LVS
lvs-devel
Google
 
Web LinuxVirtualServer.org

Re: [PATCH 2/6] move ipvs to PRE/POSTROUTING

To: LVS Devel <lvs-devel@xxxxxxxxxxxxxxx>
Subject: Re: [PATCH 2/6] move ipvs to PRE/POSTROUTING
From: Jason Stubbs <j.stubbs@xxxxxxxxxxxxxxx>
Date: Fri, 18 Apr 2008 17:26:09 +0900
On Friday 18 April 2008 16:14:29 Julian Anastasov wrote:
>       Hello,
>
> On Thu, 17 Apr 2008, Jason Stubbs wrote:
> > On further investigation, the behaviour is the same regardless of whether
> > it is a VIP or a real host. When a SYN_SENT state exists traffic doesn't
> > flow. However, if there is no state and an ACK (no SYN) packet arrives,
> > an ESTABLISHED entry is created such as:
>
>       This conntrack does not look good, dst=192.168.1.3 in
> original direction is RIP instead of VIP.

That is because this testing was done by accessing the host's IP directly.

> > After this the connection can complete normally. I wonder if this is not
> > a bug in conntrack handling? It doesn't seem right to me.
>
>       loose flag has different prurpose:
>
> /* If it is set to zero, we disable picking up already established
>    connections. */
> static int nf_ct_tcp_loose __read_mostly = 1;

This is what I was testing. I wasn't aware of the flag until just a couple of 
hours ago. With outgoing packets leaving via a different gateway and 
connection tracking enabled and --state NEW rules in place, the following 
happens:

1. client sends SYN
2. director sets up SYN_SENT state and forwards SYN
3. server receives SYN
4. server sends SYN/ACK via other gateway
5. client receives SYN/ACK and sends ACK
6. director sees SYN_SENT entry without a SYN/ACK and blocks ACK
(4-6 are repeated a few times as server assumes the SYN/ACK got lost)
7. SYN_SENT entry times out and is deleted on the director
8. server sends SYN/ACK via other gateway
9. client receives SYN/ACK and sends ACK
10. director assumes an active connection and creates an ESTABLISHED entry
11. traffic flows fine until the end of the connection

Not being aware of the tcp_loose setting, steps 8-11 were confusing to me 
which is why I was testing direct access to the server. Behaviour with a VIP 
is the same.

Conntrack entries with both LVS-NAT and LVS-DR (when the director is also the 
return gateway) look like this:

ipv4     2 tcp      6 431996 ESTABLISHED src=192.168.0.104 dst=192.168.0.7 
sport=35235 dport=80 packets=3 bytes=176 src=192.168.0.7 dst=192.168.0.104 
sport=80 dport=35235 packets=1 bytes=60 [ASSURED] mark=0 use=1

iptables rules are:

# iptables -A FORWARD -p tcp -d 192.168.0.7 --dport 80 \
                      -m state --state NEW -j ACCEPT
# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -P FORWARD DROP

-- 
Jason Stubbs <j.stubbs@xxxxxxxxxxxxxxx>
LINKTHINK INC.
東京都渋谷区桜ヶ丘町22-14 N.E.S S棟 3F
TEL 03-5728-4772  FAX 03-5728-4773
--
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

<Prev in Thread] Current Thread [Next in Thread>