
Re: icmp-redirects, hung connection, tcpdump

To: Joseph Mack <mack@xxxxxxxxxxx>
Subject: Re: icmp-redirects, hung connection, tcpdump
Cc: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>, "Justin M. Mahoney" <justin@xxxxxxxxxxxxxxxxxxxx>, <michael_e_brown@xxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Fri, 12 Jan 2001 20:41:19 +0000 (GMT)
        Hello,

On Fri, 12 Jan 2001, Joseph Mack wrote:

>
> echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
> echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
> echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
>
> >     Your RS ARPs for 192.168.1.3 because the LVS box redirects it
> > to this address. The HOWTO is not correct.
>
> My understanding was that icmp redirects were handled with LVS for 2.2.12.
> I take it that this is not correct. The redirects are not handled and
> the director needs these three lines when configuring VS-NAT for all
> kernels.

        The redirects are handled in net/ipv4/route.c:ip_route_input_slow(),
i.e. from the routing and before reaching LVS (in LOCAL_IN):

        if (out_dev == in_dev && err && !(flags&(RTCF_NAT|RTCF_MASQ)) &&
            (IN_DEV_SHARED_MEDIA(out_dev)
             || inet_addr_onlink(out_dev, saddr, FIB_RES_GW(res))))
                flags |= RTCF_DOREDIRECT;

        Here RTCF_NAT && RTCF_MASQ are flags used from the dumb nat code
but the masquerading defined with ipchains -j MASQ does not set such
or some of these flags. The result: the redirect is sent according to
the conf/{all,<device>}/send_redirects from ip_rt_send_redirect() and
ip_forward() from net/ipv4/ip_forward.c. So, the meaning is: if we are
going to forward packet and the in_dev is same as out_dev we redirect
the sender to the directly connected destination which is on the same
shared media. The ipchains code in the FORWARD chain is reached too late
to avoid sending these redirects. They are already sent when the -j MASQ
is detected.

>
> Do I have it now?

        Yes, if all/send_redirects is 1 every <device>/send_redirects
is ignored. So, if we leave it 1 redirects are sent. To stop them we
need all=0 && <device>=0. default/send_redirects is the value that will
be inherited by each new interface that is created.

        The logical operation between conf/all/<var> and
conf/<device>/<var> is different for each var. The used operation is
specified in /usr/src/linux/include/linux/inetdevice.h

        For send_redirects it is '||'. For others, for example for
conf/{all,<device>}/hidden, it is '&&'.

So, for the two logical operations we have:

For &&:

all     <dev>   result
------------------------------
0       0       0
0       1       0
1       0       0
1       1       1

For ||:

all     <dev>   result
------------------------------
0       0       0
0       1       1
1       0       1
1       1       1


        When a new interface is created we have two choices:

1. to set conf/default/<var> to the value that we want each newly
created interface to inherit

2. to create the interface in this way:

ifconfig eth0 0.0.0.0 up

and then to set the value before assigning the address:
echo <val> > conf/eth0/<var>
ifconfig eth0 192.168.0.1 up

but this is risky especially for the tunnel devices, for example, if
you want to play with var rp_filter.

        For the other devices this is a safe method if there is no
problem with the default value before assigning the IP address. The
first method can be the safest one but you have to be very careful.

> Joe
>
> --
> Joseph Mack mack@xxxxxxxxxxx


Regards

--
Julian Anastasov <ja@xxxxxx>
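
The '||' rule for send_redirects described in the message above, as an added example that is not part of the original message or of the LVS project: a shell audit that computes the effective value per interface. The function names, the sample tree and the eth0/eth1 values are constructed for illustration; on a director the directory would be /proc/sys/net/ipv4/conf.

```sh
#!/bin/sh
# Added example: effective send_redirects per interface is (all || <dev>).
# The conf directory argument is /proc/sys/net/ipv4/conf on a real director.

# Print 1 if redirects would be sent on interface $2 under conf dir $1, else 0.
effective_redirects() {
    all=$(cat "$1/all/send_redirects")
    dev=$(cat "$1/$2/send_redirects")
    if [ "$all" -ne 0 ] || [ "$dev" -ne 0 ]; then echo 1; else echo 0; fi
}

# Report every interface; return non-zero if any interface, or the
# inherited default, still has redirects enabled.
audit_redirects() {
    conf=$1
    rc=0
    for d in "$conf"/*; do
        [ -f "$d/send_redirects" ] || continue
        name=$(basename "$d")
        case $name in all|default) continue ;; esac
        eff=$(effective_redirects "$conf" "$name")
        echo "$name: all=$(cat "$conf/all/send_redirects") dev=$(cat "$d/send_redirects") effective=$eff"
        [ "$eff" -eq 0 ] || rc=1
    done
    if [ "$(cat "$conf/default/send_redirects")" -ne 0 ]; then
        echo "default=1: interfaces created later will inherit send_redirects=1"
        rc=1
    fi
    return "$rc"
}

# Constructed sample tree (hypothetical helper): args are dir, all, default, eth0, eth1.
make_sample_conf() {
    mkdir -p "$1/all" "$1/default" "$1/eth0" "$1/eth1"
    echo "$2" > "$1/all/send_redirects"
    echo "$3" > "$1/default/send_redirects"
    echo "$4" > "$1/eth0/send_redirects"
    echo "$5" > "$1/eth1/send_redirects"
}

# Demo on constructed values: all=1 with eth0=0 still sends redirects on eth0.
demo=$(mktemp -d)
make_sample_conf "$demo" 1 0 0 0
audit_redirects "$demo" || echo "redirects still enabled somewhere"
rm -rf "$demo"
```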


