Fix the 10 minutes delay at first run (fix #1)!
parent 74b864e2cb
commit 72551575df
|
@ -13,6 +13,7 @@
|
||||||
using a loop via squash_actions is deprecated.
|
using a loop via squash_actions is deprecated.
|
||||||
* Turn nft_old_pkg_list into a list.
|
* Turn nft_old_pkg_list into a list.
|
||||||
* Add libiptc0 (iptables dependency) to the list of old package to remove.
|
* Add libiptc0 (iptables dependency) to the list of old package to remove.
|
||||||
|
* The 10 minutes delay at first run (#1)!
|
||||||
|
|
||||||
## v1.5.0
|
## v1.5.0
|
||||||
|
|
||||||
|
|
|
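Review bot: the new changelog entry `* The 10 minutes delay at first run (#1)!` states the symptom rather than the fix, so a changelog reader cannot tell what changed; suggest wording it as the fix, e.g. `* Fix the 10-minute delay at first run by accepting outgoing SSH packets with flags rst or psh | ack (#1).`, which matches the rule and the Known Issue text added elsewhere in this commit.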
@ -266,12 +266,7 @@ nft_input_group_rules:
|
||||||
|
|
||||||
## Known Issue
|
## Known Issue
|
||||||
|
|
||||||
* The first run of a playbook may be long (~8 minutes) just after the (re)start of `nftables` service.
|
* The 10 minutes delay at the first run is finally fixed by allowing the host to reset SSH connection (flags `rst, psh | ack`) (see #1).
|
||||||
* Probably due to Ansible/OpenSSH Specific default Settings, the outgoing connections for Ansible/SSH will be blocked :
|
|
||||||
```
|
|
||||||
trace id d7c3a8dc inet filter output packet: oif "ens18" ip saddr REMOTE_HOST ip daddr MY_HOST ip dscp 0x02 ip ecn not-ect ip ttl 64 ip id 56799 ip length 420 tcp sport ssh tcp dport 53922 tcp flags == 0x18 tcp window 1452
|
|
||||||
```
|
|
||||||
* This only happen at the first run on new clean host. The next runs will works without any delay.
|
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
|
|
|
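Review bot: the section keeps the heading `## Known Issue` while its only remaining bullet says the issue is fixed, which reads oddly; either rename the section or move that sentence into the changelog. The removed trace line (`tcp sport ssh ... tcp flags == 0x18`, i.e. PSH|ACK sent by the SSH server) is the evidence for why the new output rule must accept `psh | ack` and not only `rst`; consider keeping one sentence on the cause (outgoing SSH replies dropped by the output chain on the first run on a clean host) so a later maintainer does not remove the rule as unexplained. Minor: the old text said ~8 minutes, the new text says 10.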
@ -315,6 +315,8 @@ nft_output_default_rules:
|
||||||
- udp dport @out_udp_accept ct state new accept
|
- udp dport @out_udp_accept ct state new accept
|
||||||
210 output tcp accepted:
|
210 output tcp accepted:
|
||||||
- tcp dport @out_tcp_accept ct state new accept
|
- tcp dport @out_tcp_accept ct state new accept
|
||||||
|
250 reset-ssh: # allow the host to reset SSH connections to avoid 10 min delay from Ansible controller
|
||||||
|
- tcp sport ssh tcp flags { rst, psh | ack } counter accept
|
||||||
# ]]]
|
# ]]]
|
||||||
# .. envvar:: nft_output_rules [[[
|
# .. envvar:: nft_output_rules [[[
|
||||||
#
|
#
|
||||||
|
|
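Review bot: the new `250 reset-ssh` rule accepts any outgoing packet with `tcp sport ssh` and flags rst or psh | ack regardless of destination or conntrack state, and because it is added to `nft_output_default_rules` every host using the role gets it. Since the earlier rules already accept the established path, consider narrowing it to what the defaults do not cover (for example the Ansible controller addresses) and stating in the comment which flag combinations the set expression is meant to match. Hard-coding `ssh` also means the rule will not match hosts running sshd on a non-default port; if the role has a variable for the SSH port, use it here. The `counter` is a good addition: note in the docs that its hit count should stay low after the first run, which gives users a way to verify the fix and to spot unexpected traffic matching this carve-out.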