RE: Netfilter connection tracking support for IPVS

To: "'Julian Anastasov'" <ja@xxxxxx>
Subject: RE: Netfilter connection tracking support for IPVS
Cc: "' users mailing list.'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: "Nicklas Bondesson" <nicklas.bondesson@xxxxxxxxxxxx>
Date: Sat, 24 Feb 2007 15:37:44 +0100
>       Aha, I see why you are using snat_reroute. But I want 
> to note the following things:
> - you need to set snat_reroute only if you have ip rules with 
> source address where packets from VIP1 and VIP2 don't go to 
> same nexthop.
> If you have only one possible gateway then the kernel has 
> already attached this GW to the packet at routing time, so 
> there is no need to waste CPU to try to reroute it somewhere 
> else by VIP if there is no other alternative gateway.
> - you don't need iptables SNAT rules to SNAT traffic because 
> netfilter will not reroute it. Netfilter simply does not bind 
> to nexthop for NAT connections. Also, you can not expect IPVS 
> packets to reach netfilter in POST_ROUTING, the SNAT rule 
> will not see them.
> > I'm not sure if I'm being clear here, but in simple words:
> > the same public ip address that the client uses to connect to the
> > LVS should be used as source ip in the response to the client.
> > 
> > I have multiple public ip addresses that I need to source nat.
>       ok, but what do you see, what is the real problem? 
> Packets are dropped and don't reach uplink router or they are 
> not routed properly when you have 2 or more uplinks? Do you 
> have source-based IP rules?
> > The firewall is on the same box as the director.
> > 
> > Any pointers?
> > 
> > 
> > Thanks,
> > Nicklas
> Regards
> --
> Julian Anastasov <ja@xxxxxx>

Thanks, Julian, for all your valuable information.

The real problem is that no matter what VIP the client is accessing they
always get the same ip source address. This is what I'm trying to solve.
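
Julian's first point is that snat_reroute only matters when source-based ip rules send packets from VIP1 and VIP2 to different nexthops. The script below is an added example, not from this thread or the LVS project: it checks that condition against constructed `ip rule show` / `ip route show table N` output (RFC 5737 addresses) and, only when asked to apply, sets the IPVS sysctl, whose path `net.ipv4.vs.snat_reroute` is assumed here.

```shell
#!/bin/bash
# Constructed sample of `ip rule show` on a director with two VIPs,
# each routed through its own table (source-based policy routing).
SAMPLE_RULES='0:      from all lookup local
100:    from 203.0.113.10 lookup 101
101:    from 203.0.113.20 lookup 102
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample: one line per table, prefixed "TABLE:", in the
# format of `ip route show table TABLE`.
SAMPLE_ROUTES='101: default via 198.51.100.1 dev eth0
102: default via 198.51.100.254 dev eth1'

# gateway_for_table TABLE -> prints the default-route nexthop of TABLE.
gateway_for_table() {
    printf '%s\n' "$SAMPLE_ROUTES" |
        awk -v t="$1:" '$1 == t && $2 == "default" { print $4 }'
}

# vip_nexthops -> prints "VIP GATEWAY" for every source-based rule
# (rules with "from all" are skipped: they are not VIP-specific).
vip_nexthops() {
    printf '%s\n' "$SAMPLE_RULES" |
        awk '$2 == "from" && $3 != "all" && $4 == "lookup" { print $3, $5 }' |
        while read -r vip table; do
            printf '%s %s\n' "$vip" "$(gateway_for_table "$table")"
        done
}

# needs_snat_reroute -> prints 1 when the VIPs use more than one
# nexthop (rerouting by source is required), otherwise 0.
needs_snat_reroute() {
    n=$(vip_nexthops | awk '{ print $2 }' | sort -u | awk 'END { print NR }')
    if [ "$n" -gt 1 ]; then echo 1; else echo 0; fi
}

# Only touch the running kernel when explicitly asked (assumed sysctl path).
if [ "${1:-}" = "--apply" ]; then
    sysctl -w "net.ipv4.vs.snat_reroute=$(needs_snat_reroute)"
fi
```

Run it with `--apply` on the director to set the sysctl from the live decision; without the flag it only evaluates the sample data.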

