Hi

On Tue, 2013-02-05 at 20:45 +0400, Dmitry Akindinov wrote:
> We have met a quite troublesome situation which causes an internal SYN
> storm.

I documented this some time ago on this list, but will offer the solution that I came up with at the time - which coincidentally I gave to you as a possible solution to a separate problem you were having last year :)

As you say, in a system where there is a multi-director setup (with or without connection table synchronisation) it is possible for a packet to hit one director and then "ping-pong" between two (or more) directors, causing a network storm.

My solution to this was to use the iptables MARK module to apply an fwmark value to incoming traffic on the directors which is NOT from the MAC address of the other director(s) in the system, and then set up the LVS using the ipvsadm -f parameter to match those packets. This way the incoming packets from the upstream router are marked, but those being sent from the other director are not. In turn, those from the upstream router are then handled using LVS; those from the other director are not.

It may not be terribly elegant, and it may not scale easily across more than three directors - but it does work.

http://archive.linuxvirtualserver.org/html/lvs-users/2012-08/msg00014.html

Graeme

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-requ...@linuxvirtualserver.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
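The MAC-filtered fwmark setup described above, written out as an added example (this is not Graeme's own ruleset and not part of the original post). It assumes a single VIP on eth0, one peer director MAC, direct-routing (-g) real servers and fwmark 1; all of those values are hypothetical and are passed in as parameters so the generated rules can be reviewed before anything touches the kernel. The packets from the peer director's MAC are let out of the mangle PREROUTING chain before the MARK rule, so they never carry the mark and therefore never match the fwmark-based LVS service; everything else arriving for the VIP is marked and load balanced.

```shell
#!/bin/sh
# Added example: anti-ping-pong fwmark rules for a multi-director LVS setup.
# All addresses, MACs and the interface below are assumed/hypothetical values.

VIP="${VIP:-192.0.2.10}"                     # assumed virtual IP
VPORT="${VPORT:-80}"                         # assumed service port
IFACE="${IFACE:-eth0}"                       # assumed inbound interface
PEER_MACS="${PEER_MACS:-02:00:00:00:00:02}"  # other director(s), space-separated
FWMARK="${FWMARK:-1}"                        # fwmark used for the LVS service
REAL_SERVERS="${REAL_SERVERS:-192.0.2.21 192.0.2.22}"  # assumed real servers

# gen_rules VIP PORT IFACE MARK "PEER_MACS" "REAL_SERVERS"
# Emits the iptables/ipvsadm commands on stdout instead of running them,
# so the ruleset can be inspected (or diffed against the peer's) first.
gen_rules() {
  vip=$1; port=$2; iface=$3; mark=$4; peers=$5; rs=$6

  # 1. Traffic that came from a peer director: stop mangle processing for it
  #    before the MARK rule, so it is never marked and LVS ignores it.
  #    The mac match only works on Ethernet and only in PREROUTING/INPUT/FORWARD.
  for mac in $peers; do
    printf 'iptables -t mangle -A PREROUTING -i %s -m mac --mac-source %s -d %s -p tcp --dport %s -j ACCEPT\n' \
      "$iface" "$mac" "$vip" "$port"
  done

  # 2. Everything else destined for the VIP (i.e. from the upstream router)
  #    gets the fwmark.
  printf 'iptables -t mangle -A PREROUTING -i %s -d %s -p tcp --dport %s -j MARK --set-mark %s\n' \
    "$iface" "$vip" "$port" "$mark"

  # 3. The LVS service keys on the fwmark (ipvsadm -f) rather than on VIP:port,
  #    so only marked packets are balanced.  Direct routing (-g) is an assumption.
  printf 'ipvsadm -A -f %s -s rr\n' "$mark"
  for r in $rs; do
    printf 'ipvsadm -a -f %s -r %s:%s -g\n' "$mark" "$r" "$port"
  done
}

# Number of rules emitted (peer skips + MARK + ipvsadm -A + one per real server),
# handy as a sanity check before applying.
count_rules() {
  gen_rules "$@" | grep -c .
}

# Print by default; only run the commands when explicitly asked (needs root).
if [ "${APPLY:-0}" = 1 ]; then
  gen_rules "$VIP" "$VPORT" "$IFACE" "$FWMARK" "$PEER_MACS" "$REAL_SERVERS" | sh -e
else
  gen_rules "$VIP" "$VPORT" "$IFACE" "$FWMARK" "$PEER_MACS" "$REAL_SERVERS"
fi
```

Run it as-is to see the rules, or `APPLY=1 sh lvs-fwmark.sh` on each director with PEER_MACS set to the other directors' MACs; the same script run on every director with the appropriate peer list gives each one a symmetric "mark unless it came from a sibling" policy. Rule order matters: the mac-match ACCEPT rules must precede the MARK rule in mangle PREROUTING, which is why the script always emits them first.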