
Re: moving ipvs() to POST/PREROUTING

To: Joseph Mack NA3T <jmack@xxxxxxxx>
Subject: Re: moving ipvs() to POST/PREROUTING
Cc: LVS Devel <lvs-devel@xxxxxxxxxxxxxxx>
From: Jason Stubbs <j.stubbs@xxxxxxxxxxxxxxx>
Date: Fri, 11 Apr 2008 22:13:32 +0900
On Friday 11 April 2008 21:37:03 JST, Joseph Mack NA3T wrote:
> On Fri, 11 Apr 2008, Jason Stubbs wrote:
> > With local node, 127.0.0.1 doesn't work but an IP address on a local
> > interface does.
>
> that will do.
>
> Local node isn't real important. It was there because it
> could be done, rather than because it was needed. If you can
> do it, we'll take it, but otherwise don't worry a whole lot
> about it.

I did look a little bit further into it. The iptables REDIRECT module maps to 
127.0.0.1 for locally generated traffic and the first IP on the first 
interface otherwise. I haven't tried yet, but the same thing could probably 
be done here.

> > LVS-TUN should work as LVS-DR didn't require any direct
> > modification, but it's a little bit of a pain to set up
> > for testing at this stage.
>
> have the same physical setup as LVS-DR and just change the
> if on the realservers to tunl0 and change the
> appropriate ipvsadm lines.

Hmm.. Well, seeing I'm trying to get my hands dirty everywhere else, I may as well 
do so here too. Will give it a try on Monday.

> > Is there any problem with essentially hiding the real
> > servers from netfilter?
>
> I don't know what this means (I didn't know that netfilter
> knew about the realservers).

I mean that it'd be nice for rules to go something like:
* Allow from external to VIP
* Allow anything established
* Drop everything else

Depending on where LVS translations are placed in the netfilter path, rules 
allowing traffic from external to RIPs may also be needed. That can get 
pretty complicated, but there might be some need for it that I can't see...

> Will your setup handle the F5-SNAT situation?
>
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.non-modified_realservers.html#F5_snat

Yep, this is just SNAT as far as I can tell. I tested SNAT on both sides of 
the director and there weren't any problems.

--
Jason Stubbs
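
The dependence of the filter rules on where LVS translation sits in the netfilter path, as an added example that is not part of the original message and is not IPVS or kernel code: a simplified Python model, with constructed addresses and hypothetical function names, that applies the three-rule policy from the message either after or before the VIP-to-RIP rewrite.

```python
# Simplified model (an assumption, not kernel or IPVS code): a packet crosses
# an ordered list of stages, and the filter stage only sees the addresses as
# they are at the moment it runs.
from ipaddress import ip_address

VIP = ip_address("192.0.2.10")        # constructed virtual service address
RIP = ip_address("10.0.0.21")         # constructed realserver address
CLIENT = ip_address("198.51.100.7")   # constructed external client

def lvs_translate(pkt):
    """LVS-NAT style rewrite: traffic addressed to the VIP is sent to the RIP."""
    if pkt["dst"] == VIP:
        pkt = dict(pkt, dst=RIP)
    return pkt

def make_filter(allowed_dsts):
    """Policy from the message: allow new traffic to the listed destinations,
    allow anything established, drop everything else."""
    def filt(pkt):
        if pkt["state"] == "ESTABLISHED" or pkt["dst"] in allowed_dsts:
            return pkt
        return None  # dropped
    return filt

def traverse(pkt, stages):
    """Run the packet through the stages in order; None means it was dropped."""
    for stage in stages:
        pkt = stage(pkt)
        if pkt is None:
            return None
    return pkt

def delivered(order, allowed_dsts):
    """order is 'translate-first' or 'filter-first'; True if the new
    client-to-VIP packet reaches the realserver."""
    filt = make_filter(allowed_dsts)
    stages = [lvs_translate, filt] if order == "translate-first" else [filt, lvs_translate]
    out = traverse({"src": CLIENT, "dst": VIP, "state": "NEW"}, stages)
    return out is not None and out["dst"] == RIP

if __name__ == "__main__":
    for order in ("translate-first", "filter-first"):
        for allowed in ({VIP}, {VIP, RIP}):
            print(order, sorted(map(str, allowed)), "->", delivered(order, allowed))
```

In this model the VIP-only rule set delivers the packet only when the filter runs before the translation; when the rewrite comes first, a rule for the RIP is also needed.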