Linux Netfilter discussions
From: Vladislav Kurz <vladislav.kurz@webstep.net>
To: Dimitri GOURDON <dgourdon@itool.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Iptables find invalid packets
Date: Mon, 21 Jul 2008 16:49:19 +0200
Message-ID: <200807211649.20343.vladislav.kurz@webstep.net>
In-Reply-To: <48849F8F.70103@itool.com>

On Monday 21 of July 2008, you wrote:
> Vladislav Kurz wrote:
> > On Monday 21 of July 2008, Dimitri GOURDON wrote:
> >> Hi all,
> >>
> >> I've set up LVS on a box using Keepalived (and Iptables) to load balance
> >> traffic between 2 web servers. I have a problem:
> >>
> >> A lot of TCP packets with FIN or RST flags (all I think) from clients
> >> are dropped by Iptables as state INVALID. The consequence is that I have
> >> a lot of connections in FIN_WAIT state (shown by netstat) on the 2 web
> >> servers...
> >
> > I have a similar problem, and asked about it here. I was told to try a newer
> > kernel (I run Debian stable - 2.6.18). However, I didn't upgrade yet, but
> > if you run the same kernel as I do and an upgrade would help you, I'd like to
> > hear about that.
>
> I run the 2.6.18-4-bigmem kernel. I've spent just a little time testing a more
> recent one, but I stopped because I encountered problems with some iptables
> rules...

A temporary workaround is to only LOG invalid packets instead of DROPping them.
The system then becomes quite usable. Anyway, try a newer kernel if you can.
Or describe in more detail what problems you had with which rules.


-- 
regards
        Vladislav Kurz
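
Added example, not part of the original message: once INVALID packets are logged rather than dropped, a short script can tally them by TCP flags to check whether FIN and RST segments dominate, as described in the thread. The log prefix, chain, hostname, addresses and sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed syslog lines in the format the iptables LOG target writes.
# Assumed rule (chain and prefix are illustrative, not from the thread):
#   iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID: "
SAMPLE_LOG = """\
Jul 21 16:40:01 lvs1 kernel: INVALID: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40112 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Jul 21 16:40:02 lvs1 kernel: INVALID: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.8 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=4211 DF PROTO=TCP SPT=51820 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
Jul 21 16:40:03 lvs1 kernel: INVALID: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=977 DF PROTO=TCP SPT=33804 DPT=443 WINDOW=229 RES=0x00 ACK FIN URGP=0
Jul 21 16:40:04 lvs1 kernel: INVALID: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=1203 DF PROTO=TCP SPT=60211 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
Jul 21 16:40:09 lvs1 kernel: eth0: link up
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

def parse_line(line, prefix="INVALID: "):
    """Return a dict for one LOG-target line, or None if the prefix is absent."""
    _, sep, body = line.partition(prefix)
    if not sep:
        return None
    rec = dict(FIELD.findall(body))
    # TCP flags are bare tokens printed between RES= and URGP=
    m = re.search(r"RES=\S+ (.*?)\s*URGP=", body)
    tokens = m.group(1).split() if m else []
    rec["FLAGS"] = tuple(f for f in TCP_FLAGS if f in tokens)
    return rec

def summarize(log_text):
    """Count logged INVALID TCP packets by flag combination and by destination port."""
    by_flags, by_dport = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        by_flags["+".join(rec["FLAGS"]) or "none"] += 1
        by_dport[int(rec["DPT"])] += 1
    return by_flags, by_dport

def teardown_share(by_flags):
    """Fraction of logged packets carrying FIN or RST (the symptom in the thread)."""
    total = sum(by_flags.values())
    hits = sum(n for k, n in by_flags.items() if {"FIN", "RST"} & set(k.split("+")))
    return hits / total if total else 0.0

if __name__ == "__main__":
    flags, ports = summarize(SAMPLE_LOG)
    print(dict(flags), dict(ports), teardown_share(flags))
```

On current kernels the same match is usually written as `-m conntrack --ctstate INVALID`, and a `-m limit` match on the LOG rule keeps the log volume bounded.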
