[netfilter-cvslog] r4083 - branches/netfilter-ha/linux-2.6

laforge at netfilter.org
Wed Jun 29 14:02:30 CEST 2005


Author: laforge at netfilter.org
Date: 2005-06-29 14:02:29 +0200 (Wed, 29 Jun 2005)
New Revision: 4083

Modified:
   branches/netfilter-ha/linux-2.6/README
Log:
add note about TCP window tracking and update recent changes with regard
to connmark


Modified: branches/netfilter-ha/linux-2.6/README
===================================================================
--- branches/netfilter-ha/linux-2.6/README	2005-06-29 11:49:25 UTC (rev 4082)
+++ branches/netfilter-ha/linux-2.6/README	2005-06-29 12:02:29 UTC (rev 4083)
@@ -181,15 +181,15 @@
 This is usually the suggested mode of operation.
 
 
-4. Marking traffic to be replicated
+4. OPTIONAL: Marking traffic to be replicated
 -----------------------------------
 
-If CONNMARK support is enabled in the kernel config then ct_sync does not
-replicate all conntrack entries, only those which have a special bit set
-in their connection mark field. For example: you usually don't need your
-administrative SSH connections to be replicated. You must use the CONNMARK
-target to mark important connections. For example, this command restores
-the old way of operation, and marks every connection:
+Optionally, if CONFIG_IP_NF_CONNTRACK_SYNC_MARKED is enabled in the kernel
+config then ct_sync does not replicate all conntrack entries, only those which
+have a special bit set in their connection mark field.  For example: you
+usually don't need your administrative SSH connections to be replicated. You
+must use the CONNMARK target to mark important connections. For example, this
+command restores the old way of operation, and marks every connection:
 
 # iptables -t mangle -A PREROUTING -m state --state NEW \
 > -j CONNMARK --set-mark 0x40000000/0x40000000
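Review bot: the dashed underline under the renamed heading is now too short: "4. OPTIONAL: Marking traffic to be replicated" is 45 characters but the unchanged underline is 35 dashes, so extend it to match. The body also opens with "Optionally, if CONFIG_IP_NF_CONNTRACK_SYNC_MARKED is enabled", which repeats the OPTIONAL in the heading; "If CONFIG_IP_NF_CONNTRACK_SYNC_MARKED is enabled in the kernel config, ct_sync does not replicate ..." reads cleaner, and there is a stray double space after "mark field.". Since the paragraph says only "a special bit" while the example uses 0x40000000/0x40000000, state that 0x40000000 is that bit so an administrator who marks a narrower set of connections (e.g. everything except SSH) knows which bit the mask must set.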
@@ -229,7 +229,21 @@
 The `syncdev' parameter is mandatory, ct_sync won't load unless you
 specify it. All the others are completely optional.
 
+5a. Prevent interaction between TCP window tracking and ct_sync
+---------------------------------------------------------------
 
+Since with tcp window tracking, every packet updates the receive window
+of a TCP connection, it is not feasible to replicate all the window tracking
+information in an efficient way.
+
+Therefore, you currently need to do 
+
+# echo "1" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
+
+on the slave nodes in order to disable window tracking.  You can do this at
+bootup time, or in a script _before_ the slave transitions into active (master)
+state.
+
 6. Initiating state transitions using the /proc interface
 ---------------------------------------------------------
 
