On Mon, 10 Jan 2000, Lars Marowsky-Bree wrote:
> Yes. The LVS box silently drops the return packets, since they have a src ip
> which is also bound as a local interface on the LVS. This is meant to be a
> simple anti-spoofing protection.
>
> You can enable logging these packets via
> echo 1 >/proc/sys/net/ipv4/conf/all/log_martians
>
> The only way around this with current Linux kernels is to disable the check in
> the kernel source or to use a separate box as the outward gateway. (Which is
> how DR is meant to be used for full performance)

It needs to be made more explicit in the documentation that LVS-DR will
*only* work if you have a different return path. We spent several man
days trying to get this to work before figuring out why the packets were
being dropped, at which point we had no alternative but to use LVS-NAT
instead.

FYI, we have our LVS system working now, with LVS redundancy achieved by
running OSPF routing (gated) on the LVS-NAT servers and having the VIP
within the same IP subnet as the RIPs so that IGP routing policies
automatically determine which LVS router the packets arrive on.

Ray.

--
Ray Bellis, MA(Oxon) - Technical Director - community internet plc
Windsor House, 12 High Street, Kidlington, Oxford, OX5 2PJ
tel: +44 1865 856000 email: ray.bellis@xxxxxxxxxxxxxxxx
fax: +44 1865 856001 web: http://www.community.net.uk/
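
An added example, not part of the original message: with log_martians enabled as quoted above, this filter picks out the logged drops whose source address is the VIP, which is the LVS-DR symptom described in the thread. The log line shape "martian source <dst> from <src>, on dev <if>" is assumed from current Linux kernels; the VIP, client addresses and log lines are constructed.

```shell
#!/bin/sh
# Added diagnostic sketch. Assumed kernel log line shape:
#   "martian source <dst> from <src>, on dev <ifname>"
# The function name and all addresses below are hypothetical / constructed.

# martians_from_vip VIP
# Reads kernel log lines on stdin and prints "<count> <dev> <dst>" for each
# martian whose *source* address is VIP, i.e. a return packet dropped because
# its source IP is also bound locally on this box.
martians_from_vip() {
    vip=$1
    awk -v vip="$vip" '
        /martian source/ {
            # Find the marker so syslog prefixes of any width are tolerated.
            for (i = 1; i <= NF; i++)
                if ($i == "martian" && $(i + 1) == "source") break
            dst = $(i + 2); src = $(i + 4); dev = $(i + 7)
            sub(/,$/, "", src)          # strip the comma after <src>
            if (src == vip) seen[dev " " dst]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort
}

# Constructed sample log: VIP 192.0.2.10 answering two clients, plus one
# unrelated martian where the VIP is the destination, not the source.
sample_log() {
cat <<'EOF'
Jan 10 12:00:01 lvs1 kernel: martian source 198.51.100.7 from 192.0.2.10, on dev eth0
Jan 10 12:00:01 lvs1 kernel: ll header: 00:00:5e:00:53:01:00:00:5e:00:53:02:08:00
Jan 10 12:00:02 lvs1 kernel: martian source 198.51.100.7 from 192.0.2.10, on dev eth0
Jan 10 12:00:03 lvs1 kernel: martian source 198.51.100.8 from 192.0.2.10, on dev eth0
Jan 10 12:00:04 lvs1 kernel: martian source 192.0.2.10 from 203.0.113.5, on dev eth1
EOF
}

# On a live director: dmesg | martians_from_vip "$VIP"
sample_log | martians_from_vip 192.0.2.10
```

Any output for the VIP means return traffic from the real servers is reaching the director itself and being discarded there, so the real servers need a different outward gateway.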