
Re: conflicting statements in LVS-HOWTO

To: James Treleaven <jametrel@xxxxxxxxxxxx>
Subject: Re: conflicting statements in LVS-HOWTO
Cc: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: Julian Anastasov <ja@xxxxxx>
Date: Fri, 1 Mar 2002 00:41:58 +0000 (GMT)
        Hello,

On Thu, 28 Feb 2002, James Treleaven wrote:

> I am confused by the LVS-HOWTO v1.12, Dec 2001.  Should I be able to ping
> client machines from my realserver, when using LVS-NAT? The HOWTO seems to

        The usual setups allow the real servers to ping the client
in NAT setups because there are NAT rules that usually allow this.
There are no good reasons to stop outgoing ICMP echo requests.
Of course, if one removes the NAT rules for ICMP then only the
related ICMP traffic will reach the clients, because ICMP is handled
by the kernel in this way: if it is related, it automatically
assumes the NAT rule applied to the master connection (TCP/UDP).
In 2.4 LVS can handle LVS-NAT without using any NAT rules. In
such a case the pings don't work, only the related ICMP messages.

> say conflicting things about this.
>
> Am I correct in assuming that 'Julian's step-by-step check' below is for a
> 'test' setup, where the realservers are on the same network as the director
> and the clients? Am I further correct in assuming that once a realserver has

        Yes, if we have the same NAT rules for ICMP then the working
pings are a good indication that NAT works.

> answered a request from a client, that client may then be pinged from the
> realserver because that client's ip address will exist in the NAT table on

        No, think of the case where any of the real servers should
be able to ping a client. These ICMP echo requests are treated as
a new ICMP "connection" by the NAT code, not as a part of or related to
an LVS connection. These ICMP echo requests select their own path to
the client. They can even select a different masquerade address
according to the routing and the NAT rules.

> the director?  How can one view that NAT table?

The LVS connection table is readable from the proc fs:

less /proc/net/ip_vs_conn

> The two sections of the HOWTO that seem to conflict with each other are:
>
> [12.3 All packets from the realserver to the outside world must go through
> the director]

        True, at least, the main and the related LVS traffic destined
to the clients. This is achieved usually by default or non-default (more
specific) route(s).

> ...
> 'In production you should _not_ be able to ping from the realservers to the

        Note that this is not "MUST" but "SHOULD"; maybe this is
a security measure. It is not related to the LVS traffic and
operation.

> client. The realservers should not know about any other network than their
> own (here 10.1.1.0). The connection from the realservers to the client is
> through ipchains (for 2.2.x kernels) and LVS-NAT tables setup by the
> director.'
>
> [12.9 Julian's step-by-step check of a L4 LVS-NAT setup]
> Question 1 is: 'Can the real server ping client?'
> 'Yes' is good and 'No' is bad.

        If the goal is "Yes" it is really good. One can always
apply traffic control rules to limit the different kinds of
ICMP traffic to specific limits. The Linux kernels contain such
policies by default, maybe not for all ICMP packets.

> cheers,
> James

Regards

--
Julian Anastasov <ja@xxxxxx>
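The message above points at /proc/net/ip_vs_conn as the place to view the LVS connection table, and notes that it lists the TCP/UDP LVS connections rather than the real servers' own ICMP echo "connections". The following added example (not code from the thread or from the LVS project) parses that table in the 2.4-era column layout, which is assumed here, over a constructed sample and answers the question James asked: which clients currently have an entry, and which real server each was scheduled to.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the assumed 2.4-era /proc/net/ip_vs_conn layout:
# hex IPv4 addresses and ports, one LVS connection per line. Not captured
# from a real director.
SAMPLE_IP_VS_CONN = """\
Pro FromIP   FPrt ToIP     TPrt DestIP   DPrt State       Expires
TCP C0A80101 C350 C0A80002 0050 0A010102 0050 ESTABLISHED    899
TCP C0A80101 C351 C0A80002 0050 0A010103 0050 TIME_WAIT       59
UDP C0A80105 0035 C0A80002 0035 0A010102 0035 UDP            120
"""


def _hex_ip(field):
    """Convert the kernel's 8-hex-digit IPv4 field to dotted notation."""
    return str(ipaddress.IPv4Address(int(field, 16)))


def parse_ip_vs_conn(text):
    """Parse the table into one dict per LVS connection entry."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or f[0] == "Pro":
            continue  # skip the header line and anything malformed
        entries.append({
            "proto": f[0],
            "client": (_hex_ip(f[1]), int(f[2], 16)),      # FromIP/FPrt
            "vip": (_hex_ip(f[3]), int(f[4], 16)),         # ToIP/TPrt
            "realserver": (_hex_ip(f[5]), int(f[6], 16)),  # DestIP/DPrt
            "state": f[7],
            "expires": int(f[8]),
        })
    return entries


def clients_by_realserver(entries):
    """Map each real server IP to the sorted client IPs it currently serves."""
    served = defaultdict(set)
    for e in entries:
        served[e["realserver"][0]].add(e["client"][0])
    return {rs: sorted(clients) for rs, clients in served.items()}


def has_connection_from(entries, client_ip):
    """True if client_ip has any LVS entry (in any state) in the table."""
    return any(e["client"][0] == client_ip for e in entries)
```

On a real director replace SAMPLE_IP_VS_CONN with the contents of /proc/net/ip_vs_conn.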