
Re: LVS with mark tracking

To: Henrik Nordstrom <hno@xxxxxxxxxxx>
Subject: Re: LVS with mark tracking
Cc: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Wed, 14 Feb 2001 21:51:14 +0000 (GMT)
        Hello,

On Wed, 14 Feb 2001, Henrik Nordstrom wrote:

> Hi.
>
> Here is a small patch to make LVS keep the MARK, and have return traffic
> inherit the mark.
>
> We use this for routing purposes on a multihomed LVS server, to have
> return traffic routed back the same way as from where it was received.
> What we do is that we set the mark in the iptables mangle chain
> depending on source interface, and in the routing table use this mark to
> have return traffic routed back in the same (opposite) direction.
>
> The patch also moves the priority of the LVS INPUT hook back to in front of
> the iptables filter hook, this to be able to filter the traffic not picked
> up by LVS but matching its service definitions. We are not
> (yet) interested in filtering traffic to the virtual servers, but very
> interested in filtering what traffic reaches the Linux LVS-box itself.

        "We are not interested ..." :)))

1. ip_vs_in2 is too small:

- packet defragmentation code is missing
- who uses NFC_ALTERED ?
- protocol header length is not checked
- related ICMP is not handled

2. Some parts of the code are commented. Is this part of the
proposal?

3. LOCAL_IN priority change is not acceptable: this ignores some
useful features.

Give us an example (with dummy addresses) for a setup that requires
such fwmark assignments.

> Regards
> Henrik Nordstrom
> SafeCore Technologies


Regards

--
Julian Anastasov <ja@xxxxxx>
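The setup Henrik describes above (mark by ingress interface in the mangle chain, then route replies by that mark) is the kind of example Julian asks for. The script below is an added illustration, not part of the thread or of the patch: it uses constructed dummy addresses (192.0.2.0/24 and 198.51.100.0/24) for a director with two uplinks and only prints the iptables and ip commands, so it can be reviewed before anything is applied. The interface names, marks, table numbers and gateways are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. fwmark-based policy routing on a
# multihomed LVS director, with constructed dummy addresses:
#   uplink A: eth0, gateway 192.0.2.1,     mark 1, routing table 101
#   uplink B: eth1, gateway 198.51.100.1,  mark 2, routing table 102
# The functions only print the commands; nothing is applied here.

# Mark every packet that arrives on a given interface (mangle/PREROUTING),
# so the mark records which uplink a connection came in on.
mark_by_ingress() {
    iface=$1; mark=$2
    echo "iptables -t mangle -A PREROUTING -i $iface -j MARK --set-mark $mark"
}

# Send packets carrying that mark to a table whose default route is the
# uplink they arrived on, so replies leave the same way they came in.
route_by_mark() {
    mark=$1; table=$2; gw=$3; dev=$4
    echo "ip rule add fwmark $mark table $table"
    echo "ip route add default via $gw dev $dev table $table"
}

# Full configuration for one uplink: uplink DEV MARK TABLE GATEWAY
uplink() {
    mark_by_ingress "$1" "$2"
    route_by_mark "$2" "$3" "$4" "$1"
}

# The complete two-uplink setup (three commands per uplink, six in total).
full_setup() {
    uplink eth0 1 101 192.0.2.1
    uplink eth1 2 102 198.51.100.1
}

full_setup
```

The ip rules only act on whatever mark a packet already carries. The inbound request is marked by PREROUTING, but the reply that LVS forwards back out is a different packet, so without the kernel-side change the patch proposes (LVS keeping the mark and having return traffic inherit it) the second half of this configuration has nothing to match on and replies fall back to the main table.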
