
To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] IPVS with SNAT support on the kernel 2.6.36 + iptables v1.4.10
From: Ivan Havlicek <ivan@xxxxxxxxxxx>
Date: Mon, 7 Mar 2011 15:56:22 +0100
2011/3/4 Julian Anastasov <ja@xxxxxx>:
>        I now remember that IP_VS_DBG_PKT uses these
> new pr_debug macros, so you can enable the debugging by
> adding
> #define DEBUG
> as first line in net/netfilter/ipvs/ip_vs_proto.c
>        then recompile and we can see how the packets look.
> We must be sure that the right traffic reaches LOCAL_OUT.

Hi,

Since I rebooted srv2 (which was OK), the SNAT rule doesn't work any more!
I'm going to try the same with srv1 (which was KO); perhaps it's its
turn to SNAT now?

First, I added some tracing rules to iptables:

iptables -t nat -I PREROUTING -p tcp -m tcp --dport 389 -j LOG --log-prefix "nat/PREROUTING : "
iptables -t nat -I POSTROUTING -m ipvs --vaddr 10.1.1.254 -j LOG --log-prefix "ipvs/POSTROUTING : "
iptables -t nat -I POSTROUTING -p tcp -m tcp --dport 389 -j LOG --log-prefix "nat/POSTROUTING : "
iptables -t nat -I INPUT -p tcp -m tcp --dport 389 -j LOG --log-prefix "nat/INPUT : "
iptables -t nat -I OUTPUT -p tcp -m tcp --dport 389 -j LOG --log-prefix "nat/OUTPUT : "
iptables -I INPUT -p tcp -m tcp --dport 389 -j LOG --log-prefix "filter/INPUT : "
iptables -I FORWARD -p tcp -m tcp --dport 389 -j LOG --log-prefix "filter/FORWARD : "
iptables -I OUTPUT -p tcp -m tcp --dport 389 -j LOG --log-prefix "filter/OUTPUT : "

Then I generated some kernel traces with an ldapsearch request from the client:

echo 99 > /proc/sys/net/ipv4/vs/debug_level

...
Mar  7 15:13:12 srv2 kernel: nat/PREROUTING : IN=virbr1 OUT= MAC=fe:54:10:01:01:01:52:54:10:01:01:31:08:00 SRC=10.1.1.31 DST=10.1.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26700 DF PROTO=TCP SPT=43100 DPT=389 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  7 15:13:12 srv2 kernel: filter/INPUT : IN=virbr1 OUT= MAC=fe:54:10:01:01:01:52:54:10:01:01:31:08:00 SRC=10.1.1.31 DST=10.1.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26700 DF PROTO=TCP SPT=43100 DPT=389 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  7 15:13:12 srv2 kernel: nat/INPUT : IN=virbr1 OUT= MAC=fe:54:10:01:01:01:52:54:10:01:01:31:08:00 SRC=10.1.1.31 DST=10.1.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26700 DF PROTO=TCP SPT=43100 DPT=389 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  7 15:13:12 srv2 kernel: IPVS: lookup/in TCP 10.1.1.31:43100->10.1.1.254:389 not hit
Mar  7 15:13:12 srv2 kernel: IPVS: lookup/out TCP 10.1.1.31:43100->10.1.1.254:389 not hit
Mar  7 15:13:12 srv2 kernel: IPVS: lookup service: fwm 0 TCP 10.1.1.254:389 hit
Mar  7 15:13:12 srv2 kernel: IPVS: ip_vs_wlc_schedule(): Scheduling...
Mar  7 15:13:12 srv2 kernel: IPVS: WLC: server 10.1.12.11:389 activeconns 0 refcnt 1 weight 100 overhead 0
Mar  7 15:13:12 srv2 kernel: IPVS: Bind-dest TCP c:10.1.1.31:43100 v:10.1.1.254:389 d:10.1.12.11:389 fwd:M s:0 conn->flags:100 conn->refcnt:1 dest->refcnt:2
Mar  7 15:13:12 srv2 kernel: IPVS: Schedule fwd:M c:10.1.1.31:43100 v:10.1.1.254:389 d:10.1.12.11:389 conn->flags:140 conn->refcnt:2
Mar  7 15:13:12 srv2 kernel: IPVS: Incoming packet: TCP 10.1.1.31:43100->10.1.1.254:389
Mar  7 15:13:12 srv2 kernel: IPVS: TCP input  [S...] 10.1.12.11:389->10.1.1.31:43100 state: NONE->SYN_RECV conn->refcnt:2
Mar  7 15:13:12 srv2 kernel: IPVS: Enter: ip_vs_nat_xmit, net/netfilter/ipvs/ip_vs_xmit.c line 394
Mar  7 15:13:12 srv2 kernel: IPVS: After DNAT: TCP 10.1.1.31:43100->10.1.12.11:389
Mar  7 15:13:12 srv2 kernel: filter/OUTPUT : IN= OUT=tun12 SRC=10.1.1.31 DST=10.1.12.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26700 DF PROTO=TCP SPT=43100 DPT=389 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  7 15:13:12 srv2 kernel: IPVS: Leave: ip_vs_nat_xmit, net/netfilter/ipvs/ip_vs_xmit.c line 448
...

So, iptables is traversed by the packets, but POSTROUTING seems to be skipped...
What shall I do to make the iptables SNAT rule "always" reached?!
Thanks for any suggestion.
-- 
Ivan

Listen http://youkounkoun-radio.com !
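As an added example (not part of Ivan's message or of the IPVS project), a small Python checker that parses LOG lines carrying the "table/CHAIN : " prefixes used above together with the IPVS "After DNAT" debug line, groups them per client flow (SRC:SPT) and reports whether the chain holding the SNAT rule, nat/POSTROUTING, was ever reached for a flow IPVS rewrote. The sample lines are constructed from the trace above, with fields the check does not need dropped.

```python
import re
from collections import OrderedDict

# Constructed sample: kernel LOG and IPVS debug lines in the format seen in
# the thread, re-joined onto single lines (unneeded fields dropped).
SAMPLE_LOG = """\
Mar  7 15:13:12 srv2 kernel: nat/PREROUTING : IN=virbr1 OUT= SRC=10.1.1.31 DST=10.1.1.254 LEN=60 PROTO=TCP SPT=43100 DPT=389 SYN URGP=0
Mar  7 15:13:12 srv2 kernel: filter/INPUT : IN=virbr1 OUT= SRC=10.1.1.31 DST=10.1.1.254 LEN=60 PROTO=TCP SPT=43100 DPT=389 SYN URGP=0
Mar  7 15:13:12 srv2 kernel: nat/INPUT : IN=virbr1 OUT= SRC=10.1.1.31 DST=10.1.1.254 LEN=60 PROTO=TCP SPT=43100 DPT=389 SYN URGP=0
Mar  7 15:13:12 srv2 kernel: IPVS: lookup service: fwm 0 TCP 10.1.1.254:389 hit
Mar  7 15:13:12 srv2 kernel: IPVS: After DNAT: TCP 10.1.1.31:43100->10.1.12.11:389
Mar  7 15:13:12 srv2 kernel: filter/OUTPUT : IN= OUT=tun12 SRC=10.1.1.31 DST=10.1.12.11 LEN=60 PROTO=TCP SPT=43100 DPT=389 SYN URGP=0
"""

# iptables LOG line with the "table/CHAIN : " prefix used by the trace rules.
LOG_RE = re.compile(
    r"kernel: (?P<chain>[a-z]+/[A-Z]+) : .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
# IPVS debug line emitted once the destination has been rewritten.
DNAT_RE = re.compile(
    r"IPVS: After DNAT: (?P<proto>\w+) (?P<src>\S+?):(?P<spt>\d+)->(?P<real>\S+)"
)

def analyze(log_text, snat_chain="nat/POSTROUTING"):
    """Group LOG hits by client flow (SRC:SPT, stable across DNAT) and flag
    DNAT'd flows for which the chain holding the SNAT rule never logged."""
    flows = OrderedDict()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            key = f"{m['src']}:{m['spt']}"
            f = flows.setdefault(key, {"chains": [], "dnat_dest": None})
            f["chains"].append(m["chain"])
            continue
        m = DNAT_RE.search(line)
        if m:
            key = f"{m['src']}:{m['spt']}"
            f = flows.setdefault(key, {"chains": [], "dnat_dest": None})
            f["dnat_dest"] = m["real"]
    report = {}
    for key, f in flows.items():
        # Only flows IPVS rewrote towards a real server need SNAT on the way out.
        missed = f["dnat_dest"] is not None and snat_chain not in f["chains"]
        report[key] = {"chains": f["chains"], "dnat_dest": f["dnat_dest"],
                       "snat_chain_missed": missed}
    return report

if __name__ == "__main__":
    for key, r in analyze(SAMPLE_LOG).items():
        status = "MISSED" if r["snat_chain_missed"] else "ok"
        print(f"{key} -> {r['dnat_dest']}: {' > '.join(r['chains'])} [{status}]")
```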
