
Re: Load Balancing Firewall

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Load Balancing Firewall
From: "Timothy Webster" <tdwebste@xxxxxxxxxxxxxxxx>
Date: Wed, 17 Oct 2001 12:30:56 -0400
---------- Original Message ----------------------------------
From: Julian Anastasov <ja@xxxxxx>
Reply-To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Date:  Wed, 17 Oct 2001 11:47:42 +0300 (EEST)

>
>       Hello,
>
>On Tue, 16 Oct 2001, Timothy Webster wrote:
>
>> After some thought and lots of reading, I realized that IPVS and TCPVS are what 
>> is needed to implement a load balancing firewall.
>>
>>
>> Example load balancing firewall
>>
>>             |---------|--dsl1----
>>             |load     |
>>             |balancing|--dsl2---- internet servers
>> clients ----|firewall |
>>             |---------|--dsl3----
>> private net
>
>       For such a setup (where the LBF performs NAT for private nets)
>you can use my patch routes-2.2.19-4.diff from
>http://www.linuxvirtualserver.org/~julian/
>
>       With this patch you can use the multipath feature to balance
>traffic through many gateways, even if they are reachable through one
>device. Not perfect, but it works for many flows to the universe.

I am using a 2.4.10 kernel. You are correct in that I plan on using LVS-NAT. 
This is perfectly adequate for dsl lines and saves investment in a router. The 
actual firewall I am constructing has 5 lines, 3 internet connections and 2 
private connections. I plan on using TEQL between the 2 private connections. 
All devices connected to the firewall in the DMZ have a similar configuration. 

It would be great if we could make this work for LVS-DR in the future. The 
LVS-DR is pure genius for high bandwidth requirements. "Let the fast dumb 
hardware do the balancing under the LVS's direction". For the future, is there 
any way I can force LVS to use an external balancing algorithm? I am thinking 
of integration with zebra. Currently I am only planning on using LVS load 
balancing on one side. In the future I will definitely want to use LVS load 
balancing in both directions.


>
>> To me this is not very different from a LVS gateway
>>
>>             |---------|--server 1----
>>             |load     |
>>             |balancing|--server 2----
>> clients ----|firewall |
>>             |---------|--server 3----
>
>       This is a different case: you want these "server ?" to be
>gateways reachable with LVS-DR method. The gateways deliver the
>incoming traffic directly to the clients.
>
>> internet                private net
>>
>>
>> - I am currently looking into what, if any, changes are required to enable
>> me to use the LVS gateway as part of a load balancing firewall.
>
>       Maybe only:
>
>- Forwarding of ICMP packets from LVS
>
>- Better bypass feature (per service, using input route calls)
>
>Everything is in my TODO list but still testing is needed.
>
>       To allow this to work some things are required:
>
>- route tagging - for easier marking of the packets. I.e. the fwmark
>marking is an input for the routing but this is not enough. We need
>a way for LVS to learn which route is selected (the route to universe),
>because it is hard to add so many ipchains -m rules that will not
>match the traffic to directly connected targets. Then we have to add
>virtual service by such tag (similar to the fwmark services).
>
>       IOW, with the current LVS versions you need something like
>this:
>
>ipchains -A input -m 1
>ip rule add prio ... fwmark 1 table 1
>ip route add local 0/0 dev lo table 1
>ipvsadm -A -f 1 ...
>ipvsadm -a -f 1 ...
>
>       And the problem is that when LVS receives marked packet we
>are not sure whether this packet is locally delivered after hitting
>a route from the local table or from any other table reached with
>fwmark rule. More specific ipchains marking (synchronized with the
>routing) is needed to mark only the packets that will be relayed to
>the border gateways.
>
>> Any thoughts on this idea.
>
>       Many, for example:
>
>ip route add local 0/0 dev lo rtmark 1
>ipvsadm -A -rtmark 1 ...
>

So far I have patched the 2.4.10 kernel with the ipvs 2.4.9 kernel patch. 
Compiled ipvsadm.
Will be testing today and tomorrow.

-thanks for your help

--tim. 