[ClusterLabs] Clustered LVM with iptables issue
Digimer
lists at alteeve.ca
Thu Sep 10 22:49:33 UTC 2015
On 10/09/15 06:31 PM, Noel Kuntze wrote:
>
> Hello Digimer,
>
> Pro tip: look at the 'multiport' module. You can substantially reduce the number of rules with it.
> Right now, I'm scratching my eyes out.
> You can use `ss` or `netstat` to find out where clvmd wants to phone to. That might be
> an additional lead. Or use tcpdump.
> But please, tidy up your rules.
The rules are as terse as I thought I could make them.
ss shows no difference:
====
[root@node1 ~]# /etc/init.d/clvmd start
Starting clvmd:
Activating VG(s): [ OK ]
[root@node1 ~]# ss
State  Recv-Q  Send-Q  Local Address:Port       Peer Address:Port
ESTAB  0       0       192.168.122.10:ssh       192.168.122.1:53935
ESTAB  0       0       192.168.122.10:ssh       192.168.122.1:53934
ESTAB  0       0       10.10.10.1:48985         10.10.10.2:7788
ESTAB  0       0       10.10.10.1:7788          10.10.10.2:51681
ESTAB  0       0       ::ffff:10.20.10.1:16851  ::ffff:10.20.10.2:43553
[root@node1 ~]# /etc/init.d/clvmd stop
Signaling clvmd to exit [ OK ]
clvmd terminated [ OK ]
[root@node1 ~]# ss
State  Recv-Q  Send-Q  Local Address:Port       Peer Address:Port
ESTAB  0       0       192.168.122.10:ssh       192.168.122.1:53935
ESTAB  0       0       192.168.122.10:ssh       192.168.122.1:53934
ESTAB  0       0       10.10.10.1:48985         10.10.10.2:7788
ESTAB  0       0       10.10.10.1:7788          10.10.10.2:51681
ESTAB  0       0       ::ffff:10.20.10.1:16851  ::ffff:10.20.10.2:43553
[root@node1 ~]# netcat
====
netstat had a lot more output, so I pushed the output to files and
diff'ed them:
====
[root@node1 ~]# netstat > 1
[root@node1 ~]# /etc/init.d/clvmd start
Starting clvmd:
Activating VG(s): [ OK ]
[root@node1 ~]# netstat > 2
[root@node1 ~]# diff -U0 1 2
--- 1 2015-09-10 22:46:31.275000003 +0000
+++ 2 2015-09-10 22:46:51.044000011 +0000
@@ -7,0 +8,2 @@
+sctp 0 0 node1.bcn:21064 node2.bcn:21064
ESTABLISHED
+ node1.sn node2.sn
@@ -12 +14,6 @@
-unix 15 [ ] DGRAM 12986 /dev/log
+unix 16 [ ] DGRAM 12986 /dev/log
+unix 2 [ ] DGRAM 23743
+unix 3 [ ] STREAM CONNECTED 23689 @corosync.ipc
+unix 3 [ ] STREAM CONNECTED 23688
+unix 3 [ ] STREAM CONNECTED 23685
/var/run/cman_client
+unix 3 [ ] STREAM CONNECTED 23684
====
I'm not familiar with netstat, so I'll need to read up to understand the
differences and how to translate them to iptables rules.
--
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without
access to education?
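
Added example, not part of Digimer's message: a Python version of the before/after netstat comparison above that keeps only the new IP sockets and skips the unix-socket lines, which iptables does not filter. The two snapshots are constructed from the lines shown in the post (`client.example` is a placeholder), and the function names `parse` and `new_sockets` are hypothetical.

```python
import re

# Constructed snapshots modelled on the netstat lines quoted in the post
# (client.example is a placeholder host, not taken from the post).
BEFORE = """\
tcp        0      0 node1.bcn:ssh      client.example:53935  ESTABLISHED
unix  15     [ ]    DGRAM              12986  /dev/log
"""
AFTER = """\
tcp        0      0 node1.bcn:ssh      client.example:53935  ESTABLISHED
sctp       0      0 node1.bcn:21064    node2.bcn:21064
ESTABLISHED
                    node1.sn           node2.sn
unix  16     [ ]    DGRAM              12986  /dev/log
unix  3      [ ]    STREAM CONNECTED   23689  @corosync.ipc
"""

INET = re.compile(r"^(tcp6?|udp6?|sctp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+([A-Z_0-9]+))?\s*$")
STATE_ONLY = re.compile(r"^\s*([A-Z][A-Z_0-9]+)\s*$")

def parse(snapshot):
    """Map (proto, local, peer) -> state for IP sockets; unix sockets are ignored."""
    socks, last = {}, None
    for line in snapshot.splitlines():
        m = INET.match(line)
        if m:
            last = m.group(1, 2, 3)
            socks[last] = m.group(4) or ""
            continue
        s = STATE_ONLY.match(line)
        if s and last and not socks[last]:
            socks[last] = s.group(1)  # state wrapped onto the next line
        last = None  # any other line (extra SCTP addresses, unix) ends the entry
    return socks

def new_sockets(before, after):
    """IP sockets in `after` but not `before`, as (proto, lport, peer_host, pport, state)."""
    old = parse(before)
    found = []
    for (proto, local, peer), state in parse(after).items():
        if (proto, local, peer) not in old:
            host, pport = peer.rsplit(":", 1)
            found.append((proto, local.rsplit(":", 1)[1], host, pport, state))
    return sorted(found)

if __name__ == "__main__":
    for sock in new_sockets(BEFORE, AFTER):
        print(*sock)
```

Each tuple it reports is a protocol, port and peer to compare against the existing firewall rules.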