Hi Daniel,

A simpler way to deal with lcg-bdii is the following:

1) to check the iptables (and lcg-bdii) status execute:
    service iptables status
2) to shut down lcg-bdii fully execute:
    service lcg-bdii stop
    service iptables stop

If lcg-bdii runs on a CE acting as permanent NAT for WNs, then don't stop service iptables (or stop it only briefly) but execute:
    service iptables restart

3) to start lcg-bdii execute:
    service lcg-bdii start

You may also execute:
    service lcg-bdii restart

4) When more than one network interface is present on a host running service lcg-bdii (like a CE acting as NAT for WNs), replace the REDIRECT line in file /opt/lcg/bdii/sbin/lcg-bdii with:
    iptables -t nat -I PREROUTING 1 -p tcp --dport ${BDII_PORT_READ} -j DNAT --to-destination `host $(hostname) | awk '{print $4}'`:${BDII_PORT_READ}
Do the same in file /opt/lcg/bdii/sbin/lcg-bdii-update, using this line instead of the REDIRECT line:
    system("iptables -t nat -R PREROUTING 1 -p tcp --dport $bdii_port_read -j DNAT --to-destination `host $bdii_host | awk '{print \$4}'`:$bdii_port_write");

This would be good for single network interface hosts too.

Regards,
Dan
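As an added illustration (not code from this thread or from the lcg-bdii scripts), the following POSIX shell script shows how to audit the nat PREROUTING chain for the REDIRECT rule the lcg-bdii scripts install on the BDII read port and to build the per-rule DNAT replacement Dan describes above, without flushing the whole nat table on a CE that also masquerades its WNs. It assumes read port 2170 as quoted in the thread, takes the CE address as an explicit argument instead of resolving it with `host $(hostname)`, and runs against a constructed sample listing so it can be checked offline; the addresses and the second rule in the sample are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the nat PREROUTING chain for
# the REDIRECT rule that the lcg-bdii scripts install on the BDII read port,
# and build the DNAT replacement suggested for multi-interface hosts.
# Assumptions: the read port is 2170 (as in the thread) and the CE address
# the BDII listens on is passed in explicitly rather than resolved via
# `host $(hostname)`, so the script can be exercised offline.

BDII_PORT_READ=2170

# Constructed sample of `iptables -t nat -L PREROUTING -n --line-numbers`
# on a CE where lcg-bdii has inserted its REDIRECT rule at position 1 and
# an unrelated (made-up) DNAT rule follows it.
SAMPLE_PREROUTING='Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2170 redir ports 2171
2    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 to:192.168.0.10:8443'

# Print the rule number of every REDIRECT rule on the BDII read port.
# Reads the listing from stdin, so it works on the sample above or live:
#   iptables -t nat -L PREROUTING -n --line-numbers | find_bdii_redirect
find_bdii_redirect() {
    awk -v port="$BDII_PORT_READ" \
        '$2 == "REDIRECT" && $0 ~ ("dpt:" port "($| )") { print $1 }'
}

# Build the DNAT rule that replaces REDIRECT rule $1 in place, sending
# traffic for the read port to $2 (the CE's own address) on port $3.
# Replacing by rule number leaves the other NAT rules untouched.
build_dnat_rule() {
    printf 'iptables -t nat -R PREROUTING %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$1" "$BDII_PORT_READ" "$2" "$3"
}

# Stand-alone demo on the constructed sample: report each matching rule and
# the command that would replace it (printed, not executed).
for n in $(printf '%s\n' "$SAMPLE_PREROUTING" | find_bdii_redirect); do
    echo "REDIRECT rule $n matches BDII read port $BDII_PORT_READ; replace with:"
    build_dnat_rule "$n" 10.0.0.5 2171
done
```

On a live host, pipe the real `iptables -t nat -L PREROUTING -n --line-numbers` output into `find_bdii_redirect` and pass the CE's own address to `build_dnat_rule`; reviewing the printed command before running it as root keeps the WN masquerading rules intact, which is the concern behind Dan's advice not to stop iptables on a NATting CE.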



Daniel Cano wrote:
Hello,
now it seems to be working. Just stopping lcg-bdii and flushing the nat rules solves the problem. But now, when trying

lcg-infosites --vo cms ce|grep ifca

there's nothing there. The same result is produced by

lcg-infosites --vo cms se|grep ifca

I have restarted MDS several times, and I don't know why the information about ifca is not there, or what service is not collecting it. If you have any idea

Thanks in advance

Dani


Dan Schrager wrote:
Hi Maarten,

A sure solution - until the new version of the lcg-bdii service is released - is to run the current lcg-bdii service (top level or local) on hosts that don't perform any NAT-ing except for that controlled by the lcg-bdii service itself.
Another fix for the current lcg-bdii service would be the replacement of the PREROUTING REDIRECT target with a DNAT target (identical to the one in the OUTPUT chain, just below).

Best regards,
Dan



Maarten Litmaath, CERN wrote:
On Wed, 1 Jun 2005, Maarten Litmaath, CERN wrote:

On Tue, 31 May 2005, Vega Forneris wrote:

Hi again Daniel,

lcg-bdii is running

what kind of element is suffering this problem? Here at ESA-ESRIN we had the same
problems with our WNs which are NATted behind MasterNode/CE: I found the
problem was related to the lcg-bdii startup and update scripts: they
write a redirection on the CE from port 2170 to others (range 2171-2173)
in the iptables chain... to check it launch:

$ iptables -t nat -L

Try to stop the lcg-bdii service and flush all entries (save your
configuration first of course)

$ service lcg-bdii stop
$ iptables -F

(check all rules are flushed: $ iptables -t nat -L)

To flush the "nat" rules, you need to do this:

    iptables -F -t nat

In any case this may not be enough: I have seen some of our nodes get into
a state where iptables did not report any rules, netstat showed port 2170
being listened on (with the BDII just restarted), yet connections were refused.
In such cases a reboot is a solution.

The good news: we are testing a new version of the BDII that no longer uses
iptables at all.  We expect to make it available shortly.