We did an upgrade of our CLUSTERIP based load-balanced DNS servers, and afterwards the kernel started spewing the message "CLUSTERIP: no conntrack error". It took some digging, but I eventually tracked it down. To fix it you need to insert a rule with "-m state --state INVALID -j DROP" ahead of the CLUSTERIP rule.
The message indicates that a packet arrived which doesn't match any existing conntrack connection, i.e. conntrack classed it as INVALID, so the CLUSTERIP target has no connection to hash it against. Dropping those packets before they reach the CLUSTERIP rule makes the message go away.
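Because the DROP rule only helps if it sits ahead of the CLUSTERIP rule in INPUT, here is an added shell check (not part of the original post) that parses `iptables-save` output and verifies the ordering. The sample dumps, the 192.0.2.53 address and the cluster MAC are constructed for the example.

```shell
#!/bin/sh
# Verify that an "INVALID -j DROP" rule precedes the first CLUSTERIP rule
# in the INPUT chain of an iptables-save dump.
# Usage: check_invalid_before_clusterip "$(iptables-save -t filter)"
# Returns 0 when the ordering is right, 1 when the DROP rule is missing or
# comes too late, 2 when the chain has no CLUSTERIP rule at all.
# The fix the post describes is: iptables -I INPUT 1 -m state --state INVALID -j DROP
check_invalid_before_clusterip() {
    dump=$1
    printf '%s\n' "$dump" | awk '
        # Match INPUT rules, with or without the [pkts:bytes] prefix of iptables-save -c
        /^(\[[0-9]+:[0-9]+\] )?-A INPUT / {
            n++
            # Accept both the old state match and the newer conntrack match
            if (/(--state|--ctstate) INVALID/ && /-j DROP/ && !drop) drop = n
            if (/-j CLUSTERIP/ && !cip) cip = n
        }
        END {
            if (!cip)  { print "no CLUSTERIP rule in INPUT"; exit 2 }
            if (!drop) { print "no INVALID DROP rule in INPUT"; exit 1 }
            if (drop > cip) {
                print "INVALID DROP rule (#" drop ") comes after CLUSTERIP rule (#" cip ")"
                exit 1
            }
            print "ok: INVALID DROP rule #" drop " precedes CLUSTERIP rule #" cip
            exit 0
        }'
}

# Constructed sample dumps (not captured from a real host).
CLUSTERIP_RULE='-A INPUT -d 192.0.2.53/32 -p udp -m udp --dport 53 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:00:35 --total-nodes 2 --local-node 1 --hash-init 0'
BAD_DUMP="*filter
:INPUT ACCEPT [0:0]
$CLUSTERIP_RULE
-A INPUT -m state --state INVALID -j DROP
COMMIT"
GOOD_DUMP="*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
$CLUSTERIP_RULE
COMMIT"
```

Run it against the live ruleset with `check_invalid_before_clusterip "$(iptables-save -t filter)"` after applying the fix.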