Re: Experiencing problems with IPVS 0.2.5 / 2.4.2

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Experiencing problems with IPVS 0.2.5 / 2.4.2
Cc: Gargamel Jonez <robzr@xxxxxxxx>
From: Wensong Zhang <wensong@xxxxxxxxxxxx>
Date: Thu, 22 Mar 2001 19:08:00 +0800 (CST)

Hi,

On Thu, 22 Mar 2001, Julian Anastasov wrote:

>
>       Hello,
>
> On Wed, 21 Mar 2001, Gargamel Jonez wrote:
>
> > This is my first post to the list, I use ipvsadm for staging/preproduction
> > environments at my work.  What a cool package!
> >
> > I began using the FW Mark to create groupings for virtual servers, and I
> > noticed a problem with port translation.  Here's the environment:
> >
> > Linux 2.4.2 / IPVS 0.2.5 / ipvsadm 1.15 / IPTables 1.2
> >
> > First I made an IPTables entry:
> >
> > iptables -t mangle -A PREROUTING -d 10.1.2.25 -p tcp --dport 443 -j MARK --set-mark 25
> >
> > then the corresponding ipvs entry:
> >
> > ipvsadm -A -f 25 -p -s rr
> > ipvsadm -a -f 25 -r s11-vpn:448 -m
> > ipvsadm -a -f 25 -r s26-vpn:448 -m
> >
> > As you can see it translates from port 448 <-> 443.  With persistence turned
> > off, it works exactly as expected.  With persistence on, it does not translate
> > the port - ie it hits the real servers on port 443 instead of 448.  There are
> > no conflicting rules BTW. Is this a bug or am I overlooking something?
>
>       Bug. The patch against 0.2.5/0.2.6 is attached. Please test!
>

The fwmark-based virtual service usually assumes that the port number(s)
of the real services are equal to the port number(s) of the virtual service,
because one fwmark virtual service may group many load balanced services.
For example, we can mark dport 22, 80 and 443 with the value 25; then we
should direct packets to those same ports at the real servers respectively.
If we direct all packets marked with 25 to port 448, there will be problems.

Since it is beyond the control of ipvsadm how many ports users mark with
a single mark value, we cannot add more checking to the ipvsadm program.
Anyway, I should document this fwmark-based service assumption.

For the above example, where the port number of the real service differs
from that of the virtual service, it is good to use a normal virtual service, like
        ipvsadm -A -t 10.1.2.25:443 -p -s rr
        ipvsadm -a -t 10.1.2.25:443 -r s11-vpn:448 -m
        ipvsadm -a -t 10.1.2.25:443 -r s26-vpn:448 -m

Thanks,

Wensong


> > The reason I am using 2.4.2/iptables/IPVS 0.2.5 BTW is because with ipchains
> > and ipvs-1.0.3 I could not use the DNAT target to ssh into my real servers.
> > I made an ipvsadm port 22 target (persistent) to them, but even when I set
> > the persistent timeout to an ungodly huge number the connections still timed
> > out and froze the ssh connection in a matter of minutes.
> >
> > Rob
>
>
> Regards
>
> --
> Julian Anastasov <ja@xxxxxx>
>
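A configuration check for the assumption Wensong describes above, written as an added example for this archive page (it is not code from the thread or from the LVS project): it parses constructed sample output in the format of `iptables -t mangle -S PREROUTING` and `ipvsadm -L -n`, and flags every real server behind a fwmark service whose port differs from the port the MARK rule matches, printing the equivalent normal `-t VIP:port` service that does support port translation. The sample output, the host addresses and the `check_fwmark_port_translation` helper are assumptions; on a real director you would feed it the live output of those two commands.

```python
import re

# Constructed sample output (not captured from a real director) in the
# format of `iptables -t mangle -S PREROUTING`.  Mark 25 is the thread's
# port-443 rule; mark 26 is an assumed second group for port 22.
IPTABLES_MANGLE = """\
-P PREROUTING ACCEPT
-A PREROUTING -d 10.1.2.25/32 -p tcp -m tcp --dport 443 -j MARK --set-xmark 0x19/0xffffffff
-A PREROUTING -d 10.1.2.25/32 -p tcp -m tcp --dport 22 -j MARK --set-xmark 0x1a/0xffffffff
"""

# Constructed sample output in the format of `ipvsadm -L -n`: fwmark 25
# forwards to port 448 (the translation from the thread), fwmark 26 keeps
# port 22, and the TCP entry is a normal VIP:port service that is ignored.
IPVSADM_LISTING = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  25 rr persistent 360
  -> 10.1.2.11:448                Masq    1      0          0
  -> 10.1.2.26:448                Masq    1      0          0
FWM  26 rr
  -> 10.1.2.11:22                 Masq    1      0          0
TCP  10.1.2.25:80 rr
  -> 10.1.2.11:80                 Masq    1      0          0
"""

# Accepts both the old `--set-mark 25` and the newer `--set-xmark 0x19/0xffffffff`.
MARK_RULE = re.compile(
    r"-A PREROUTING .*?-d (?P<vip>[\d.]+)(?:/\d+)? .*?--dport (?P<dport>\d+) "
    r".*?-j MARK --set-x?mark (?P<mark>0x[0-9a-f]+|\d+)", re.I)
SERVICE_RE = re.compile(r"^(?P<proto>TCP|UDP|FWM)\s+(?P<addr>\S+)\s+(?P<sched>\S+)(?P<flags>.*)$")
REAL_RE = re.compile(r"^\s*->\s+(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<fwd>\S+)")


def parse_mark_rules(mangle_text):
    """Map fwmark -> set of (vip, dport) pairs the mangle table marks with it."""
    marks = {}
    for line in mangle_text.splitlines():
        m = MARK_RULE.search(line)
        if not m:
            continue
        mark = int(m.group("mark"), 0)  # base 0 handles both "25" and "0x19"
        marks.setdefault(mark, set()).add((m.group("vip"), int(m.group("dport"))))
    return marks


def parse_ipvsadm(listing):
    """Return the services of an `ipvsadm -L -n` listing with their real servers."""
    services = []
    for line in listing.splitlines():
        sm = SERVICE_RE.match(line)
        if sm:
            services.append({"proto": sm.group("proto"), "addr": sm.group("addr"),
                             "sched": sm.group("sched"),
                             "persistent": "persistent" in sm.group("flags"),
                             "reals": []})
            continue
        rm = REAL_RE.match(line)
        if rm and services:  # header lines use words, not ip:port, so they do not match
            services[-1]["reals"].append((rm.group("rip"), int(rm.group("rport")), rm.group("fwd")))
    return services


def check_fwmark_port_translation(mangle_text, listing):
    """One finding per real server behind a fwmark service whose port is not
    among the ports the mangle table marks with that fwmark.  Per Wensong's
    message, a fwmark service assumes real-server ports equal the marked
    virtual ports, so such an entry relies on translation it will not get.
    Each finding is (fwmark, rip, rport, marked_ports, suggested_commands)."""
    marks = parse_mark_rules(mangle_text)
    findings = []
    for svc in parse_ipvsadm(listing):
        if svc["proto"] != "FWM":
            continue
        fwmark = int(svc["addr"], 0)
        marked = sorted(marks.get(fwmark, set()))
        marked_ports = sorted({dport for _, dport in marked})
        for rip, rport, _fwd in svc["reals"]:
            if marked_ports and rport not in marked_ports:
                # A normal VIP:port service is the form that supports translation.
                fix = []
                for vip, dport in marked:
                    fix.append(f"ipvsadm -A -t {vip}:{dport}"
                               + (" -p" if svc["persistent"] else "") + f" -s {svc['sched']}")
                    fix.append(f"ipvsadm -a -t {vip}:{dport} -r {rip}:{rport} -m")
                findings.append((fwmark, rip, rport, marked_ports, fix))
    return findings


if __name__ == "__main__":
    for fwmark, rip, rport, ports, fix in check_fwmark_port_translation(IPTABLES_MANGLE, IPVSADM_LISTING):
        print(f"fwmark {fwmark}: real server {rip}:{rport}, but the mangle table marks "
              f"port(s) {ports}; fwmark services do not translate ports. Use instead:")
        for cmd in fix:
            print("   ", cmd)
```

Running it against the constructed listing reports only the two port-448 real servers of fwmark 25; fwmark 26 passes because its real server keeps port 22, and the TCP service is skipped since a normal VIP:port service may translate ports.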