|
On Sat, 7 Apr 2001, Julian Anastasov wrote:
>
> Hello Joe,
>
> On Fri, 6 Apr 2001, Joseph Mack wrote:
>
> > > With this patch applyed the template is changed only to the
> > ^^^^
> > > fwmark-based services.
> >
> > you say "only" here, like the template is only going to use fwmarks
>
> "only for", sorry.
ah
>
> We have such persistence templates:
>
> CIP:* -> VIP:VPORT -> RIP:RPORT VIP:VPORT service
> CIP:* -> VIP:0 -> RIP:* VIP:0 (catch-all) service
>
> FWMARK
> Now:
> CIP:* -> VIP:0 -> RIP:*
> After the patch:
> CIP:* -> FWMARK:0 -> RIP:*
OK
> > Then we have both kinds of templates in the
> > > connection table. And they don't collide.
> >
> > here you say there are both kinds of templates in the connection table.
> >
> > Can you clarify this for me?
>
> The templates are Proto,CIP,CPORT,VIP,VPORT,RIP,RPORT entry.
>
> VIP:VPORT and FWMARK used as Virtual Service key:
>
> 1. *** -> VIP:VPORT -> ***
> 2. *** -> FWMARK:0 -> ***
>
> > But this feature uses the
> > > fact the 0.0.0.0/8 network is not used and the fwmarks are in the
> > > range of 1 - 2^24-1.
>
> Ops, my mistake, 0.0.0.0/4. And the FWMARK templates can't
> collide with the normal because they are created with proto IP, the
> normal are created with proto UDP/TCP. So, any FWMARK values can be
> used.
OK
> > I don't understand what this is about. You are using some coding trick
> > here that I don't need to know about? Can I use -d 0.0.0.0/0 for a target
> > in the iptables rules (eg if a real-server is a transparent web cache,
> > where I would be using an iptables rule of --dport 80 in the director,
> > so that the director would forward any http packets)?
>
> Yes, you can use any addresses.
OK
> > If the fwmark is not in this range these templates
> > > can collide with the normal VIP templates.
> >
> > you are saying that the templates don't collide now.
> > What if I deliberately setup a VIP rule and an
> > ipchains/fwmarks rule that both accept the same connection?
> > (presumably someone will do this, without realising
> > what they have done)
>
> The fwmark-based service will accept it.
I tried telnet by both fwmark and VIP at the same time. The
VIP got the connection
> > > > Are people expecting the original behaviour now
> > > > or are they not aware of the choices?
> > >
> > > I assume nobody tried such setups. May be only Ted Pavlic?
but it wouldn't have worked even for him using the current code?
> > These problems aren't obvious to me. Can you explain this some more?
>
> Currently, when the first packet comes for persistent fwmark
> service the kernel creates template CIP:0,VIP:0,RIP:0. But if you have
> two fwmark-based virtual services that use same virtual IP and the
> client accesses these two persistent fwmark services, the kernel will
> create only one template for this client host. Then when the next packet
> comes the lookup finds the template (for the service which created it).
> The lookup looks for CIP:0, VIP:0, any RIP and any RPORT. This lookup
> can match any template created for this CIP to our VIP. And in our
> case instead of two different, we create only one template. So, all
> packets from the client go to the real server of the first added
> template with same CIP and VIP. The problem is that the two fwmark
> services use same VIP and the traffic can be forwarded to the wrong
> fwmark service. With this patch we want the two services to create
> two different templates when they use same VIPs:
>
> CIP:0,FWMARK_A:0,RIP_A_1
> CIP:0,FWMARK_B:0,RIP_B_1
OK this is what I think I want, let me think about it some more.
Joe
--
Joseph Mack mack@xxxxxxxxxxx
|
