Julian Anastasov wrote:
>
I need to clarify some nomenclature here.
In an LVS, which direction is the masquerading,
the inward or outward direction?
What's the other direction called? Reverse masquerading?
> > Does LVS fiddle with the ipchains tables to do this?
>
> No, ipchains only delivers packets to the masquerading code.
> Nobody is interested how the packets are selected in the ipchains
> rule.
OK, something else determines what happens to the packet.
>
> How the things work:
>
> - the masquerading address is assigned when the first packet is seen
>
> - LVS sees the first packet in the LOCAL_IN chain when it comes from
> the client. LVS assigns the VIP as maddr
OK
> - the MASQ code sees the first packet in the FORWARD chain when
> there is a -j MASQ target in the ipchains rule.
> The routing selects the maddr.
This is the outward going packet, right?
This is for LVS or a machine behind a regular NAT box or both?
> If the connection already exists the packets are masqueraded.
What about a machine behind a NAT box initiating a telnet session?
Doesn't its first outward packet (the telnet connect request) have to be
masqueraded?
> - the LVS can see packets in the FORWARD chain but they are for already
> created connections, so no maddr is assigned and the packets are
> masqueraded with the address saved in the connections structure (the
> VIP) when it was created.
OK
From the earlier posting:
>
> How one can select specific source addresses for the
> masquerading:
>
> ip route add 10.0.0.0/24 brd + dev eth0 via uplink1 src SRCIP1
> ip route add 10.0.1.0/24 brd + dev eth0 via uplink2 src SRCIP2
>
> Source routing can't be used to select the maddr for the
> connections initiated from the internal hosts. It will be ignored.
I don't understand this last statement. You look like you're showing
an example which depends on the src IP, but then you say the source
will be ignored.
> In this example, the SRCIP1 and SRCIP2 will be selected
> according to the destination. This is for connections initiated from
> the internal servers. LVS always assigns VIP as maddr.
eth0 has SRCIP1 and SRCIP2 on it (presumably one is an alias?)
> So, the rule when using masquerading with many addresses
> is to setup correctly the source addresses for each route. The
> default value is usually the first interface address:
Thanks,
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA