[lvs-users] Current best way to allow POSTROUTING with LVS-NAT?

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] Current best way to allow POSTROUTING with LVS-NAT?
From: Nate Carlson <lvs@xxxxxxxxxxxxxxx>
Date: Thu, 10 Jan 2008 15:04:10 -0600 (CST)
It's been a couple years (since 2.4 kernels) since I've used LVS. I'm 
setting it up now, using Debian's ldirectord and heartbeat-2 packages on a 
2.6.18 kernel (under Xen).

I'm in a situation where I want the real servers to be able to access the 
external IP, and be balanced back to whichever RSes are up for that pool. 
Here's an example of my config:

LVS Node:
Ext IP/VIP (eth0):      192.168.0.5
Int IP (eth1):          172.16.254.254
Gw IP:                  192.168.0.254

Real Servers:
Int IP (RIP):   172.16.254.1-5
Gw IP:          172.16.254.254

Let's say I'm balancing port 80 on the VIP to the RIPs.

I'd like to be able to hit the 192.168.0.5 address from any node in 
172.16.254.0/24. For example, let's say I'm hitting 192.168.0.5 from 
172.16.254.1. The packets look like:

Step 1: 172.16.254.1:1024 -> 192.168.0.5:25
   ..packet comes in on eth1 of the LVS node, and then is sent back out to
   the SMTP server on eth1, like:
Step 2: 172.16.254.1:1024 -> 172.16.254.2:25
   ..then 172.16.254.2 does the logical thing, and responds to the source:
Step 3: 172.16.254.2:25 -> 172.16.254.1:1024

..unfortunately, 172.16.254.1 is expecting the response from 192.168.0.5, 
so rejects the packet from 172.16.254.2. This is, of course, because the 
packet doesn't go back through the LVS server and get re-written back to 
the proper IP.

With LVS on 2.4, there was a set of patches I was able to run that would 
allow me to add an iptables rule to the LVS box similar to:

# POSTROUTING only matches on the output interface, so -o (not -i) is used
iptables -t nat -I POSTROUTING -o eth1 -p tcp -m tcp \
        -s 172.16.254.0/24 -d 172.16.254.1/32 --dport 25 \
        -j SNAT --to-source 172.16.254.254

What this would do is make the traffic in Step #2 (above) go back to the 
director, so the flow instead would look like:

Step 1: 172.16.254.1:1024 -> 192.168.0.5:25
Step 2: 172.16.254.254:1024 -> 172.16.254.2:25
Step 3: 192.168.0.5:25 -> 172.16.254.1:1024

..which would work.

Of course, on 2.6.18, this doesn't work by default, because I don't have 
the set of patches that allows POSTROUTING to catch packets that have 
already been handled by IPVS. Does anyone happen to have a set of patches 
that will allow something similar for 2.6.18?

I know I can switch to LVS-DR and get similar results, but I really prefer 
LVS-NAT for lots of reasons.

Appreciate any advice!

------------------------------------------------------------------------
| nate carlson | natecars@xxxxxxxxxxxxxxx | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------
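The asymmetric-return problem described in the post, modelled as an added example (this is not code from the post, from ldirectord or from the LVS project). It simulates the director's NAT path for a client that sits on the real-server subnet, with and without the extra SNAT toward the director's internal address, and checks whether the reply the client finally receives matches the reply it expects. The addresses are the ones from the post; the two-entry real-server pool, the fixed source port (real SNAT may pick a new one), the routing rule on the real server and the `Director` class with its connection table are assumptions of this model, standing in for IPVS's own connection tracking.

```python
"""Why LVS-NAT replies bypass the director when the client is a real server.

Constructed simulation: a director that DNATs VIP traffic to a real server,
optionally SNATing the forwarded request so the reply must come back
through it. Addresses follow the lvs-users post; everything else is assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """The packet a host sends straight back to this packet's source."""
        return Packet(self.dst, self.dport, self.src, self.sport)


VIP = "192.168.0.5"          # external VIP on the director's eth0
DIP = "172.16.254.254"       # director's internal address (SNAT source)
RS_SUBNET = "172.16.254."    # internal subnet of the real servers
RIPS = ["172.16.254.1", "172.16.254.2"]   # assumed two-server pool


class Director:
    def __init__(self, snat_local_clients: bool):
        self.snat = snat_local_clients
        # real-server-side 4-tuple -> original client packet (assumed
        # stand-in for IPVS connection tracking)
        self.conn = {}

    def _schedule(self, pkt: Packet) -> str:
        # Assumed scheduler: first real server that is not the client itself.
        for rip in RIPS:
            if rip != pkt.src:
                return rip
        raise RuntimeError("no real server available")

    def forward(self, pkt: Packet) -> Packet:
        """Step 2: DNAT VIP -> RIP, plus SNAT to DIP when enabled."""
        if pkt.dst != VIP:
            raise ValueError("director only handles traffic to the VIP")
        rip = self._schedule(pkt)
        src = DIP if (self.snat and pkt.src.startswith(RS_SUBNET)) else pkt.src
        out = Packet(src, pkt.sport, rip, pkt.dport)
        self.conn[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reverse(self, pkt: Packet):
        """Step 3 on the director: rewrite the RS reply back to VIP -> client."""
        orig = self.conn.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(VIP, orig.dport, orig.src, orig.sport)


def run_flow(snat: bool) -> dict:
    """Drive one request from real server .1 to the VIP and return the outcome."""
    director = Director(snat)
    client = RIPS[0]
    req = Packet(client, 1024, VIP, 25)
    expected = req.reply()               # client waits for VIP:25 -> client:1024

    fwd = director.forward(req)          # Step 2
    rs_reply = fwd.reply()               # the chosen RS answers its source

    # Assumed real-server routing: same-subnet destinations are delivered
    # directly on eth1 (bypassing the director); the director's own address
    # and everything off-subnet go to the director.
    if rs_reply.dst.startswith(RS_SUBNET) and rs_reply.dst != DIP:
        delivered = rs_reply
    else:
        delivered = director.reverse(rs_reply)

    return {"step2": fwd, "step3": delivered, "accepted": delivered == expected}


if __name__ == "__main__":
    for snat in (False, True):
        r = run_flow(snat)
        print(f"SNAT={snat}: step2={r['step2']} step3={r['step3']} "
              f"accepted={r['accepted']}")
```

Without the SNAT the real server's reply is addressed to 172.16.254.1 directly, so it never crosses the director and arrives with 172.16.254.2 as its source, which the client rejects. With the SNAT the reply is addressed to 172.16.254.254, the director's connection entry is found, and the client sees 192.168.0.5:25 -> 172.16.254.1:1024, the second flow in the post.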
