From: Pablo Neira <pablo@eurodev.net>
To: Pierre Westeel <pierre.westeel@gmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Netfilter cluster / Invalid state problem
Date: Fri, 12 Aug 2005 03:43:49 +0200
Message-ID: <42FBFED5.9060501@eurodev.net>
In-Reply-To: <da73b3d905081110475176121@mail.gmail.com>
Pierre Westeel wrote:
> I have a Linux netfilter cluster with keepalived to perform high availability.
> The master runs a 2.6.12 kernel and the Backup runs a 2.4.26 kernel
> (both from kernel.org without patches).
>
> When I swap all the connections onto the backup firewall by stopping the
> keepalived daemon on the master, the connections are correctly forwarded
> through the backup and I can see the new entry in
> /proc/net/ip_conntrack
> (This is a VNC stream, the connection is never idle so the sequence
> number is increasing quickly.)
>
> BUT when I restart the keepalived daemon to make the connection go back
> through the master firewall 30 seconds after the first swap, I get the
> following logs:
>
> INVALID state -- DENY IN=eth0.730 OUT=eth0.732 SRC=172.18.130.194
> DST=10.24.247.253 LEN=46 TOS=0x00 PREC=0x00 TTL=126 ID=46274 DF
> PROTO=TCP SPT=1522 DPT=5901 WINDOW=17520 RES=0x00 ACK PSH URGP=
Try this:
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
on the linux-2.6 box. Note that later linux-2.6 kernels include TCP
tracking active by default. Setting ip_conntrack_tcp_be_liberal to 1
relaxes the in-window checks. As you can figure out, if linux-2.6
takes over, it won't know anything about the currently active connections,
so it will consider them invalid.
--
Pablo
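The model below is an added example, not part of the thread and not Netfilter's code: a deliberately simplified re-implementation of the per-direction window bookkeeping that conntrack's TCP tracking does, with every sequence number, window size and segment constructed for the demonstration. It shows why a box that only sees a connection from the moment it takes over starts logging INVALID, and what ip_conntrack_tcp_be_liberal changes. The tracker that saw the handshake knows both peers' edges; the one that picks the stream up mid-flight has to guess from the first packet that the peer has sent exactly up to the ack number, so the server data that was still in flight during the switchover lands outside the inferred window and, once one segment is rejected, the state never catches up.

```python
"""
Simplified model of Netfilter's TCP window tracking.  Illustrative only:
this is not the kernel's tcp_in_window(), and all sequence numbers, window
sizes and segments below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Dir:
    td_end: int     # highest sequence number (seq + len) sent in this direction
    td_maxwin: int  # largest receive window this side has advertised
    td_maxend: int  # highest seq the peer's last ack + window lets this side send


# (direction, seq, payload_len, ack, win, syn); direction 0 = client->server
Segment = Tuple[int, int, int, int, int, bool]


class TcpTracker:
    def __init__(self, be_liberal: bool = False):
        self.be_liberal = be_liberal
        self.dirs: List[Optional[Dir]] = [None, None]

    def packet(self, direction: int, seq: int, length: int, ack: int,
               win: int, syn: bool = False) -> str:
        """Return 'NEW', 'OK' or 'INVALID' for one segment, updating state."""
        sender = self.dirs[direction]
        receiver = self.dirs[1 - direction]
        end = seq + length
        win = max(win, 1)

        if sender is None:
            # First segment seen in this direction.  From a SYN the tracker
            # learns a real starting point; from a mid-stream pick-up it can
            # only take this side's window from the packet and guess that the
            # peer has sent exactly up to the ack number.
            sender = self.dirs[direction] = Dir(end, win, end + win)
            if receiver is None:
                if not syn:
                    self.dirs[1 - direction] = Dir(ack, 0, ack)
            else:
                receiver.td_maxend = max(receiver.td_maxend, ack + win)
            return "NEW"

        if receiver is None:  # retransmitted SYN before any reply was seen
            receiver = self.dirs[1 - direction] = Dir(ack, 0, ack)

        in_window = (
            seq <= sender.td_maxend                          # not past what the peer allowed
            and end >= sender.td_end - receiver.td_maxwin    # not an ancient retransmit
            and ack <= receiver.td_end                       # does not ack data never seen
            and ack >= receiver.td_end - sender.td_maxwin    # ack is not ancient either
        )
        if not in_window and not self.be_liberal:
            return "INVALID"          # strict mode: drop and leave state untouched
        # be_liberal=1: the window check is ignored and the state is
        # re-synchronised from whatever the packet says.
        sender.td_end = max(sender.td_end, end)
        sender.td_maxwin = max(sender.td_maxwin, win)
        receiver.td_maxend = max(receiver.td_maxend, ack + win)
        return "OK"


def run(tracker: TcpTracker, segments: List[Segment]) -> List[str]:
    return [tracker.packet(*s) for s in segments]


C, S = 0, 1
# Constructed VNC-like stream: client ISN 1000, server ISN 9000.  The server
# streams framebuffer data and the client only acks; the two server segments
# 11921..14841 are still unacknowledged when the firewalls swap roles.
BEFORE_TAKEOVER: List[Segment] = [
    (C, 1000, 1, 0, 17520, True),        # SYN (the flag occupies one sequence number)
    (S, 9000, 1, 1001, 5840, True),      # SYN/ACK
    (C, 1001, 0, 9001, 17520, False),    # ACK, handshake complete
    (S, 9001, 1460, 1001, 5840, False),
    (S, 10461, 1460, 1001, 5840, False),
    (C, 1001, 0, 11921, 17520, False),
    (S, 11921, 1460, 1001, 5840, False),
    (S, 13381, 1460, 1001, 5840, False),
]
AFTER_TAKEOVER: List[Segment] = [
    (C, 1001, 0, 13381, 17520, False),   # first packet the new master sees
    (S, 14841, 1460, 1001, 5840, False), # server continues past the guessed edge
    (C, 1001, 0, 16301, 17520, False),   # client acks data the tracker rejected
]


def demo() -> dict:
    warm = TcpTracker()
    run(warm, BEFORE_TAKEOVER)           # this box saw the connection from its SYN
    return {
        "saw_whole_connection": run(warm, AFTER_TAKEOVER),
        "took_over_strict": run(TcpTracker(be_liberal=False), AFTER_TAKEOVER),
        "took_over_be_liberal": run(TcpTracker(be_liberal=True), AFTER_TAKEOVER),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:22s} {verdicts}")
```

Two caveats for anyone applying the sysctl today: in kernels that moved to the generic nf_conntrack code the knob lives at /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal, and turning it on means out-of-window segments are no longer dropped at all, so the tracker stops protecting the ruleset from blindly injected in-state packets. It is a workaround for a takeover that loses state, not a hardening measure.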
2005-08-11 17:47 Netfilter cluster / Invalid state problem Pierre Westeel
2005-08-12 1:43 ` Pablo Neira [this message]