Andreas Hofmeister <[email protected]> wrote:
On 17.05.2011 18:19, Herman wrote:
I made a change to IPTables, and did a "service iptables restart", and
next thing I knew, I had a split brain.
I would guess that the RHEL FW setup flushes the connection tracking
tables and has a default drop (or reject) rule.

This would cause DRBD's TCP connections to time out eventually. Also,
neither OCFS nor DLM react kindly when their communication link goes down.

Try to keep the FW setup from unloading the "nf_conntrack" module or
otherwise fiddle with connection tracking. This should prevent any harm
in the FW restart case.

In addition, if you expect any prolonged FW downtime to happen (for
example: FW stop, explain situation to your boss, FW start), you may
also like the usual "stateful accept" rule

   iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

to be present during the FW downtime.
Thanks for the advice, it's too bad that in RHEL 6.0, /etc/init.d/iptables doesn't implement the "reload" command (says "unimplemented"). I'd guess that "reload" (if it was working) ought to do something like what you suggest, as...

Looks like that "restart" argument does a "stop" which does unload all the modules by default. It seems that I can modify the script to set IPTABLES_MODULES_UNLOAD="no", which seems to allow restarting without unloading the modules, which might solve the problem.

Thanks!
Herman
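Added example, not code from either poster: a pre-restart check that ties the two points above together. It assumes a RHEL-style iptables service, where the keep-modules-loaded switch lives in a sourced shell file laid out like /etc/sysconfig/iptables-config and the live ruleset is in iptables-save format; the sample files it writes are constructed for the example.

```shell
#!/bin/sh
# Pre-restart check for a RHEL-style iptables service in front of a DRBD/OCFS2 cluster.
# Sample files below are constructed for this example; the assumed layout mirrors
# /etc/sysconfig/iptables-config (assumption) and iptables-save output.

# 0 when the init script is told to keep nf_conntrack (and the other modules) loaded on stop.
modules_unload_disabled() {
    awk -F= '/^[[:space:]]*IPTABLES_MODULES_UNLOAD=/ { gsub(/[^a-z]/, "", $2); val = $2 }
             END { exit (val == "no") ? 0 : 1 }' "$1"
}

# 0 when INPUT accepts RELATED,ESTABLISHED traffic before anything drops or rejects it
# (rule or chain policy), so tracked DRBD/DLM sessions survive a rule reload.
stateful_accept_before_drop() {
    awk '/^:INPUT (DROP|REJECT)/ { drops = 1 }
         /^-A INPUT / {
             if ($0 ~ /-m (state|conntrack) --(state|ctstate) [A-Z,]*(RELATED|ESTABLISHED)/ &&
                 $0 ~ /-j ACCEPT/) { found = 1; exit }
             if ($0 ~ /-j (DROP|REJECT)/) { drops = 1; exit }
         }
         END { exit (found || !drops) ? 0 : 1 }' "$1"
}

# Combined gate: only proceed with "service iptables restart" when both hold.
restart_is_safe() {
    modules_unload_disabled "$1" && stateful_accept_before_drop "$2"
}

# --- constructed sample inputs (7788 is the usual first DRBD resource port) ---
TMP=$(mktemp -d)
CFG_OK="$TMP/cfg_ok";   printf 'IPTABLES_MODULES_UNLOAD="no"\n' > "$CFG_OK"
CFG_BAD="$TMP/cfg_bad"; printf 'IPTABLES_MODULES_UNLOAD="yes"\n' > "$CFG_BAD"
RULES_OK="$TMP/rules_ok"
cat > "$RULES_OK" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 7788 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
RULES_BAD="$TMP/rules_bad"
cat > "$RULES_BAD" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 7788 -j ACCEPT
COMMIT
EOF

restart_is_safe "$CFG_OK" "$RULES_OK" && echo "safe to restart" || echo "NOT safe: fix config/rules first"
```

Point the two functions at the real config file and at `iptables-save` output to use it on a live node.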
_______________________________________________
drbd-user mailing list
[email protected]
http://lists.linbit.com/mailman/listinfo/drbd-user