On Friday 11 April 2008 21:37:03 JST, Joseph Mack NA3T wrote:
> On Fri, 11 Apr 2008, Jason Stubbs wrote:
> > With local node, 127.0.0.1 doesn't work but an IP address on a local
> > interface does.
> that will do.
> Local node isn't real important. It was there because it
> could be done, rather than because it was needed. If you can
> do it, we'll take it, but otherwise don't worry a whole lot
> about it.
I did look a little bit further into it. The iptables REDIRECT module maps to
127.0.0.1 for locally generated traffic and the first IP on the first
interface otherwise. I haven't tried yet, but the same thing could probably
> > LVS-TUN should work as LVS-DR didn't require any direct
> > modification, but it's a little bit of a pain to set up
> > for testing at this stage.
> have the same physical setup as LVS-DR and just change the
> if on the realservers to tunl0 and change the
> appropriate ipvsadm lines.
Hmm.. Well, seeing I'm getting my hands dirty everywhere else, I may as well
do so here too. Will give it a try on Monday.
> > Is there any problem with essentially hiding the real
> > servers from netfilter?
> I don't know what this means (I didn't know that netfilter
> knew about the realservers).
I mean that it'd be nice for rules to go something like:
* Allow from external to VIP
* Allow anything established
* Drop everything else
Depending on where LVS translations are placed in the netfilter path, rules
allowing traffic from external to RIPs may also be needed. That can get
pretty complicated, but there might be some need for it that I can't see...
> Will your setup handle the F5-SNAT situation?
Yep, this is just SNAT as far as I can tell. I tested SNAT on both sides of
the director and there weren't any problems.
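
The rule-placement question raised in the message above, as a small model (an added example, not part of the original message and not LVS or netfilter code): the three-rule policy is evaluated for a new client connection, once with the filter seeing the packet before the VIP-to-RIP rewrite and once after it. The addresses, the `translate` helper and the destination rewrite itself are constructed assumptions.

```python
from dataclasses import dataclass, replace

VIP = "192.0.2.10"       # constructed virtual IP
RIP = "10.0.0.11"        # constructed realserver IP
CLIENT = "198.51.100.7"  # constructed external client

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    state: str  # "NEW" or "ESTABLISHED"

# The three-rule policy from the message; first match wins.
# "External" is simplified here to "any source addressed to the VIP".
POLICY = [
    (lambda p: p.dst == VIP, "ACCEPT"),              # allow from external to VIP
    (lambda p: p.state == "ESTABLISHED", "ACCEPT"),  # allow anything established
    (lambda p: True, "DROP"),                        # drop everything else
]
# Extra rule that becomes necessary if the filter only sees translated packets.
RIP_RULE = (lambda p: p.dst == RIP and p.state == "NEW", "ACCEPT")

def filter_verdict(packet, rules):
    """Return the verdict of the first matching rule."""
    for match, verdict in rules:
        if match(packet):
            return verdict
    return "DROP"

def translate(packet):
    """Hypothetical stand-in for the director rewriting VIP -> RIP."""
    return replace(packet, dst=RIP) if packet.dst == VIP else packet

def verdict(packet, rules, translate_first):
    """Filter the packet either before or after the address rewrite."""
    seen = translate(packet) if translate_first else packet
    return filter_verdict(seen, rules)

def run():
    syn = Packet(CLIENT, VIP, "NEW")  # first packet of a client connection
    return {
        "filter_before_translation": verdict(syn, POLICY, False),
        "filter_after_translation": verdict(syn, POLICY, True),
        "after_translation_with_rip_rule": verdict(syn, [RIP_RULE] + POLICY, True),
    }

if __name__ == "__main__":
    for case, result in run().items():
        print(f"{case}: {result}")
```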