This is my first post to the list. I use ipvsadm for staging/preproduction
environments at my work. What a cool package!
I began using the FW Mark to create groupings for virtual servers, and I
noticed a problem with port translation. Here's the environment:
Linux 2.4.2 / IPVS 0.2.5 / ipvsadm 1.15 / IPTables 1.2
First I made an IPTables entry:
iptables -t mangle -A PREROUTING -d 10.1.2.25 -p tcp --dport 443 -j MARK --set-mark 25
then the corresponding ipvs entry:
ipvsadm -A -f 25 -p -s rr
ipvsadm -a -f 25 -r s11-vpn:448 -m
ipvsadm -a -f 25 -r s26-vpn:448 -m
As you can see it translates from port 448 <-> 443. With persistence turned
off, it works exactly as expected. With persistence on, it does not translate
the port, i.e. it hits the real servers on port 443 instead of 448. There are
no conflicting rules, BTW. Is this a bug or am I overlooking something?
The reason I am using 2.4.2/iptables/IPVS 0.2.5, BTW, is because with ipchains
and ipvs-1.0.3 I could not use the DNAT target to ssh into my real servers.
I made an ipvsadm port 22 target (persistent) to them, but even when I set
the persistent timeout to an ungodly huge number the connections still timed
out and froze the ssh connection in a matter of minutes.
Rob
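An added example, not part of Rob's post: a small check that scans the IPVS connection table (`ipvsadm -L -c -n`) for connections that reached a real server on a port other than the one configured with `-r host:448`, which is the symptom described above for the persistent fwmark service. The sample output, the real-server addresses and the column layout are constructed and assumed here; older ipvsadm releases may print the table differently.

```python
import re

# Constructed sample of `ipvsadm -L -c -n` output for the service in the post
# (VIP 10.1.2.25:443, real servers on port 448). The real-server addresses are
# made up; the column layout is assumed from recent ipvsadm releases.
SAMPLE_CONN_TABLE = """\
IPVS connection entries
pro expire state       source             virtual            destination
TCP 14:58  ESTABLISHED 192.168.5.10:40212 10.1.2.25:443      10.1.3.11:448
TCP 00:42  TIME_WAIT   192.168.5.11:40977 10.1.2.25:443      10.1.3.26:443
TCP 14:31  ESTABLISHED 192.168.5.12:41001 10.1.2.25:443      10.1.3.26:448
"""

# Port each real server is configured with (`-r s11-vpn:448`, `-r s26-vpn:448`).
EXPECTED_REAL_PORT = {"10.1.3.11": 448, "10.1.3.26": 448}

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+\s+(?P<state>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<virt>\S+)\s+(?P<dst>\S+)\s*$"
)


def parse_connections(text):
    """Yield (proto, state, source, virtual, destination) for each entry line."""
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            yield m.group("proto", "state", "src", "virt", "dst")


def split_endpoint(endpoint):
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def find_untranslated(text, expected_ports):
    """Return entries whose real-server port differs from the configured one.

    A hit means IPVS forwarded the packet without rewriting the destination
    port, which is the symptom described for persistent fwmark services.
    """
    hits = []
    for proto, state, src, virt, dst in parse_connections(text):
        rip, rport = split_endpoint(dst)
        want = expected_ports.get(rip)
        if want is not None and rport != want:
            hits.append({"source": src, "virtual": virt,
                         "destination": dst, "expected_port": want})
    return hits


if __name__ == "__main__":
    for hit in find_untranslated(SAMPLE_CONN_TABLE, EXPECTED_REAL_PORT):
        print("untranslated:", hit)
```

On a live director, feed it the real output (`ipvsadm -L -c -n`) and compare a run with `-p` set against one without it to confirm whether only persistent connections show the untranslated port.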