Hello Joe,
On Tue, 10 Apr 2001, Joseph Mack wrote:
> > The patched LVS:
> >
> > 10.1.2.0:0 -> FWMARK:0 -> RIP:0
>
> so if I did
>
> iptables -s 10.1.2.3 -m 1
> ipvsadm -A -f 1 -s rr -p 600 -M 255.255.255.0
>
> only packets from 10.1.2.3 will have a fwmark on them,
> but the director would forward all packets from
> 10.1.2.0/24, even those without fwmarks?
The patched LVS will accept only the marked packets for this
fwmark service, from the same /24 client subnet. If only one client IP
sends packets that are marked then the real service will receive packets
only from 10.1.2.3. The current LVS versions don't consider the
service and all packets CIPNET -> VIP will be forwarded using the
first created template for CIPNET:0->VIP:0, i.e. these packets will
randomly hit one of the many services that accept packets for the
same VIP (just like in your setup) and then maybe a wrong real server.
> Joe
>
> --
> Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
> contractor to the National Environmental Supercomputer Center,
> mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
Regards
--
Julian Anastasov <ja@xxxxxx>
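
The template lookup described in the reply above, as an added example that is not part of the original message and not LVS code: a simplified model comparing a template keyed on CIPNET:0->VIP:0 (current) with one keyed on CIPNET:0->FWMARK:0 (patched). The VIP address, the real server names, the second fwmark service and the sample packets are constructed assumptions.

```python
import ipaddress
from itertools import cycle

VIP = "192.0.2.10"          # constructed address, not from the thread
NETMASK = "255.255.255.0"   # persistence netmask, the -M value quoted above

class Service:
    """A persistent fwmark virtual service with round-robin scheduling."""
    def __init__(self, fwmark, real_servers):
        self.fwmark = fwmark
        self.real_servers = tuple(real_servers)
        self._rr = cycle(self.real_servers)

    def pick(self):
        return next(self._rr)

class Director:
    """Model only: assumes the director has nothing but fwmark services."""
    def __init__(self, services, patched):
        self.services = {s.fwmark: s for s in services}
        self.patched = patched
        self.templates = {}   # persistence templates: key -> real server

    def _template_key(self, cip, fwmark):
        net = ipaddress.ip_network(f"{cip}/{NETMASK}", strict=False)
        cipnet = str(net.network_address)
        # Patched: CIPNET:0 -> FWMARK:0. Current: CIPNET:0 -> VIP:0.
        return (cipnet, "fwmark", fwmark) if self.patched else (cipnet, "vip", VIP)

    def forward(self, cip, fwmark):
        """Return the real server for a packet, or None if no service matches."""
        svc = self.services.get(fwmark)
        if svc is None:
            return None
        key = self._template_key(cip, fwmark)
        if key not in self.templates:
            self.templates[key] = svc.pick()   # first packet creates the template
        return self.templates[key]

def misrouted(patched, packets):
    """Packets that land on a real server outside their own service's pool."""
    d = Director([Service(1, ["RIP-A1", "RIP-A2"]),
                  Service(2, ["RIP-B1", "RIP-B2"])], patched)
    return [(cip, m) for cip, m in packets
            if (rip := d.forward(cip, m)) is not None
            and rip not in d.services[m].real_servers]

# Constructed traffic: two clients in 10.1.2.0/24 marked for different services.
PACKETS = [("10.1.2.3", 1), ("10.1.2.77", 2), ("10.1.2.3", 1)]
```

With the VIP-keyed template, `misrouted(False, PACKETS)` reports the fwmark 2 packet, because it reuses the template the fwmark 1 service created first; with the fwmark-keyed template the list is empty.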