You can reload firewall rules in iptables without doing a restart. Set up your rules in iptables-restore format, and then just cat <ruleset_filename> | iptables-restore. Sprinkle commit statements throughout the source deck and things should stay up quite well. For my firewall, I put a commit after each filter.

I'll be happy to share the entire deck with you, but not on the list!

Dan

Excerpt here:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
...
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport domain -d 69.172.20.226 -j DNAT --to-destination ...
-A POSTROUTING -o eth0 -j SNAT --to-source 69.172.20.234
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# .192 and up on Cable
#-A PREROUTING -s 172.30.0.203/32 -p tcp -m tcp -m multiport --dports ssh -j RETURN
-A PREROUTING -s 172.30.0.192/28 -j MARK --set-mark 0x1e
...
COMMIT

-----Original Message-----
From: drbd-user-bounces at lists.linbit.com [mailto:drbd-user-bounces at lists.linbit.com] On Behalf Of Herman
Sent: Wednesday, June 08, 2011 2:56 PM
To: drbd-user
Subject: Re: [DRBD-user] Restarting IPtables caused split-brain and OCFS2 corruption? <SOLVED, mostly>

Sorry, meant to reply to this earlier.

Thanks to Bart for the OCFS2 timeout settings. They were set to 2000ms; however, raising them to 10000ms didn't seem to make any difference for IPTables, but I think I may raise them in production anyway. Does anyone know if there are any problems with raising this?

From Andreas' suggestion about unloading modules, I found the problem with RHEL6's iptables init.d script. It seems that by default, it unloads *all* modules when doing a restart. Thanks Andreas!

There's a line that sets a variable in /etc/init.d/iptables which controls this:

IPTABLES_MODULES_UNLOAD="yes"

After changing this to "no", it doesn't have any problems with split-brain anymore.

Still no luck on the OCFS2 corruption, but I guess I probably should ask the OCFS2 mailing list about that one.

Thanks!
Herman

On Tue, 2011-05-17 at 22:47 +0100, bart at timedout.org wrote:
> Herman wrote:
> > I made a change to IPTables, and did a "service iptables restart",
> > and next thing I knew, I had a split brain.
>
> Are you sure it was a split-brain on DRBD level, or perhaps OCFS2
> "freaked" out and nodes started fencing each other?
>
> Default OCFS2 cluster rules have quite low timeout levels -- I used to
> have some problems with default settings even in active/standby mode.
>
> 'service o2cb status' should be able to tell you timeouts etc. If
> it's going to be 2000ms, I would raise it to something around 10000ms
> and try reloading the firewall then.
>
> I have DRBD running on a few nodes and reloading the firewall, although I am
> using filtergen -- so 'fgadm reload' -- never caused any issues with
> either DRBD or OCFS2.
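
The reload-without-restart approach discussed in this thread, as an added example that is not code from any of the posters: it checks that every table in an iptables-restore ruleset ends with COMMIT, test-parses the file with `iptables-restore --test`, loads it, and separately reports whether a given init script or config file sets IPTABLES_MODULES_UNLOAD to "no". The function names are hypothetical, the file paths are supplied by the caller, and the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread; function names are hypothetical.

# check_commits FILE: report each "*table" section of an iptables-restore
# ruleset as committed or uncommitted; non-zero status if any lacks COMMIT.
check_commits() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        /^\*/ { if (tbl != "") { print "uncommitted " tbl; bad = 1 }
                tbl = substr($1, 2); next }
        $1 == "COMMIT" {
            if (tbl == "") { bad = 1 } else { print "committed " tbl }
            tbl = ""; next }
        END { if (tbl != "") { print "uncommitted " tbl; bad = 1 }
              exit bad + 0 }
    ' "$1"
}

# modules_kept_on_restart FILE: succeeds only if FILE explicitly sets
# IPTABLES_MODULES_UNLOAD to "no" (the last assignment wins).
modules_kept_on_restart() {
    val=$(sed -n 's/^[[:space:]]*IPTABLES_MODULES_UNLOAD=//p' "$1" |
          tail -n 1 | tr -d "\"'")
    [ "$val" = "no" ]
}

# safe_reload FILE: refuse a ruleset with an uncommitted table, test-parse it,
# then load it without going through the init script (needs root).
safe_reload() {
    check_commits "$1" >/dev/null || { echo "uncommitted table in $1" >&2; return 1; }
    iptables-restore --test < "$1" || return 1   # parse only, nothing applied
    iptables-restore < "$1"
}

# Constructed sample: the nat table is missing its COMMIT.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
EOF
check_commits "$sample" || echo "fix the ruleset before reloading" >&2
rm -f "$sample"
```

Only safe_reload touches the live firewall; the two checks can be run against a copy of the ruleset and of the init script before a change window.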