
Re: Confused noobie problem

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Confused noobie problem
From: Roberto Nibali <ratz@xxxxxxxxxxxx>
Date: Tue, 25 Nov 2003 00:44:55 +0100
Hi,

> Yeah, that is mostly what I meant. I am not using LVS for my firewall, I just wanted to use
> netfilter on this box to lock it down. I shouldn't need to do that though, so I don't think
> that I want to mess with this patch right now. I think that I'll try the IProute2 way, just
> because I think it is ideologically superior.

It is superior in all aspects ;).

> Wait, before I go trudging off into iproute2 land, let me ask this. If I go the
> iproute2/keepalived route then will I be able to use Netfilter without any kernel
> patches? That is the whole idea right?

Yes, the iproute2 framework doesn't conflict with netfilter, or at least not to the point you will be exploiting it in the next couple of months, until you start doing nasty policy routing tricks which throw netfilter out of its concept :).

> Is iproute2 as easy to set up as the eth0:185 syntax?

No, it's a nightmare, which is why people are still using the alias style of setting up IPs:

http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO.policy_routing.html

Joe, there are some issues with the text:

o the basic problem with route/netstat -rn is that they only see the
  main table, which is rather limited.

o iproute2 very well knows the notion of ip aliases by using labels just
  like ifconfig. It's not up to the tool to decide if labels work or
  not. The misconception people have with ip aliasing is that people
  think an aliased interface is a logically separated interface while
  it is _not_. And this is the case since 2.1.128 or so.

o ipchains doesn't recognize aliases either, because since the _2.2.x_
  kernel we moved to the iproute2 architecture, not in the 2.4.x as
  the howto lists. Packet filtering on aliases stopped working after
  the decay of ipfwadm in the old 2.0.x kernel days. Today you can
  still filter on so-called ip aliases but, as the name implies, you
  specify the IP ADDRESS as a classifier and if you want to restrict
  it you add the underlying _physical_ interface definition to the
  classifying rule.

o iproute2 is compatible with ifconfig/route/netstat but not vice versa.
  The two biggest issues people new to iproute2 have to struggle with
  are:

  + if you add secondary ip addresses without a label (alias interface)
    ifconfig is confused and doesn't print the information

  + if you add rules for branching into different routing tables than
    the main routing table, route or netstat -rn will not show you those
    routes. This is also the case for blackhole, throw, unreachable and
    prohibit routes.
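The two visibility gaps listed above matter when you audit a host with the legacy tools: an unlabelled secondary address never shows up in ifconfig, and routes in non-main tables (or of type blackhole/throw/unreachable/prohibit) never show up in route -n. The following is an added example, not code from the list or from Roberto's tools, that parses the one-line output of `ip -o addr show`, `ip route show table all` and `ip rule show` and reports exactly those entries. The sample output embedded below is constructed for a hypothetical host (192.0.2.0/24 is documentation address space); the column layout assumed is that of `ip -o addr show`, where the label is the last token before `valid_lft`.

```python
"""Report addresses and routes that ifconfig / route -n would not show.

All sample output below is constructed for this example; on a real host
you would feed in the output of the three ip commands instead.
"""

# Constructed sample of `ip -o addr show` (one record per line; in -o mode
# ip prints the address label followed by a literal backslash).
SAMPLE_ADDR = "\n".join([
    r"1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever",
    r"2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever",
    r"2: eth0    inet 192.0.2.185/24 brd 192.0.2.255 scope global secondary eth0:185\       valid_lft forever preferred_lft forever",
    r"2: eth0    inet 192.0.2.186/24 brd 192.0.2.255 scope global secondary eth0\       valid_lft forever preferred_lft forever",
])

# Constructed sample of `ip route show table all` (non-main entries carry
# a "table <id>" attribute; main-table entries do not).
SAMPLE_ROUTES = "\n".join([
    "default via 192.0.2.1 dev eth0",
    "192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10",
    "10.0.0.0/8 via 192.0.2.254 dev eth0 table 100",
    "blackhole 198.51.100.0/24",
    "unreachable 203.0.113.0/24 table 100",
])

# Constructed sample of `ip rule show`.
SAMPLE_RULES = "\n".join([
    "0:\tfrom all lookup local",
    "32765:\tfrom 192.0.2.185 lookup 100",
    "32766:\tfrom all lookup main",
    "32767:\tfrom all lookup default",
])

SPECIAL_ROUTE_TYPES = {"blackhole", "throw", "unreachable", "prohibit"}
BUILTIN_TABLES = {"local", "main", "default"}


def parse_addrs(text):
    """Return one dict per IPv4 address record of `ip -o addr show`."""
    records = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[2] != "inet":  # skip IPv6 and empty lines
            continue
        # the label is the last token before valid_lft, with the trailing
        # backslash that -o mode appends stripped off
        label = tok[tok.index("valid_lft") - 1].rstrip("\\")
        records.append({"ifname": tok[1], "addr": tok[3],
                        "secondary": "secondary" in tok, "label": label})
    return records


def hidden_from_ifconfig(text):
    """Secondary addresses whose label equals the interface name: ifconfig
    enumerates interfaces by label, so these are silently omitted."""
    return [r["addr"] for r in parse_addrs(text)
            if r["secondary"] and r["label"] == r["ifname"]]


def parse_routes(text):
    """Return (type, destination, table) for each line of `ip route show`."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        rtype = tok[0] if tok[0] in SPECIAL_ROUTE_TYPES else "unicast"
        dst = tok[1] if rtype != "unicast" else tok[0]
        table = tok[tok.index("table") + 1] if "table" in tok else "main"
        routes.append((rtype, dst, table))
    return routes


def hidden_from_route(text):
    """Routes that route -n / netstat -rn will not list: anything outside
    the main table, plus the special route types even in the main table."""
    return [r for r in parse_routes(text)
            if r[2] != "main" or r[0] != "unicast"]


def custom_tables_from_rules(text):
    """Tables that rules branch into, beyond the three built-in ones."""
    tables = []
    for line in text.splitlines():
        tok = line.split()
        if "lookup" in tok:
            table = tok[tok.index("lookup") + 1]
            if table not in BUILTIN_TABLES and table not in tables:
                tables.append(table)
    return tables


if __name__ == "__main__":
    print("not shown by ifconfig:", hidden_from_ifconfig(SAMPLE_ADDR))
    print("not shown by route -n:", hidden_from_route(SAMPLE_ROUTES))
    print("tables reached only via rules:", custom_tables_from_rules(SAMPLE_RULES))
```

On the constructed sample, 192.0.2.185/24 is labelled eth0:185 and so still appears in ifconfig, while 192.0.2.186/24 has no label of its own and is reported as hidden; the route in table 100 and the blackhole route are reported as invisible to route -n, and rule 32765 is the only one branching into a non-built-in table.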

> Ahh.. Well, I like a good scary nightmare every now and again. That is why I
> learned VI after all!

Vi(m) is not scary at all, it's extremely straightforward and built for ease-of-use :)

> Thanks again for all the advice and pointers, I would still be scratching my head if I
> didn't have help like this. Maybe I can even contribute to this project in some way. I
> actually like writing documentation, maybe I could help out with that once I understand
> it more. Of course I would have to have you all look it over, but that is obvious.

If you guys are interested I'll offer my first semi-official release of some of the replacement tools I've written for ifconfig/route. You can download them from (just uploaded):

http://www.drugphish.ch/~ratz/iproute2/

HTH and best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
