On Wed, 23 Nov 2005, Joseph Mack NA3T wrote:
> On Wed, 23 Nov 2005, Graeme Fowler wrote:
> > Yes, netfilter/iptables does interact with LVS.
> > Under LVS-NAT you need to make sure that the traffic
> > exiting the director on the client side is what the client
> > expects. That means SNAT (or masquerade).
> the original implementation doesn't need any iptables rules;
> the ftp helper and the lvs code handle it all. Unless
That's exactly what I thought. But...
> there's a change in spec (intentional that no-one has made
> clear, or unintentional through bitrot), you still shouldn't
> need iptables rules.
Then apparently it is suffering from bitrot.
Most examples use only a single IP on the director and act as a masquerading
box for the realservers too. In those simple setups, any connection not
properly SNATed by ip_vs will be 'fixed' by the masquerade rule
automagically... Maybe that's why not a lot of ppl notice the problem?
I'll compile a kernel with debug support and see if I can prove/disprove
any bitrot that way...
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) wm7d (dot) net - azimuthal equidistant map
> generator at http://www.wm7d.net/azproj.shtml
> Homepage http://www.austintek.com/ It's GNU/Linux!
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users