Thomas Pedoussaut wrote:
> I came across a very strange problem.
> I'm replying here to have a track in archive in case someone else has the same issue.
> For one of my dozen services (a straight TCP connection), the
> TCP FIN packets that are arriving on the load balancer are never passed
> to the real server.
>
> I activated the logs of iptables and could see the FIN packets being dropped.
> No idea why the FINs are dropped and not the other ones. I obviously have
> the --state ESTABLISHED,RELATED -j ACCEPT in my iptables rules.
>

Basically, all packets (SYN and non-SYN) are allowed by the "--state NEW"
iptables rule but not by the ESTABLISHED,RELATED one, because the director
never sees the replies from the real server and so never creates a conntrack
entry for that connection. When a FIN packet arrives, it is not validated as
--state NEW, because its FIN flag is set, and so that particular packet is
dropped.

> I had a quick look at /proc/net/ip_conntrack before, during and after
> the connection but nothing specific to that connection seems to be
> inserted (the module is loaded and other traffic gets tracked).

So the solution is to change the iptables rule from

  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $VPORT -j ACCEPT

to

  -A RH-Firewall-1-INPUT -m tcp -p tcp --dport $VPORT -j ACCEPT

> Google doesn't really help. Someone had a similar problem last year but
> it was never publicly solved.
> And now I hope this post will get crawled and indexed.

--
Thomas Pedoussaut
http://www.synerginetworking.com/blog/

_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to [EMAIL PROTECTED] or go to http://lists.graemef.net/mailman/listinfo/lvs-users
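Added example, not part of the post above: a small Python model of the conntrack state matching that reproduces the symptom Thomas describes, so the difference between the two rules can be seen without a director. It assumes, as he observed in /proc/net/ip_conntrack, that no conntrack entry for the balanced connection persists on the director (the replies never pass through it), so every packet there is classified as if it were the first packet of its flow; it also assumes the usual conntrack rules that a SYN or a mid-stream ACK may start a flow (ctstate NEW), that a FIN or RST with no tracked flow is INVALID and so matches no --state rule, and that a flow becomes ESTABLISHED only once a reply has been seen. The port number, the packet sequences and the chain layout are constructed sample values; the Rule/Packet classes and the run() function are this example's own, not an iptables or IPVS API.

```python
"""Toy model of iptables '-m state' matching on an LVS director that never
sees the real server's replies.  Added example; see lead-in for assumptions.
The kernel's full TCP state table is not reproduced, only the cases needed
to show why a FIN is rejected by '--state NEW' but accepted without it."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VPORT = 5000  # constructed sample service port (stands in for $VPORT)


@dataclass(frozen=True)
class Packet:
    direction: str       # "orig" = client -> VIP, "reply" = real server -> client
    dport: int
    flags: frozenset     # subset of {"SYN", "ACK", "FIN", "RST"}


@dataclass(frozen=True)
class Rule:
    dport: Optional[int]         # None = no '-p tcp --dport' match
    states: Optional[frozenset]  # None = no '-m state --state' match
    target: str = "ACCEPT"


def classify(pkt: Packet, table: Dict[int, dict], keep_entries: bool) -> str:
    """Return the ctstate this model assigns to pkt, updating the flow table.
    keep_entries=False models the director, where (as observed in the post)
    no entry for the balanced connection ever persists."""
    entry = table.get(pkt.dport)
    if entry is not None:
        if pkt.direction == "reply":
            entry["seen_reply"] = True
        return "ESTABLISHED" if entry["seen_reply"] else "NEW"
    if "FIN" in pkt.flags or "RST" in pkt.flags:
        return "INVALID"  # cannot start a flow, so no --state rule matches it
    if keep_entries:
        table[pkt.dport] = {"seen_reply": pkt.direction == "reply"}
    return "NEW"


def walk_chain(chain: List[Rule], pkt: Packet, state: str) -> str:
    """First matching rule wins; the chain ends in a REJECT like RH-Firewall-1-INPUT."""
    for rule in chain:
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if rule.states is not None and state not in rule.states:
            continue
        return rule.target
    return "REJECT"


def build_chain(with_state_new: bool) -> List[Rule]:
    """The ESTABLISHED,RELATED rule followed by one of the two service rules
    from the post: with '-m state --state NEW' or with a plain --dport match."""
    service = Rule(VPORT, frozenset({"NEW"}) if with_state_new else None)
    return [Rule(None, frozenset({"ESTABLISHED", "RELATED"})), service]


def run(chain: List[Rule], packets: List[Packet], keep_entries: bool) -> List[Tuple[str, str]]:
    """Return (ctstate, verdict) for each packet in order."""
    table: Dict[int, dict] = {}
    verdicts = []
    for pkt in packets:
        state = classify(pkt, table, keep_entries)
        verdicts.append((state, walk_chain(chain, pkt, state)))
    return verdicts


F = frozenset
# Constructed traffic as the director sees it: only the client's direction.
DIRECTOR_VIEW = [
    Packet("orig", VPORT, F({"SYN"})),
    Packet("orig", VPORT, F({"ACK"})),
    Packet("orig", VPORT, F({"ACK"})),         # data segment
    Packet("orig", VPORT, F({"FIN", "ACK"})),  # client closes
]
# The same connection on a host that sees both directions (the real server).
FULL_VIEW = [
    Packet("orig", VPORT, F({"SYN"})),
    Packet("reply", VPORT, F({"SYN", "ACK"})),
    Packet("orig", VPORT, F({"ACK"})),
    Packet("orig", VPORT, F({"FIN", "ACK"})),
]


def director_with_state_new() -> List[Tuple[str, str]]:
    return run(build_chain(True), DIRECTOR_VIEW, keep_entries=False)


def director_without_state_new() -> List[Tuple[str, str]]:
    return run(build_chain(False), DIRECTOR_VIEW, keep_entries=False)


def full_view_with_state_new() -> List[Tuple[str, str]]:
    return run(build_chain(True), FULL_VIEW, keep_entries=True)


if __name__ == "__main__":
    print("director, --state NEW      :", director_with_state_new())
    print("director, no --state match :", director_without_state_new())
    print("both directions seen       :", full_view_with_state_new())
```

Running it shows the three cases side by side: on the director the SYN and the ACKs are NEW and pass the original rule, the FIN is INVALID and falls through to the REJECT; with the --state match removed the same FIN is accepted by the --dport rule alone; and on a host that sees the reply direction the whole connection is ESTABLISHED after the SYN/ACK, which is why the original rule looks fine everywhere except on the director.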