Re: [PATCH] Transparent proxy support for LVS with localnode and realser

To: Joseph Mack NA3T <jmack@xxxxxxxx>
Subject: Re: [PATCH] Transparent proxy support for LVS with localnode and realservers (WORKING) (fwd)
Cc: LVS Devel <lvs-devel@xxxxxxxxxxxxxxx>
From: Raphael Vallazza <raphael@xxxxxxxxxx>
Date: Thu, 10 Jan 2008 16:15:19 +0100
> > > what we'd really like is ipvs hooked into the FORWARD chain. Can you do this too?
> >
> > To be honest I don't understand the reason for hooking LVS into the FORWARD chain,
>
> Horms would be a better person to speak about this. The general idea is to have the director be a router
>
> o there will not be a VIP on the director. Presumably the director will advertise any VIPs.

Works, with the PREROUTING method.

> o all filtering/fwmarks/NAT/firewalling that normally happens on ingress/egress will not collide with ipvs.

Right, with PREROUTING only fwmarks are set; filtering and NAT happen after ipvs.

> hmm, what's the NAT problem with having ipvs in the FORWARD chain? (or have I missed your point?)

For transparent proxying there has to be a DNAT/REDIRECT to the local machine. If the director/localnode applies the DNAT/REDIRECT rule, it only works on the localnode: the realservers get packets that have already been NATed, and the replies have the wrong destination ports set.

Maybe I'm missing something, but it seems that PREROUTING is the best point for LVS to act like a real router, because it gets packets that haven't been NATed yet.

> A while ago Horms moved ipvs to PREROUTING and then decided it was the wrong place and it would be better in the FORWARD chain.
>
> We'll change our minds if we're wrong.
>
> If there are problems and advantages in special cases for FORWARD and PREROUTING, then perhaps we need both versions.

Yes, you're right. FORWARD could be interesting if the localnode feature isn't required, but it wouldn't solve the transparent proxy problem with localnode + realservers. Well, if I add a choice for a FORWARD method, the user could choose...

> > The only negative thing is that traffic can't be filtered in a regular way,
>
> it would be nice to avoid the collisions with firewall rules that we have now.

Yes, but I can't find a good solution for that if used together with transparent proxying. The only one I've found was the PREROUTING one; any thoughts?



:: e n d i a n
:: open source - open minds

:: raphael vallazza
:: phone +39 0471 631763  :: fax +39 0471 631764
::  :: raphael (AT)
