Re: moving ipvs() to POST/PREROUTING

From: Joseph Mack NA3T <jmack@xxxxxxxx>
Date: Fri, 11 Apr 2008 07:38:30 -0700 (PDT)
On Fri, 11 Apr 2008, Jason Stubbs wrote:

> Is there any problem with essentially hiding the real
> servers from netfilter?

I don't know what this means (I didn't know that netfilter
knew about the realservers).

> I mean that it'd be nice for rules to go something like:
> * Allow from external to VIP
> * Allow anything established
> * Drop everything else

> Depending on where LVS translations are placed in the netfilter path, rules
> allowing traffic from external to RIPs may also be needed.

I would hope people don't do this. RIPs should be private, for security reasons and to preserve the fiction that the LVS setup is one machine. The LVS'ed application running on the realserver might start a client process that needs to contact 0/0, but that can be nat'ed out, possibly through the VIP on the director, or maybe some other public IP available to the realserver. Is this what you want to do?


>> Will your setup handle the F5-SNAT situation?

> Yep, this is just SNAT as far as I can tell. I tested SNAT on both sides of
> the director and there weren't any problems.

neato. Some people will be very happy about this.

I take it that you're working late at night on this :-)


Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at
Homepage It's GNU/Linux!
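An added example, not code from either poster: a director ruleset written to the three-line sketch in the thread (new connections only to the VIP, anything established, drop the rest) plus the SNAT-out-through-the-VIP path for realserver client processes, with a check that no accept rule ever names a RIP as a destination. Addresses and interface names are constructed placeholders; the FORWARD rule relies on conntrack's `--ctorigdst` so the rule still names only the VIP when ipvs has translated the packet before FORWARD, and the ESTABLISHED rules assume conntrack sees both directions of the balanced connection, which is what moving the ipvs hooks aims at. On a director where replies from the RIPs are not tracked, that reply traffic in FORWARD needs its own rule.

```shell
#!/bin/sh
# Added example (not the thread's code): an LVS-NAT director ruleset written
# to the sketch above, with a check that no rule exposes a realserver.
# Constructed values: VIP/RIP_NET are RFC 5737/1918 placeholders.
VIP=${VIP:-203.0.113.10}; VPORT=${VPORT:-80}      # public service address
RIP_NET=${RIP_NET:-192.168.10.0/24}                # private realserver net
EXT_IF=${EXT_IF:-eth0}; INT_IF=${INT_IF:-eth1}     # public / realserver side

# Emit the policy as iptables-restore text: review it, then apply atomically.
director_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. new connections from outside are accepted only when addressed to the VIP
-A INPUT -i $EXT_IF -d $VIP -p tcp --dport $VPORT -m conntrack --ctstate NEW -j ACCEPT
#    if ipvs has already rewritten the packet before FORWARD, match the
#    connection's *original* destination, so no RIP ever appears in a rule
-A FORWARD -i $EXT_IF -p tcp -m conntrack --ctstate NEW --ctorigdst $VIP -j ACCEPT
# 2. anything already established, in either direction
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#    realserver client processes may go out; nothing from outside may come in
-A FORWARD -i $INT_IF -o $EXT_IF -s $RIP_NET -m conntrack --ctstate NEW -j ACCEPT
# 3. everything else hits the DROP policies
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# outbound realserver traffic is SNAT'ed so the world only ever sees the VIP
-A POSTROUTING -s $RIP_NET -o $EXT_IF -j SNAT --to-source $VIP
COMMIT
EOF
}

# Audit: number of filter rules that would accept packets arriving on the
# external interface with a realserver destination; the policy above gives 0.
rip_exposures() {
    director_rules | grep -E -- "^-A (INPUT|FORWARD) .*-i $EXT_IF .*-d ${RIP_NET%.*}\." \
        | grep -c ACCEPT || true
}

# APPLY=1 loads the ruleset; the default only prints it for review.
if [ "${APPLY:-0}" = 1 ]; then director_rules | iptables-restore; else director_rules; fi
```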
