[DRBD-user] Conflict between drbd and iptables

CHARTON Yannick yannick.charton at utt.fr
Wed Aug 2 10:26:35 CEST 2006



Hi,

I'm using drbd 0.7.17 to synchronise two nodes (running on Red Hat
Enterprise Linux 4) with a dedicated gigabyte link between the two
nodes.
All drbd.conf parameters are set to very common values.

My problem seems to be a conflict between drbd and the iptables firewall:

My iptables configuration on the two nodes includes the line:
-A RH-Firewall-1-INPUT -s NODE_IP_ADDRESS -p tcp --dport 7789 -j ACCEPT

When I start the two nodes, there is no problem. However, when I
restart the firewall on the secondary node, I receive a flow of
messages:
kernel: drbd0: [kjournald/2927] sock_sendmsg time expired, ko = 4294967295
kernel: drbd0: [kjournald/2927] sock_sendmsg time expired, ko = 4294967294
...
And the web services (apache) are unavailable.

I tested without iptables, then with iptables on the primary node (and
tried to start and restart the iptables service). No problem. But when I
tried to start iptables on the second node, I received the message flow
on the first node (and nothing in the log of the second node). I have
to stop the drbd service on the secondary, then restart the service,
and all the systems function right again.

I will try to reproduce the problem with a test architecture (I don't
have full-time access to the servers, and I preferred to stop the iptables
service while I work on a solution). Unfortunately, I have no logs
about packets which are dropped by iptables, but I will add them on my
test architecture.

However, if you have an idea, if you have already met this problem, or
simply if you can help me, your help will be very precious!

Thank you very much!

Yannick CHARTON




