Re: [PATCH 0/6] move ipvs to PRE/POSTROUTING

To:	Jason Stubbs <j.stubbs@xxxxxxxxxxxxxxx>
Subject:	Re: [PATCH 0/6] move ipvs to PRE/POSTROUTING
Cc:	LVS Devel <lvs-devel@xxxxxxxxxxxxxxx>
From:	Joseph Mack NA3T <jmack@xxxxxxxx>
Date:	Tue, 15 Apr 2008 04:49:42 -0700 (PDT)

On Tue, 15 Apr 2008, Jason Stubbs wrote:

I'm a newbie at all of this so forgive me if I'm doing anything wrong. ;)


you're doing great.

incoming => de-lvs packets => netfilter => lvs packets => outgoing

The goal is for netfilter to only have to deal with CIP/VIP packets and
for any translations netfilter might do of CIP to be transparent to LVS.

can you give me an example of a translation of the CIP (Ican't think of anything, presumably the F5-SNAT will be donein outgoing).

There are three main downfalls with this patch at present:
1) Having a VIP on a local interface

I thought with the hooks in the new place that there'd be noVIP on the director anymore. The director would be acting asa router for dst_addr=VIP. Presumbly routing would handlesending packets for the VIP to the director (eg the directorwould proxy arp for the VIP).

Are you talking about a case where the director ismisconfigured?

  causes the traffic to be delivered
  locally as VIP checks have been moved to the end of POST_ROUTING.
2) Localnode with address of 127.0.0.1 does not work as packets with a
  destination of 127.0.0.1 and a non-local source address are
  unconditionally dropped.
3) Firewall rules on existing installations will most likely break.


no problem. This is a new setup and will have new rules.

The first issue can probably be dealt with by Thelocalnode issue could probably be dealt with by using ahook at the end of PREROUTING and the second issue couldbe handled like ipt_REDIRECT.

I thought with netfilter, that REDIRECT delivers a packetthat now has the wrong address for LVS.

I can't see a way to handle firewall rules though

you haven't figured it out yet, or you've looked and thereis no way of having firewall rules?


Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
--
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

<Prev in Thread]	Current Thread	[Next in Thread>
Re: [PATCH 2/6] move ipvs to PRE/POSTROUTING, (continued) Re: [PATCH 2/6] move ipvs to PRE/POSTROUTING, Jason Stubbs Re: [PATCH 2/6] move ipvs to PRE/POSTROUTING, Jason Stubbs Re: [PATCH 2/6] move ipvs to PRE/POSTROUTING, Jason Stubbs Re: [PATCH 2/6] move ipvs to PRE/POSTROUTING, Julian Anastasov Re: [PATCH 2/6] move ipvs to PRE/POSTROUTING, Jason Stubbs Re: [PATCH 2/6] move ipvs to PRE/POSTROUTING, Julian Anastasov [PATCH 3/6] move ipvs to PRE/POSTROUTING, Jason Stubbs [PATCH 4/6] move ipvs to PRE/POSTROUTING, Jason Stubbs [PATCH 5/6] move ipvs to PRE/POSTROUTING, Jason Stubbs [PATCH 6/6] move ipvs to PRE/POSTROUTING, Jason Stubbs Re: [PATCH 0/6] move ipvs to PRE/POSTROUTING, Joseph Mack NA3T <= Re: [PATCH 0/6] move ipvs to PRE/POSTROUTING, Jason Stubbs

Previous by Date:	Re: moving ipvs() to POST/PREROUTING, Jason Stubbs
Next by Date:	Re: [PATCH 0/6] move ipvs to PRE/POSTROUTING, Jason Stubbs
Previous by Thread:	[PATCH 6/6] move ipvs to PRE/POSTROUTING, Jason Stubbs
Next by Thread:	Re: [PATCH 0/6] move ipvs to PRE/POSTROUTING, Jason Stubbs
Indexes:	[Date] [Thread] [Top] [All Lists]