
Re: network granularity with persistent fwmark

To: Joseph Mack <mack.joseph@xxxxxxx>
Subject: Re: network granularity with persistent fwmark
Cc: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>, <mack@xxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Sat, 14 Apr 2001 00:40:21 +0000 (GMT)
        Hello Joe,

On Fri, 13 Apr 2001, Joseph Mack wrote:

> > > how about your persistent-patch, which I've been working with?
>
> I just tested it.
>
> iptables puts fwmark=1 on any packet with
>
> -d = IP on a NIC on outside of the director
>
> and
>
> --dport telnet
>
> ipvsadm forwards by VS-DR any packets with fwmark=1
>
> 2 clients, both in the same network as the outside
> of the director.
>
> Clients also have a second NIC for receiving packets
> back from real-servers.
>
> With the default persistence granularity  (/32), each client
> connects to different real-servers (but each client
> goes to the same real-server each time).
>
> With the persistence granularity =/24 both clients connect to
> the same real-server (ie any number of connections from the
> two clients all come to one real-server).
>
> I assume the persistence granularity is associated with the IP
> on the outside of the director.

        Yes, but it is associated with the client address. The sequence
is this:

- packet comes from CIP to VIP1

- fw marking, optional

- lookup for existing connection CIP:CPORT->VIP1:VPORT, if yes => forward,
if not found:

- lookup service => fwmark 1, persistent

- try to select real service in context of the virtual service

        Apply the persistence granularity to the client address
        CIPNET = CIP & svc->netmask

        Now lookup for template
        1a) not patched: check for existing template CIPNET:0, VIP1:0
        1b) patched: check for existing template CIPNET:0, 1(fwmark):0

        if there is template, bind the new connection to the template's
        destination

        if there is no existing template, get one destination using
        the scheduler and bind it to the newly created template and
        the new connection. The created template is

        1a) CIPNET:0, VIP1:0, DEST_RIP:0
        1b) CIPNET:0, 1(fwmark):0, DEST_RIP:0

- forward the packet

> Having persistence granularity with a VIP makes sense.
>
> However with fwmarks it makes no sense to me (what is fwmark/24?).
> What if the iptables rules are a crazy mix of targets
> (networks, hosts, ports with no IP as for a transparent web cache)?

        No, don't apply the granularity to the fwmark, it is applied
to the source address in the out->in packets, the client address.

> Persistence granularity was designed for people coming in from
> large proxy servers (eg AOL). With fwmarks, this can be handled
> by iptables rules.

        Yes, the fact that we group the clients using this netmask
is not related to the virtual service type: normal or fwmark-based.

> Is there a function for persistence granularity with fwmark?

        I don't understand this question well.

> If you take the default persistence granularity, you
> get the behaviour I expect.

        Yes, each different IP is treated as a different client. When
a netmask < 32 is used, the group of addresses is treated as one
client when applying the persistence rules. This is not related to
the packet marking or the virtual service type.

> (hope the easter bunny visits you on Sunday. we have the easter bilby
> http://members.ozemail.com.au/~bilbies/Easter_Bilby.htm where I come from)

        :))) Very interesting :)

> Joe


Regards

--
Julian Anastasov <ja@xxxxxx>
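The lookup sequence Julian describes above, modelled as an added example (this is a simplified simulation, not LVS kernel code): the client address is masked with the service netmask, the template is keyed on the masked client plus either the VIP (unpatched) or the fwmark (patched), and a new destination is scheduled only when no template exists. The real-server names, client addresses and round-robin scheduler are constructed for the illustration.

```python
import ipaddress

def cipnet(cip, prefixlen):
    """Apply the persistence granularity: CIPNET = CIP & svc->netmask."""
    net = ipaddress.ip_network(f"{cip}/{prefixlen}", strict=False)
    return str(net.network_address)

class PersistentService:
    """Simplified model of one persistent virtual service (fwmark-based)."""

    def __init__(self, dests, prefixlen=32, fwmark=None):
        self.dests = list(dests)      # constructed real-server names
        self.prefixlen = prefixlen    # persistence granularity (/32 default)
        self.fwmark = fwmark
        self.templates = {}           # (CIPNET, service key) -> destination
        self.conns = {}               # (CIP, CPORT, VIP, VPORT) -> destination
        self.rr = 0                   # constructed round-robin scheduler state

    def _svc_key(self, vip, patched):
        # 1a) unpatched: template is CIPNET:0, VIP:0
        # 1b) patched:   template is CIPNET:0, fwmark:0
        if patched and self.fwmark is not None:
            return ("fwmark", self.fwmark)
        return ("vip", vip)

    def _schedule(self):
        dest = self.dests[self.rr % len(self.dests)]
        self.rr += 1
        return dest

    def handle(self, cip, cport, vip, vport, patched=True):
        """Return the real server the packet CIP:CPORT -> VIP:VPORT is sent to."""
        conn = (cip, cport, vip, vport)
        if conn in self.conns:                 # existing connection => forward
            return self.conns[conn]
        tkey = (cipnet(cip, self.prefixlen), self._svc_key(vip, patched))
        dest = self.templates.get(tkey)        # existing template => bind to it
        if dest is None:                       # no template => ask the scheduler
            dest = self._schedule()
            self.templates[tkey] = dest
        self.conns[conn] = dest
        return dest

def two_clients(prefixlen):
    """Joe's test: two clients on one /24, same fwmark service, given granularity."""
    svc = PersistentService(["RS1", "RS2"], prefixlen=prefixlen, fwmark=1)
    a = svc.handle("192.168.1.10", 40000, "10.0.0.1", 23)
    b = svc.handle("192.168.1.20", 40001, "10.0.0.1", 23)
    return a, b
```

With /32 the two clients land on different real servers; with /24 they share one, exactly as observed in the test above.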