Hello,
On Mon, 22 Jan 2001, Horms wrote:
> I have not tested the exact kernel+ipvs combination that you have there but
> I have tested 2.4.0-test11 + ipvs-0.1.2 with LVS NAT and it does work. I
> find it highly unlikely, though not improbable that the combination you
> have is broken. I think it is much more likely that there is a
> configuration problem.
Horms, we have compatibility problems when iptable NAT or ipfw
NAT modules are used together with the ip_vs module. Over the weekend I
solved this problem and now it looks like LVS can work with the netfilter's
connection tracking and NAT. There is one problem to be solved: how
to insert one function call in ip_fw_compat.c, i.e. between the ipfw
firewall (in FORWARD:0) and do_masquerade() which is in the same hook.
For the ip_conntrack+iptable_nat it is easy because they use different
priority in the chain but for the ipfw compat mode we need to patch
a separate module. We need to place ip_vs_out() call there. See the
attached patch. I made some first tests and it seems that LVS is working
together with iptable_nat. But this is a preview version. It needs
testing. But I post it here because I'm not a big netfilter user and
don't have many complex netfilter setups. If someone wants to test it
and to report the results before it is approved by Wensong I'll be
very happy. So, don't use ipchains.o with NAT rules for now. There are
two choices: only ip_vs.o or ip_vs.o with ip_conntrack/iptable_nat.
Of course, LVS is faster when no netfilter connection tracking is used.
The attached is a patch against the devel version 0.2.1 for
Linux 2.4. It is for the users that can't wait :)
> --
> Horms
Regards
--
Julian Anastasov <ja@xxxxxx>
ct-021-2.diff
Description: Connection Tracking solved? Patch against 0.2.1