Re: [PATCH ipvs-next] ipvs: add sysctl to ignore tunneled packets

To: Julian Anastasov <ja@xxxxxx>
Subject: Re: [PATCH ipvs-next] ipvs: add sysctl to ignore tunneled packets
Cc: Alex Gartrell <agartrell@xxxxxx>, Simon Horman <horms@xxxxxxxxxxxx>, lvs-devel@xxxxxxxxxxxxxxx, kernel-team <kernel-team@xxxxxx>
From: Alex Gartrell <alexgartrell@xxxxxxxxx>
Date: Sat, 12 Sep 2015 02:09:47 -0700
On Fri, Sep 11, 2015 at 12:24 PM, Julian Anastasov <ja@xxxxxx> wrote:
>         We can use "ipvs" here. I remember people used
> matching by src MAC to solve such problem for DR. For TUN
> fwmark or match by input device can work too. In all cases,
> a fwmark-based service is needed...

Yeah, to be honest, this approach isn't my ideal.  We've had a much
nastier version of this patch (that adds a field to skbuff...) for a
long time, and this was just a less awful way of doing this.

The problem for us is that moving the whole of our load balancing to
fwmark-based pools is a giant nightmare.  On top of the obvious stuff
(redeploying the userspace element to our load balancers), we'd also
need to find a way to prevent conflict between that and our firewalls.
It was more engineering than I had time for, sadly.

Other ideas I had to address this:
* Add some mechanism wherein certain fwmarks are ignored
* Add an iptables target that sets ipvs_property=1

I'm also totally open to ideas.

cheers,
-- 
Alex Gartrell <agartrell@xxxxxx>
