Re: [PATCH] Transparent proxy support for LVS with localnode and realservers (WORKING) (fwd)

To: Raphael Vallazza <raphael@xxxxxxxxxx>
Subject: Re: [PATCH] Transparent proxy support for LVS with localnode and realservers (WORKING) (fwd)
Cc: LVS Devel <lvs-devel@xxxxxxxxxxxxxxx>
From: Joseph Mack NA3T <jmack@xxxxxxxx>
Date: Thu, 10 Jan 2008 09:00:15 -0800 (PST)
On Thu, 10 Jan 2008, Raphael Vallazza wrote:

o there will not be a VIP on the director. Presumably the director will advertise any VIPs.

Work, with the PREROUTING method.

sorry don't understand. Are you saying that there won't be a VIP on the director with ipvs in PREROUTING either? (in which case I'm happy)

o all filtering/fwmarks/NAT/firewalling that normally happens on ingress/egress will not collide with ipvs.

Right, with the PREROUTING only fwmarks are set, filtering and NAT happens after ipvs.

it would be nice not to have to handle the ipvs packets with a separate set of rules or thinking.

hmm, what's the NAT problem with having ipvs in the FORWARD chain? (or have I missed your point?)

For transparent proxying there has to be a DNAT/REDIRECT to the local machine, if the director/localnode applies the DNAT/REDIRECT rule it only works on the localnode. The realservers get already NATed packets, and replies have the wrong destination ports set.

you seem to be more interested in transparent proxy and localnode than most other people on the ml so maybe you have a different interest in it.

I regard transparent proxy only as a way of avoiding having the VIP on the director (perhaps it has other virtues I've ignored), which was pretty neat at the time and I was sorry we lost that capability with 2.4.x kernels. With ipvs no longer in LOCAL_IN, you don't have a requirement for the VIP anymore and presumably you wouldn't need transparent proxy either.

People rarely use localnode. I wouldn't miss it if it didn't exist. Do you want it for other reasons (eg sorry server)? If for a sorry server, could we invoke something like Julian's iproute2 trick that's currently being used to emulate transparent proxy?

Yes, you're right. FORWARD could be interesting if the localnode feature isn't required, but it wouldn't solve the transparent proxy problem with localnode + realservers. Well, if I add a choice for a FORWARD method the user could choose...

what's the localnode + realserver problem with transparent proxy?

The only negative thing is that traffic can't be filtered in a regular way,

it would be nice to avoid the collisions with firewall rules that we have now.

Yes, but I can't find a good solution for that if used together with transparent proxying; the only one I've found was the PREROUTING one. Any thoughts?


Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map generator at
Homepage It's GNU/Linux!