
Re: [lvs-users] FWMARKs and persistence

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] FWMARKs and persistence
From: Fabien Duchêne <fabien.duchene@xxxxxxxxxxxxxxxxxxxx>
Date: Thu, 23 Apr 2009 18:23:32 +0200
Hello Joe,

Thanks for your reply!

Okay for the -SH scheduler, but we have a script that dynamically changes
the weight of the servers (because they are very different, hardware-wise)
and I think it wouldn't solve the problem (you'll see why).
It was very simple to test: I opened the LDAP port on a webserver with
a Perl script (a server that just writes "hello"), and then connected to
this port with a telnet client just after connecting to the web service
with my browser.
Result: I'm connected to the webserver (via the LDAP mark...).

In fact, I looked into the code, and I think that LVS can't handle
multiple fwmark + persistence services (maybe we found a bug?).

If you look in ip_vs.h (in the headers):

static inline void ip_vs_addr_copy(int af, union nf_inet_addr *dst,
                                   const union nf_inet_addr *src)
{
#ifdef CONFIG_IP_VS_IPV6
        if (af == AF_INET6)
                ipv6_addr_copy(&dst->in6, &src->in6);
        else
#endif
        dst->ip = src->ip;
}

static inline int ip_vs_addr_equal(int af, const union nf_inet_addr *a,
                                   const union nf_inet_addr *b)
{
#ifdef CONFIG_IP_VS_IPV6
        if (af == AF_INET6)
                return ipv6_addr_equal(&a->in6, &b->in6);
#endif

        return a->ip == b->ip;
}

These functions are used to check if a template already exists.
In the fwmarked template, ->ip is always 0.0.0.0 and the ->all[3] (where
the fwmark is written) isn't tested (and not copied, as you can see!).
So, the first template created by a "fwmark persistent service" will
match every fwmark persistent service (ip = 0.0.0.0, it's the same for
all!).

Correct me if I'm wrong?

If it's a bug, I hope a dev could fix this.

Regards,

Fabien

Joseph Mack NA3T wrote:
> On Thu, 23 Apr 2009, Fabien Duchêne wrote:
> 
>> Hello,
>>
>> We are trying to setup a LVS load balancer for multiple services (HTTP,
>> HTTPS, LDAP, ...).
>> All these services are distributed over several servers, and they all
>> need persistence.
> 
> you could try the -SH scheduler as an alternative (not a whole lot
> different)
> 
>> They also use multiple ports, so we used fwmarks to identify the service.
> 
>> When you connect for the first time, you are stuck to a real server of
>> the service you're accessing (HTTP for eg).
> 
> correct
> 
>> The problem is that, after that, if you try to access another virtual
>> service (LDAP for instance), you get an ICMP port unreachable, because
>> you're still stuck on the HTTP Real Server.
> 
> do you know why you get a port unreachable? I wouldn't have expected
> that. Is the realserver listening on that port? Is the connect request
> making it to the realserver?
> 
> Joe
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
> 
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users


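The template collision described in the message above, as an added example that is not part of the original post or of the kernel source: a simplified userspace model of union nf_inet_addr, compared the way the quoted AF_INET paths compare it. The names model_addr, fwmark_key, stored_mark_after_copy and template_matches are hypothetical, and fwmarks 1 and 2 are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified userspace model of union nf_inet_addr: .ip overlays all[0].
 * Per the post, the fwmark of a persistence template is kept in all[3]. */
union model_addr {
    uint32_t all[4];
    uint32_t ip;
};

/* Template key as described in the post: ip = 0.0.0.0, fwmark in all[3]. */
static union model_addr fwmark_key(uint32_t fwmark)
{
    union model_addr k = { .all = { 0, 0, 0, fwmark } };
    return k;
}

/* Fwmark left in a stored template after the AF_INET path of
 * ip_vs_addr_copy(), which copies only .ip. */
uint32_t stored_mark_after_copy(uint32_t fwmark)
{
    union model_addr tmpl = { .all = { 0 } }, src = fwmark_key(fwmark);
    tmpl.ip = src.ip;
    return tmpl.all[3];
}

/* 1 if a lookup for fwmark `wanted` hits a template created for `stored`.
 * full_compare = 0: .ip only, as in the AF_INET path of ip_vs_addr_equal().
 * full_compare = 1: all four words (hypothetical variant, for contrast). */
int template_matches(uint32_t stored, uint32_t wanted, int full_compare)
{
    union model_addr tmpl = fwmark_key(stored), key = fwmark_key(wanted);
    if (full_compare)
        return memcmp(tmpl.all, key.all, sizeof(key.all)) == 0;
    return tmpl.ip == key.ip;
}

int main(void)
{
    /* Constructed marks: 1 = HTTP service, 2 = LDAP service. */
    printf("ip-only compare, mark 1 vs 2: %d\n", template_matches(1, 2, 0));
    printf("full compare,    mark 1 vs 2: %d\n", template_matches(1, 2, 1));
    printf("mark kept after ip-only copy: %u\n", (unsigned)stored_mark_after_copy(2));
    return 0;
}
```

With the ip-only comparison, the template created for the HTTP mark also satisfies the LDAP lookup, which is the cross-service stickiness reported in the thread.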