Hello,
Jan Engelhardt a écrit :
I am running iptables and lvs on two boxes loadbalancing http[s] and ssh
traffic to two real servers.
Everything is working just fine from the users point of view. However,
I keep seeing a lot of dropped packets of type ack/fin and ack/rst in
my iptables log. Seems like the connection tracking isn't working the
way I expect it to.
RST-ACK is received as a response to SYN to a closed port, and hence, is
not part of a connection.
At Netfilter connection tracking level, ACK/RST in response to SYN is
part of a connection and is supposed to be in the ESTABLISHED state,
even though at TCP level the connection is not established.
|