[DRBD-user] Restarting IPtables caused split-brain and, OCFS2 corruption?

Herman Lau hlau at delivery.com
Fri May 20 21:46:20 CEST 2011


Andreas Hofmeister <andi at collax.com> wrote:
> On 17.05.2011 18:19, Herman wrote:
>> I made a change to IPTables, and did a "service iptables restart", and
>> next thing I knew, I had a split brain.
> I would guess that the RHEL FW setup flushes the connection tracking
> tables and has a default drop (or reject) rule.
>
>    This would cause DRBD's TCP connections to time out eventually. Also,
> neither OCFS nor DLM react kindly when their communication link goes down.
>
> Try to keep the FW setup from unloading the "nf_conntrack" module or
> otherwise fiddle with connection tracking. This should prevent any harm
> in the FW restart case.
>
> In addition, if you expect any prolonged FW downtime to happen (for
> example: FW stop, explain situation to your boss, FW start), you may
> also like the usual "stateful accept" rule
>
>    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> to be present during the FW downtime.
Thanks for the advice, it's too bad that in RHEL 6.0, 
/etc/init.d/iptables doesn't implement the "reload" command (says 
"unimplemented").  I'd guess that "reload" (if it was working) ought to 
do something like what you suggest, as...

Looks like that "restart" argument does a "stop" which does unload all 
the modules by default.  It seems that I can modify the script to set 
IPTABLES_MODULES_UNLOAD="no", which seems to allow restarting without 
unloading the modules, which might solve the problem.

Thanks!
Herman
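As an added example, not part of the original thread: a small POSIX shell script that checks a RHEL-style `/etc/sysconfig/iptables-config` for the `IPTABLES_MODULES_UNLOAD` setting Herman mentions (so `service iptables restart` does not unload `nf_conntrack`), and prints the stateful-accept rule from Andreas' reply together with explicit per-peer rules for the replication ports. The config files are constructed inline so the script runs offline; the port numbers 7789 (DRBD) and 7777 (OCFS2 o2cb) are assumed defaults and must be matched to the actual resource configuration.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect a RHEL-style
# /etc/sysconfig/iptables-config and report whether "service iptables
# restart" will unload the netfilter modules (and with them nf_conntrack).
# Assumption: the file uses KEY="value" lines and the key name is
# IPTABLES_MODULES_UNLOAD, whose default on RHEL 6 is "yes".

# Constructed sample configs, written to temp files so the example runs offline.
UNSAFE_CFG=$(mktemp)
SAFE_CFG=$(mktemp)
trap 'rm -f "$UNSAFE_CFG" "$SAFE_CFG"' EXIT
cat > "$UNSAFE_CFG" <<'EOF'
# Unload modules on restart and stop
#   Value: yes|no,  default: yes
IPTABLES_MODULES_UNLOAD="yes"
EOF
cat > "$SAFE_CFG" <<'EOF'
IPTABLES_MODULES_UNLOAD="no"
EOF

# modules_unload_setting FILE -> prints the effective value ("yes" if absent)
modules_unload_setting() {
    val=$(grep '^[[:space:]]*IPTABLES_MODULES_UNLOAD=' "$1" \
          | tail -n 1 | cut -d= -f2- | sed 's/[[:space:]]*#.*$//' \
          | tr -d '"' | tr -d "'")
    printf '%s\n' "${val:-yes}"
}

# restart_keeps_conntrack FILE -> exit 0 if a restart leaves nf_conntrack loaded
restart_keeps_conntrack() {
    [ "$(modules_unload_setting "$1")" = "no" ]
}

# stateful_rules PEER_IP [DRBD_PORT] [O2CB_PORT] -> prints iptables commands.
# Port defaults are assumptions (7789 is the usual DRBD replication port,
# 7777 the OCFS2 o2cb default); adjust them to the resource configuration.
stateful_rules() {
    peer=$1
    drbd_port=${2:-7789}
    o2cb_port=${3:-7777}
    # Stateful accept first, as suggested in the thread, so established
    # DRBD and DLM sessions keep flowing while the rest of the rules change.
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Explicit per-peer rules so the replication and cluster links can be
    # re-established even if connection-tracking state has been lost.
    echo "iptables -A INPUT -s $peer -p tcp --dport $drbd_port -j ACCEPT"
    echo "iptables -A INPUT -s $peer -p tcp --dport $o2cb_port -j ACCEPT"
}

# Stand-alone demo over the two constructed configs.
for cfg in "$UNSAFE_CFG" "$SAFE_CFG"; do
    if restart_keeps_conntrack "$cfg"; then
        echo "$cfg: restart keeps nf_conntrack loaded"
    else
        echo "$cfg: WARNING restart unloads modules" \
             "(IPTABLES_MODULES_UNLOAD=$(modules_unload_setting "$cfg"))"
    fi
done
stateful_rules 10.0.0.2
```

Run it against the real file with `restart_keeps_conntrack /etc/sysconfig/iptables-config` on each node; the rule list is printed rather than applied so it can be reviewed before being added to the saved rule set.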
