[mb-bugs] [jira] Created: (MBH-403) Don't track internal connections
Ulrich Klauer (JIRA)
2015-03-23 17:11:58 UTC
Don't track internal connections
--------------------------------

Key: MBH-403
URL: http://tickets.musicbrainz.org/browse/MBH-403
Project: MusicBrainz Hosting
Issue Type: Improvement
Components: Load balancing / Proxy
Reporter: Ulrich Klauer


Recently, the connection-tracking table capacity on the loadbalancer/router was exceeded, leading to connections being dropped. This caused all kinds of mysterious problems in various parts of MB, e.g. via internal DNS queries failing. It was resolved by increasing {{conntrack_max}} to some higher arbitrary value. If/when the load reaches that higher limit, the problem will resurface.

As internal connections (from something inside MB to something inside MB, using local IPs) don't need NATting or firewalling, it would make sense to exclude those connections from tracking. This would mean that they don't count towards the maximum number of connections, but more importantly that if the tracking table gets filled up again and connections are being dropped, those internal connections won't be affected.

To this end, all that is needed should be an entry like this:
{code}
iptables -t raw -I PREROUTING -s 10.10.0.0/16 -d 10.10.0.0/16 -j NOTRACK
iptables -t raw -I OUTPUT -s 10.10.0.0/16 -d 10.10.0.0/16 -j NOTRACK
{code}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tickets.musicbrainz.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
Ulrich Klauer (JIRA)
2015-03-23 20:21:56 UTC
[ http://tickets.musicbrainz.org/browse/MBH-403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=35994#action_35994 ]

Ulrich Klauer commented on MBH-403:
-----------------------------------

Ian mentioned that connections from rika are firewalled somewhat, so it may be necessary to exclude rika from the exclusion (i.e. still track those connections).
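The following script is an added example, not part of the ticket or of the MusicBrainz hosting setup. It puts the two points of this thread together: the raw-table NOTRACK rules from the description, plus the comment's requirement that a still-firewalled host (rika) keeps being tracked. It also reads the kernel's conntrack counters and counts the "table full, dropping packet" kernel message, which is how the overflow described in the ticket shows up before anyone notices failing DNS. The 10.10.0.0/16 range is the one given in the ticket; the host address 10.10.0.99, the counter values and the log lines are constructed placeholders, since rika's address is not on the page. The rules are generated with -A rather than the ticket's -I so that the order (host exceptions first, blanket NOTRACK last) is explicit; ACCEPT in the raw table only ends raw-table processing, the packet still enters conntrack. Keeping rika tracked matters because untracked packets get state UNTRACKED and no longer match stateful ESTABLISHED/RELATED rules in the filter table.

```shell
#!/bin/sh
# Added example, not from the MBH-403 ticket: build the raw-table NOTRACK rules
# from the ticket, keep conntrack for hosts that are still firewalled (the
# "rika" case from the comment; its address is a constructed placeholder), and
# read the kernel counters to see how close the table is to overflowing.

INTERNAL_NET="10.10.0.0/16"   # range named in the ticket
TRACKED_HOST="10.10.0.99"     # placeholder: host whose traffic must stay tracked

# Print iptables commands for one internal range; every further argument is a
# host whose traffic must keep being tracked. Rules are appended in order, so
# the per-host ACCEPTs sit above the blanket NOTRACK (ACCEPT in the raw table
# only ends raw processing; the packet still reaches conntrack). Both
# directions are covered for host and range alike, because conntrack must see
# (or skip) the whole flow, and both PREROUTING (arriving/forwarded traffic)
# and OUTPUT (locally generated traffic) are hooked.
gen_notrack_rules() {
  net="$1"; shift
  for chain in PREROUTING OUTPUT; do
    for host in "$@"; do
      echo "iptables -t raw -A $chain -s $host -d $net -j ACCEPT"
      echo "iptables -t raw -A $chain -s $net -d $host -j ACCEPT"
    done
    echo "iptables -t raw -A $chain -s $net -d $net -j NOTRACK"
  done
}

# Percentage of the conntrack table in use, read from the sysctl files
# (default /proc/sys/net/netfilter; a directory argument allows offline use).
conntrack_usage() {
  sysdir="${1:-/proc/sys/net/netfilter}"
  count=$(cat "$sysdir/nf_conntrack_count")
  max=$(cat "$sysdir/nf_conntrack_max")
  echo $((count * 100 / max))
}

# Count the kernel message emitted when the table is full and packets are
# dropped; grep -c exits 1 on zero matches, hence the || true.
count_conntrack_drops() {
  grep -c 'nf_conntrack: table full, dropping packet' "$1" || true
}

# Constructed counter files standing in for /proc/sys/net/netfilter.
write_sample_counters() {
  echo "$2" > "$1/nf_conntrack_count"
  echo "$3" > "$1/nf_conntrack_max"
}

# Constructed kernel log excerpt (timestamps, hostnames and PIDs are made up).
write_sample_kernel_log() {
  cat > "$1" <<'EOF'
Mar 23 16:50:01 lb kernel: nf_conntrack: table full, dropping packet
Mar 23 16:50:01 lb kernel: nf_conntrack: table full, dropping packet
Mar 23 16:50:02 lb sshd[4242]: Accepted publickey for ops from 10.10.2.7
EOF
}

# Stand-alone demo on constructed inputs; needs neither root nor iptables.
demo_dir=$(mktemp -d)
write_sample_counters "$demo_dir" 52000 65536
write_sample_kernel_log "$demo_dir/kern.log"
echo "# conntrack table $(conntrack_usage "$demo_dir")% full," \
     "$(count_conntrack_drops "$demo_dir/kern.log") overflow drops logged"
echo "# rules to apply (host exceptions first, blanket NOTRACK last):"
gen_notrack_rules "$INTERNAL_NET" "$TRACKED_HOST"
rm -rf "$demo_dir"
```

On the real box, `conntrack_usage` with no argument reads the live counters, and `count_conntrack_drops /var/log/kern.log` (or the output of dmesg saved to a file) gives the drop count; alerting when usage passes roughly 80% is what would have flagged the problem in the ticket before connections started failing.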