco wrote:
> [...]
>> > In your previous config, assuming you use a 3.x kernel, I saw you did
>> > not enable TCPWindowTracking On. That allows the new primary to
>> > recover TCP window tracking from the middle.
>>
>> Unfortunately, the system where this will run has a 2.6.32 kernel, so
>> this is not an option for the moment.
>
> I really recommend you to upgrade to some stable branch of 3.x. Many
> relevant updates and fixes went into the ctnetlink code since that
> version you're using.

Ok, I've finally found some time to set this up. Now I'm using kernel 3.7.10,
keepalived 1.2.2 and conntrack-tools 1.4.0, with "TCPWindowTracking On".
I'm sorry to report that I'm still seeing the original behavior (i.e. the
firewall sends RST to the origin server and the client hangs).

> [...]
>> Well, the docs mention window tracking here and there, but (at least
>> to me) it's not clear what that does, and that it's (or could be) the
>> solution to this problem I'm seeing.
>> Furthermore, I found no documentation or explanation of
>> nf_conntrack_tcp_be_liberal on google, nor is it in the sysctl.txt
>> file that documents the /proc/sys/net entries, nor anywhere else.
>
> http://git.kernel.org/?p=linux/kernel/git/davem/net-next.git;a=blob;f=Documentation/networking/nf_conntrack-sysctl.txt;h=70da5086153dbd24a9c9258e73cc16440d247519;hb=HEAD

Thanks! Hopefully at some point it will be published in some place where
search engines can find it (the obvious place seems to be
https://www.kernel.org/doc/Documentation/networking/, where it still isn't
visible).
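A quick audit of the three things this thread turns on (the conntrackd `TCPWindowTracking On` keyword, the `nf_conntrack_tcp_be_liberal` sysctl, and a 3.x kernel), as an added example that is not part of the message or of conntrack-tools itself. It assumes the keyword lives in the `General` section of conntrackd.conf and that the sysctl is exposed as a /proc file; the sample config it writes is constructed for the demo.

```shell
# Added example, not from the thread: audit the failover-related settings
# discussed above. Assumptions: conntrackd.conf keeps "TCPWindowTracking On"
# in its General section; the kernel exposes the sysctl as a /proc file.

# 0 if the conntrackd config enables TCP window tracking, 1 otherwise.
has_window_tracking() {
    grep -Eiq '^[[:space:]]*TCPWindowTracking[[:space:]]+On' "$1"
}

# 0 if nf_conntrack_tcp_be_liberal reads 1 in the given file, non-zero otherwise.
be_liberal_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# 0 if a kernel version string such as "3.7.10" has major version >= 3.
kernel_is_3x_or_newer() {
    [ "${1%%.*}" -ge 3 ] 2>/dev/null
}

# Runs all three checks, prints one line each, returns the number of failures.
audit_failover_settings() {
    conf="$1"; sysctl_file="$2"; kver="$3"; failures=0
    if has_window_tracking "$conf"; then echo "ok: TCPWindowTracking On in $conf"
    else echo "missing: TCPWindowTracking On in $conf"; failures=$((failures+1)); fi
    if be_liberal_enabled "$sysctl_file"; then echo "ok: nf_conntrack_tcp_be_liberal=1"
    else echo "warn: nf_conntrack_tcp_be_liberal is not 1 (or unreadable)"; failures=$((failures+1)); fi
    if kernel_is_3x_or_newer "$kver"; then echo "ok: kernel $kver"
    else echo "old: kernel $kver (thread recommends a 3.x stable branch)"; failures=$((failures+1)); fi
    return $failures
}

# Constructed sample conntrackd.conf fragment (not a real deployment's file).
write_sample_conf() {
    cat > "$1" <<'EOF'
General {
    HashSize 32768
    TCPWindowTracking On
}
EOF
}

# Stand-alone demo: constructed config, this host's real sysctl and kernel.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/conntrackd.conf"
audit_failover_settings "$demo_dir/conntrackd.conf" \
    /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal "$(uname -r)" || true
rm -rf "$demo_dir"
```

On a host without nf_conntrack loaded the sysctl file is absent and the second check reports a warning; the exit status of `audit_failover_settings` is the count of failed checks.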