
Re: LVS with mark tracking

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: LVS with mark tracking
From: Henrik Nordstrom <hno@xxxxxxxxxxx>
Date: Thu, 15 Feb 2001 09:23:29 +0100
Julian Anastasov wrote:

>         Hello,
>
> On Wed, 14 Feb 2001, Henrik Nordstrom wrote:
>
> > Hi.
> >
> > Here is a small patch to make LVS keep the MARK, and have return traffic
> > inherit the mark.
> >
> > We use this for routing purposes on a multihomed LVS server, to have
> > return traffic routed back the same way as from where it was received.
> > What we do is that we set the mark in the iptables mangle chain
> > depending on source interface, and in the routing table use this mark to
> > have return traffic routed back in the same (opposite) direction.
> >
> > The patch also moves the priority of the LVS INPUT hook back to in front of
> > the iptables filter hook, to be able to filter the traffic not picked
> > up by LVS but matching its service definitions. We are not
> > (yet) interested in filtering traffic to the virtual servers, but very
> > interested in filtering what traffic reaches the Linux LVS box itself.
>
>         "We are not interested ..." :)))

And you think I care :)

> 1. ip_vs_in2 is too small:
>
> - packet defragmentation code is missing
> - who uses NFC_ALTERED ?

Netfilter. The packet is accepted by the hook but altered (mark changed).

> - protocol header length is not checked
> - related ICMP is not handled

Oops. Thanks for the feedback. Will fix these.

> 2. Some parts of the code are commented out. Is this a part of the
> proposal?

This is because there is a collision between the fwmark based farms and this
code. We are not using fwmark based farms, so I chose to ignore those for
now.

> 3. LOCAL_IN priority change is not acceptable: this ignores some
> useful features.

I did not expect you to accept this. It is a short term solution for us,
until other measures have been taken to integrate iptables rules and ipvs
so as not to require an overly complex iptables ruleset in order to accept
IPVS traffic.

> Give us an example (with dummy addresses) of a setup that requires
> such fwmark assignments.

For a start you need an LVS setup with more than one real interface receiving
client traffic for this to be of any use. Some clients (due to routing
outside the LVS server) come in on one interface, other clients on another
interface. In this setup you might not want to have an equally complex routing
table on the actual LVS server itself.

--
Henrik Nordstrom
SafeCore Technologies
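The userspace half of the setup Henrik describes (mark in the mangle chain by ingress interface, then route replies by that mark) as an added example; it is not code from the thread or from the LVS project. It assumes two upstream interfaces eth0 and eth1 with gateways 192.0.2.1 and 198.51.100.1 (constructed documentation addresses), and mark values 1 and 2 with routing tables 101 and 102 chosen arbitrarily. With DRY_RUN=1 the commands are printed for review instead of executed; applying them needs root.

```shell
#!/bin/sh
# Added example (not from the original post or the LVS project): policy routing
# keyed on an fwmark that is set per ingress interface, so reply traffic leaves
# through the interface it arrived on. Interfaces, gateways, marks and table
# numbers below are constructed assumptions.

# run CMD...: execute CMD, or print it when DRY_RUN=1 so the ruleset can be
# reviewed before it touches a live director.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_interface IFACE MARK TABLE GATEWAY: stamp packets arriving on IFACE with
# MARK in mangle/PREROUTING, give TABLE a default route back out via GATEWAY on
# IFACE, and select TABLE for any packet carrying MARK.
setup_interface() {
    iface=$1; mark=$2; table=$3; gateway=$4
    run iptables -t mangle -A PREROUTING -i "$iface" -j MARK --set-mark "$mark"
    run ip route add default via "$gateway" dev "$iface" table "$table"
    run ip rule add fwmark "$mark" table "$table"
}

# build_ruleset: the full two-homed configuration. Mark values must not clash
# with any fwmark-based LVS farm defined through ipvsadm -f.
build_ruleset() {
    setup_interface eth0 1 101 192.0.2.1
    setup_interface eth1 2 102 198.51.100.1
}

# check_ruleset RULESET: sanity check on a dry-run listing; returns 0 only if
# every mark that is set also has an ip rule that routes on it.
check_ruleset() {
    ruleset=$1
    for m in 1 2; do
        printf '%s\n' "$ruleset" | grep -q "MARK --set-mark $m" || return 1
        printf '%s\n' "$ruleset" | grep -q "ip rule add fwmark $m table" || return 1
    done
    return 0
}

# Review first, then apply without DRY_RUN on the director itself.
DRY_RUN=1 build_ruleset
```

Note that this script only covers the iptables and policy-routing side: without the kernel change discussed in the thread, replies forwarded by IPVS do not carry the mark, so the `ip rule` lines never match them and return traffic falls back to the main routing table.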


