LVS
lvs-users
Google
 
Web LinuxVirtualServer.org

Re: Ipvsadm and netfilter

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Ipvsadm and netfilter
From: Roberto Nibali <ratz@xxxxxxxxxxxx>
Date: Tue, 28 Sep 2004 13:16:32 +0200
Hello,

According to LVS how-to, chapter 17.2, the path of an incoming packet
should be:

PREROUTING -> LOCAL_IN -> POSTROUTING

But from what I can see, the path is more like

PREROUTING -> LOCAL_IN -> LOCAL_OUT -> POSTROUTING

I think the documentation is correct, but I would need to check the code first.

The context;
The director is connected on the LAN, 10.64.0.0/24, on its eth1 interface.
Behind it, the real servers are on 192.168.76.2 on a 802.1q tagged
vlan 3 and connected to the redirector on its eth0.3 interface.

So we have 10.64.0.0/24--->(VIP)eth1|LVS|eth0(DIP)--->192.168.76.0/24

10.64.0.16 is configured as an alias on the eth1 interface of the
redirector, and the ssh port of this address is redirected to the ssh port
of 192.168.76.2:

Ipvsadm rules:
-A -t 10.64.0.16:ssh -s rr
-a -t 10.64.0.16:ssh -r 192.168.76.2:ssh -m -w 1

Ok.

Iptables rules: Default policy fro all chains: ACCEPT

For all tables? How do you have LVS-NAT working then?

-A INPUT -d 10.64.0.16 -i eth1 -j LOG --log-prefix "INPUT ipvsadm
" --log-level 6 -A OUTPUT -o eth0.+ -j LOG --log-prefix "OUTPUT ipvsadm " --log-level 6

For future make that '... -o eth0 ...' since no interface with the name eth0.+ exists (yes, I know what regex patterns are). To be completely sure of how your packets traverse the netfilter stack without reading the source code, I would add a LOG rule for all chains of the filter and nat table.

If from the 10.64.0.0/24 lan I ssh to 10.64.0.16 packets go through the
OUTPUT chain as you can see in my log:

OUTPUT ipvsadm IN= OUT=eth0.3 SRC=10.64.0.81 DST=192.168.76.2 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=3850 DF PROTO=TCP SPT=49851 DPT=22
WINDOW=5840 RES=0x00 SYN URGP=0
OUTPUT ipvsadm IN= OUT=eth0.3 SRC=10.64.0.81 DST=192.168.76.2 LEN=52
TOS=0x00 PREC=0x00 TTL=64 ID=3851 DF PROTO=TCP SPT=49851 DPT=22
WINDOW=5840 RES=0x00 ACK URGP=0
OUTPUT ipvsadm IN= OUT=eth0.3 SRC=10.64.0.81 DST=192.168.76.2 LEN=52
TOS=0x00 PREC=0x00 TTL=64 ID=3852 DF PROTO=TCP SPT=49851 DPT=22
WINDOW=5840 RES=0x00 ACK URGP=0

Looks rather normal.

If I connect from another lan not directly connected to the director,
the packets go through INPUT and OUTPUT.

INPUT ipvsadm IN=eth1 OUT= MAC=00:0a:5e:3d:82:0f:00:e0:1e:7f:98:61:08:00
SRC=A.B.C.D DST=10.64.0.16 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55012
DF PROTO=TCP SPT=49852 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
OUTPUT ipvsadm IN= OUT=eth0.3 SRC=A.B.C.D DST=192.168.76.2 LEN=60
TOS=0x00 PREC=0x00 TTL=63 ID=55012 DF PROTO=TCP SPT=49852 DPT=22
WINDOW=5840 RES=0x00 SYN URGP=0
INPUT ipvsadm IN=eth1 OUT= MAC=00:0a:5e:3d:82:0f:00:e0:1e:7f:98:61:08:00
SRC=200.9.208.76 DST=A.B.C.D LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=55013
DF PROTO=TCP SPT=49852 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
OUTPUT ipvsadm IN= OUT=eth0.3 SRC=A.B.C.D DST=192.168.76.2 LEN=52
TOS=0x00 PREC=0x00 TTL=63 ID=55013 DF PROTO=TCP SPT=49852 DPT=22
WINDOW=5840 RES=0x00 ACK URGP=0

:) Indeed, confusing. I don't know what's up with your setup but try my suggestion of adding a LOG statement for those tables and chains and no IP and try it again. It should be clear.

HTH and best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
<Prev in Thread] Current Thread [Next in Thread>
  • Re: Ipvsadm and netfilter, Roberto Nibali <=