Re: moving ipvs() to POST/PREROUTING

To:	Joseph Mack NA3T <jmack@xxxxxxxx>
Subject:	Re: moving ipvs() to POST/PREROUTING
Cc:	LVS Devel <lvs-devel@xxxxxxxxxxxxxxx>
From:	Jason Stubbs <jasonbstubbs@xxxxxxxxx>
Date:	Sat, 12 Apr 2008 09:06:09 +0900

On Saturday 12 April 2008 01:14:08 JST, Joseph Mack NA3T wrote:
> On Sat, 12 Apr 2008, Jason Stubbs wrote:
> >> I would hope people don't do this. RIPs should be private,
> >> for security reasons and to preserve the fiction that the
> >> LVS setup is one machine.
> >
> > This is precisely why I chose the hooks that I did. My intention was for
> > the netfilter chains to only ever see the VIP, but packets with the RIP
> > are going through too after IP_VS_XMIT is called.
>
> hmm. still don't know what you're referring to then. Is this
> LVS-NAT, LVS-DR...?
>
> netfilter sees the source and dest on the packets. How can
> netfilter only see the VIP?

Current LVS-NAT goes something like:
PREROUTING  client => VIP
LOCAL_IN    client => VIP
    LVS in hook
LOCAL_OUT   client => RIP
POSTROUTING client => RIP

With my patch it goes like:
PREROUTING  client => VIP
FORWARD     client => VIP
POSTROUTING client => VIP
    LVS hook
POSTROUTING client => RIP

LVS-DR is pretty much the same flow except that the packet's MAC destination 
is changed instead. What I mean with netfilter only seeing the VIP is that 
I'd like the second POSTROUTING run that happens with my patch to not happen. 
Doing so makes rule writing on the director a little easier as the rules 
don't need to know about the RIPs at all.

The configuration I'm planning to use is a LVS-NAT director/firewall that 
allows external traffic to VIPs, SNATs traffic from RIPs to external 
(including to VIPs) and drops everything else.

With LVS-DR, I am pretty sure that all the issues mentioned in the page you 
linked to still apply as my patch only changes the flow through the director. 
The rules mentioned in the following link would be needed whether the 
SERVER_GW is separate device to the director or not.

http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.non-lvs_clients_on_realservers.html#3-tier_routes

-- 
Jason Stubbs
--
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

<Prev in Thread]	Current Thread	[Next in Thread>
moving ipvs() to POST/PREROUTING, Jason Stubbs Re: moving ipvs() to POST/PREROUTING, Joseph Mack NA3T Re: moving ipvs() to POST/PREROUTING, Jason Stubbs Re: moving ipvs() to POST/PREROUTING, Joseph Mack NA3T Re: moving ipvs() to POST/PREROUTING, Jason Stubbs Re: moving ipvs() to POST/PREROUTING, Joseph Mack NA3T Re: moving ipvs() to POST/PREROUTING, Jason Stubbs <= Re: moving ipvs() to POST/PREROUTING, Joseph Mack NA3T Re: moving ipvs() to POST/PREROUTING, Julian Anastasov Re: moving ipvs() to POST/PREROUTING, Jason Stubbs Re: moving ipvs() to POST/PREROUTING, Jason Stubbs Re: moving ipvs() to POST/PREROUTING, Julian Anastasov Re: moving ipvs() to POST/PREROUTING, Jason Stubbs

Previous by Date:	Re: moving ipvs() to POST/PREROUTING, Joseph Mack NA3T
Next by Date:	Re: moving ipvs() to POST/PREROUTING, Joseph Mack NA3T
Previous by Thread:	Re: moving ipvs() to POST/PREROUTING, Joseph Mack NA3T
Next by Thread:	Re: moving ipvs() to POST/PREROUTING, Joseph Mack NA3T
Indexes:	[Date] [Thread] [Top] [All Lists]