Re: Active ftp w/ lvs NAT broken?

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: Active ftp w/ lvs NAT broken?
From: Mark de Vries <markdv.lvsuser@xxxxxxxxxx>
Date: Thu, 24 Nov 2005 07:12:31 +0100 (CET)
On Wed, 23 Nov 2005, Joseph Mack NA3T wrote:

> On Wed, 23 Nov 2005, Graeme Fowler wrote:
> > Yes, netfilter/iptables does interact with LVS.
> >
> > Under LVS-NAT you need to make sure that the traffic
> > exiting the director on the client side is what the client
> > expects. That means SNAT (or masquerade).
> the original implementation doesn't need any iptables rules;
> the ftp helper and the lvs code handle it all. Unless

That's exactly what I thought. But...

> there's a change in spec (intentional that no-one has made
> clear, or unintentional through bitrot), you still shouldn't
> need iptables rules.

Then aparently it is suffering from bitrot.

Most examples use only a single IP on the director and act as masguerading
box for the realservers too. In those simple setups, any connection not
properly SNATed by ip_vs will be 'fixed' by the masquerade rule
automagically... Maybee that's why not a lot of ppl notice the problem?

I'll compile a kernel with debug support and see if I can prove/disprove
any bitrot that way...


> Joe
> --
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) wm7d (dot) net - azimuthal equidistant map
> generator at
> Homepage It's GNU/Linux!
> _______________________________________________
> mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to


<Prev in Thread] Current Thread [Next in Thread>