On Tue, 15 Apr 2008, Jason Stubbs wrote:
> I'm a newbie at all of this so forgive me if I'm doing anything wrong. ;)

you're doing great.

> incoming => de-lvs packets => netfilter => lvs packets => outgoing
> The goal is for netfilter to only have to deal with CIP/VIP packets and
> for any translations netfilter might do of CIP to be transparent to LVS.

can you give me an example of a translation of the CIP (I
can't think of anything, presumably the F5-SNAT will be done
in outgoing).

> There are three main downfalls with this patch at present:
> 1) Having a VIP on a local interface

I thought with the hooks in the new place that there'd be no
VIP on the director anymore. The director would be acting as
a router for dst_addr=VIP. Presumably routing would handle
sending packets for the VIP to the director (eg the director
would proxy arp for the VIP).
Are you talking about a case where the director is
misconfigured?

> causes the traffic to be delivered
> locally as VIP checks have been moved to the end of POST_ROUTING.
> 2) Localnode with address of 127.0.0.1 does not work as packets with a
> destination of 127.0.0.1 and a non-local source address are
> unconditionally dropped.
> 3) Firewall rules on existing installations will most likely break.

no problem. This is a new setup and will have new rules.

> The first issue can probably be dealt with by The
> localnode issue could probably be dealt with by using a
> hook at the end of PREROUTING and the second issue could
> be handled like ipt_REDIRECT.

I thought with netfilter, that REDIRECT delivers a packet
that now has the wrong address for LVS.

> I can't see a way to handle firewall rules though

you haven't figured it out yet, or you've looked and there
is no way of having firewall rules?

Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!