To: Ondrej.Rajmon@xxxxxxx
Subject: Re: [lvs-users] Real server refuses packets originated from itself and redirected by LVS
Cc: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: Simon Horman <horms@xxxxxxxxxxxx>
Date: Fri, 6 Nov 2009 11:19:56 +1100
On Thu, Nov 05, 2009 at 05:27:00PM +0100, Ondrej.Rajmon@xxxxxxx wrote:
> Hello,
> maybe my question is generally about the Linux network subsystem but
> nevertheless, it is related to LVS. My systems are RHEL5 and I have
> configured a load balancer-LVS (LB) and 2 real servers (RS1, RS2) with
> Apache. I use the DR configuration described in the RedHat documentation, so the
> VIP is configured just on the LB. The real servers have just their real IPs
> configured and acceptance of balanced packets is accomplished by an
> iptables rule with target REDIRECT:
>
> iptables -t nat -A PREROUTING -p tcp -d <VIP> --dport 80 -j REDIRECT
>
> When the connecting clients are external hosts, it works well. But when the
> client is on one of the real servers, it works just partially. For example:
>
> - a client on RS1 connects to VIP -> LB redirects it to RS2 => it works fine
>
> - a client on RS1 connects to VIP -> LB redirects it to RS1 => it doesn't work
>
> When RS1 connects to itself through the VIP, the TCP connection is not established.
> Using tcpdump I can see that the SYN packet leaves RS1's interface and
> immediately arrives back as it's redirected by the LB. So it looks fine and
> correct. But when watching the NAT PREROUTING table, the packet doesn't
> appear there. It seems as if the packet gets lost somewhere between the input
> interface and the PREROUTING hook. I don't understand ... Can anybody
> explain that behaviour?
>
> I know this is not the standard usage of LVS and I have read the HOWTO -
> LVS clients on Realservers. But the HOWTO discusses a different model,
> where the real servers have the VIP configured on their interfaces, so the solved
> problems are different. What I want is to understand what happens in the
> system.

Hi,

as I understand it, real servers connecting to an LVS-DR
virtual service of which they are a member is generally thought not to work.
Though your approach of using iptables does seem to get quite
close to something that works. I wonder if the problem that you are
seeing is that the real server is rejecting the packet received from
the director as a martian (that is, a packet from itself). There
are some martian controls in /proc; perhaps you could experiment with
these?

I also wonder if a different approach could work. Assuming that
the connection from the real server doesn't need to be load-balanced,
I wonder if an iptables rule could be constructed such that
the real server just directly connects to itself when accessing the VIP.


_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
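The two things Simon's reply points at, written out as an added example (not code from this thread or from the LVS project) to run on a real server: making a suspected martian drop visible with the log_martians sysctl, and a nat OUTPUT REDIRECT rule so the real server reaches its own Apache when it connects to the VIP. The VIP 192.0.2.10 and interface eth0 are placeholders, and the IPT/SYSCTL variables are a hypothetical override so the commands can be printed instead of applied.

```shell
#!/bin/sh
# Added example, not code from the thread or from LVS. Run on a real server.
# Assumptions: iptables and sysctl are installed; IPT and SYSCTL may be
# overridden (e.g. IPT=echo) to print the commands instead of applying them.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

# Part 1: make the suspected martian drop visible. The SYN that the director
# hands back carries one of this host's own addresses as its source, and the
# routing lookup on a received packet rejects such a source as a "martian".
# With log_martians enabled on the receiving interface the kernel logs the
# drop instead of discarding silently, confirming or ruling out the theory.
log_martians_key() {
    printf 'net.ipv4.conf.%s.log_martians=1' "$1"
}

enable_martian_logging() {
    # $1: interface that faces the director, e.g. eth0
    $SYSCTL -w "$(log_martians_key "$1")"
}

# Part 2: the alternative Simon suggests. Instead of sending locally generated
# VIP traffic to the director and having it handed back to ourselves,
# REDIRECT it in the nat OUTPUT chain. For locally generated packets REDIRECT
# rewrites the destination to 127.0.0.1, so the connection is served by the
# local Apache and never leaves the host. Only sensible when that traffic
# does not itself need to be load-balanced.
local_vip_rule() {
    # $1: VIP (placeholder here), $2: port, default 80
    vip=$1
    port=${2:-80}
    printf '%s' "-t nat -A OUTPUT -p tcp -d $vip --dport $port -j REDIRECT"
}

redirect_local_vip() {
    # The rule is deliberately word-split into separate iptables arguments.
    $IPT $(local_vip_rule "$@")
}

# Example invocation with placeholder values (uncomment on a real server):
# enable_martian_logging eth0
# redirect_local_vip 192.0.2.10 80
# Then reproduce the failing connection and check: dmesg | grep 'martian source'
```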
