
Re: moving ipvs() to POST/PREROUTING

To: Jason Stubbs <jasonbstubbs@xxxxxxxxx>
Subject: Re: moving ipvs() to POST/PREROUTING
Cc: LVS Devel <lvs-devel@xxxxxxxxxxxxxxx>
From: Joseph Mack NA3T <jmack@xxxxxxxx>
Date: Fri, 11 Apr 2008 09:14:08 -0700 (PDT)
On Sat, 12 Apr 2008, Jason Stubbs wrote:

>> I would hope people don't do this. RIPs should be private,
>> for security reasons and to preserve the fiction that the
>> LVS setup is one machine.
>
> This is precisely why I chose the hooks that I did. My intention was for the
> netfilter chains to only ever see the VIP, but packets with the RIP are going
> through too after IP_VS_XMIT is called.

Hmm. Still don't know what you're referring to then. Is this LVS-NAT, LVS-DR...?

netfilter sees the source and dest on the packets. How can netfilter only see the VIP?

>> see
>> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-DR.html#Pearthree
>>
>> sounds like you have the same problem with what I'm saying.
>
> I didn't quite follow this. Are you referring to services such as FTP?

No. This webpage shows why clients shouldn't know about the RIP and what you can do to make sure they don't find out about it.

Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
--
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
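The exchange above turns on which addresses the director's netfilter chains actually see after IP_VS_XMIT, and whether that depends on the forwarding method. Below is an added illustration (not code from this thread, the HOWTO, or IPVS itself): a small Python model that pushes one client-to-VIP packet through the director's hooks for LVS-NAT, LVS-DR and LVS-TUN and records the (src, dst) pair each hook would match on. It assumes the 2.6-era IPVS layout the thread refers to (ip_vs_in at LOCAL_IN choosing a realserver and calling IP_VS_XMIT, which re-injects the packet through LOCAL_OUT and POSTROUTING; ip_vs_out at FORWARD un-NATing LVS-NAT replies), and the addresses CIP, VIP, RIP and DIP are constructed sample values.

```python
"""Added model (not IPVS code) of which IP addresses the director's netfilter
chains see for one client->VIP packet under each LVS forwarding method.

Assumed IPVS layout (2.6-era): ip_vs_in hooks LOCAL_IN, picks a realserver and
calls IP_VS_XMIT, which re-injects the skb through LOCAL_OUT and POSTROUTING;
for LVS-NAT the realserver's reply is rewritten by ip_vs_out at FORWARD.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed sample addresses: client, virtual, real, and the director's own.
CIP, VIP, RIP, DIP = "203.0.113.10", "192.0.2.1", "10.0.0.11", "10.0.0.1"
Addrs = Tuple[str, str]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    outer: Optional[Addrs] = None  # encapsulating IP header (LVS-TUN only)

    def l3(self) -> Addrs:
        """What an iptables rule matches on: the outermost IP header."""
        return self.outer if self.outer else (self.src, self.dst)


def nat_xmit(p: Packet) -> Packet:
    return replace(p, dst=RIP)            # LVS-NAT: DNAT to the realserver


def dr_xmit(p: Packet) -> Packet:
    return p                              # LVS-DR: IP header untouched, only the L2 next hop changes


def tun_xmit(p: Packet) -> Packet:
    return replace(p, outer=(DIP, RIP))   # LVS-TUN: IPIP outer header director -> realserver


XMIT = {"NAT": nat_xmit, "DR": dr_xmit, "TUN": tun_xmit}


def request_trace(mode: str) -> Dict[str, Addrs]:
    """(src, dst) seen by each hook on the director for a client -> VIP packet."""
    p = Packet(CIP, VIP)
    seen = {"PREROUTING": p.l3(), "LOCAL_IN": p.l3()}   # ip_vs_in runs at LOCAL_IN
    p = XMIT[mode](p)                                    # IP_VS_XMIT re-injects at LOCAL_OUT
    seen["LOCAL_OUT"] = p.l3()
    seen["POSTROUTING"] = p.l3()
    return seen


def reply_trace(mode: str) -> Dict[str, Addrs]:
    """Same for the realserver's reply; only LVS-NAT routes it back via the director."""
    if mode != "NAT":
        return {}                                        # DR/TUN replies go straight to CIP
    p = Packet(RIP, CIP)
    # filter FORWARD (priority 0) runs before ip_vs_out (priority 100), so it sees the RIP
    seen = {"PREROUTING": p.l3(), "FORWARD": p.l3()}
    p = replace(p, src=VIP)                              # ip_vs_out un-NATs the source
    seen["POSTROUTING"] = p.l3()
    return seen


def hooks_exposing_rip(mode: str) -> List[str]:
    """Hooks whose matched addresses include the RIP, request and reply combined."""
    hooks = [h for h, a in request_trace(mode).items() if RIP in a]
    hooks += [f"reply:{h}" for h, a in reply_trace(mode).items() if RIP in a]
    return hooks


if __name__ == "__main__":
    for m in XMIT:
        print(m, hooks_exposing_rip(m))
```

Under this model only LVS-DR keeps the RIP out of every chain on the director; LVS-NAT exposes it in LOCAL_OUT and POSTROUTING on the way out and in PREROUTING and FORWARD on the reply, and LVS-TUN exposes it as the outer destination after encapsulation. The model ignores hook priorities other than the FORWARD ordering noted in the comment, and the skb marking IPVS uses to skip later POSTROUTING hooks, so treat it as a map of where to put LOG rules when checking a real director rather than as a statement about any particular kernel.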
