I wrote a very simple patch for ipvs that enables a kernel config option that allows you to choose where IPVS intercepts incoming connections. These are the options:
- LOCAL_IN (default: works as usual)
- PRE_ROUTING (puts LVS input right after the mangle PREROUTING and before the nat PREROUTING chain)

neat. I thought it was hard enough to move that it wouldn't be just an option :-)

By selecting the PRE_ROUTING option, transparent proxying is possible (I've tried it in DR and NAT mode), because packets are sent to real servers before NAT; this way the realserver can do a DNAT/REDIRECT etc. to send the packets to the proxy application. This also works for the localnode, because packets go through PREROUTING after LVS, and there they can be DNATed/REDIRECTed.


what we'd really like is ipvs hooked into the FORWARD chain. Can you do this too?

I tried it on some test boxes and it seems to work pretty well; I'll do some stress testing in the next few days. I could send you a setup example if you like...

yes please

