Julian Anastasov wrote:
> So, we can not query for VIP:VPORT-CIP:CPORT from RIP. I don't
> see a solution. The main restriction in the DR/TUN setups where the VIPs
> are shared is: only one host can initiate connections with a shared
> address - the director in our setup. If the real servers initiate
> connections they can autoselect source ports for the IDENT requests
> that are busy in the director. Maybe some form of NAT in the real
> server is required that will translate the VIP to some unused valid
> RIP2 and will pass the connection to the director for masquerading.
> The trick is that only the VIP must be changed to RIP2 but preserving
> the port value. It is assumed that there are no ports used for RIP2.
> Why do we send the request through the director? Because we need a valid
> free port for the VIP address and the director is the only authority
> for this port.
>
> How to change saddr=VIP to RIP2? Maybe with netfilter?
> Maybe with dumb NAT? We can investigate this if the above idea is
> correct.
Seems OK to me and this is what I was wondering. If you can port forward, it
would seem possible to IP forward. I don't know how you can NAT within
one box and I don't know how to get netfilter to change packets with
saddr=vip:high_port to rip:high_port for outbound and to do the reverse
for inbound packets.
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
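A small Python model of the two-hop source NAT sketched in the thread above, added here as an illustration (not code from the thread or from LVS): the real server rewrites VIP to RIP2 keeping the port, the director masquerades RIP2:port to a VIP port it knows to be free, and both translations are undone on the reply. All addresses and port numbers are constructed.

```python
VIP = "10.0.0.1"          # constructed: shared virtual IP (director + real servers)
RIP2 = "192.168.1.201"    # constructed: spare address on the real server with no ports of its own in use
CIP = "203.0.113.5"       # constructed: client that the real server queries on ident port 113


class Director:
    """Owns the VIP port space: the only host that knows which VIP ports are busy."""

    def __init__(self, busy_vip_ports):
        self.busy = set(busy_vip_ports)  # VIP ports held by connections forwarded for clients
        self.table = {}                  # (VIP, vport) -> (RIP2, rport) for masqueraded connections

    def masquerade_out(self, saddr, sport, daddr, dport):
        """RIP2:port comes in from the real server; map it to a free VIP port (keep sport if free)."""
        vport = sport
        while vport in self.busy:
            vport = vport + 1 if vport < 65535 else 1024
        self.busy.add(vport)
        self.table[(VIP, vport)] = (saddr, sport)
        return (VIP, vport, daddr, dport)

    def demasquerade_in(self, saddr, sport, daddr, dport):
        """Reply arrives for VIP:vport; restore the RIP2:port it was masqueraded from."""
        rip, rport = self.table[(daddr, dport)]
        return (saddr, sport, rip, rport)


def rs_out(saddr, sport, daddr, dport):
    """Real server, outbound: only the source address changes (VIP -> RIP2), port preserved."""
    return (RIP2 if saddr == VIP else saddr, sport, daddr, dport)


def rs_in(saddr, sport, daddr, dport):
    """Real server, inbound: reverse of rs_out, so the socket bound to VIP:port sees the reply."""
    return (saddr, sport, VIP if daddr == RIP2 else daddr, dport)


def ident_round_trip(director, rs_port):
    """One ident request from the real server and its reply, through both NAT hops."""
    to_director = rs_out(VIP, rs_port, CIP, 113)             # RIP2:rs_port -> CIP:113
    on_wire = director.masquerade_out(*to_director)           # VIP:vport    -> CIP:113
    reply = (on_wire[2], on_wire[3], on_wire[0], on_wire[1])  # CIP:113      -> VIP:vport
    at_director = director.demasquerade_in(*reply)            # CIP:113      -> RIP2:rs_port
    at_rs = rs_in(*at_director)                               # CIP:113      -> VIP:rs_port
    return on_wire, at_rs
```

When the real server happens to pick a port the director already uses for a client connection (40000 in the test below), the director substitutes a free VIP port on the wire while the real server still sees the reply on the port it chose.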