
Re: ip_masq_ftp in not in kernel in 2.2.19

To: Wenzhuo Zhang <wenzhuo@xxxxxxxxxx>
Subject: Re: ip_masq_ftp in not in kernel in 2.2.19
Cc: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Tue, 1 May 2001 22:06:16 +0000 (GMT)
        Hello,

On Tue, 1 May 2001, Wenzhuo Zhang wrote:

> >     If the real server sends packets with saddr=VIP they can't go
> > through the director.
>
> The passive addresses as specified in the ftp server configurations
> only appear in the packet payload. The ftp client gets the server

        Hm, yes, this is different.

> address and port for passive data connections by sending the "PASV"
> command to the server in the control connection.
>
> >
> > > >         So, the question remains open: is active ftp working for
> > > > LVS-NAT without the in_ports option.
> > >
> > > what is in_ports?
> >
> >     The 2.2.19 way to open ports for FTP port forwarding including
> > LVS-NAT FTP. The only place where I see any info is in the sources.
> >
> > > By default, most of the browsers
> > > > use the passive option and maybe this problem is not observed.
> > >
> > > I got active (command line) ftp to work without the ftp module
> >
> >     LVS-NAT?
>
> As far as masquerading is concerned, the module is only needed for
> PORT data connections from outside, I think. But for virtual services,
> PORT connections are initiated from within the internal network. So it

        The LVS clients can use active FTP too. In this case the PORT
command comes from the external side.

> works without the module and the director masquerades the data packets
> as usual.

        Yes, there is a reason for ip_masq_ftp to exist for the plain
masquerading case, but LVS-NAT requires the same module because
ip_masq_ftp.c:masq_ftp_in must catch the client's packets for the
active FTP sessions:

PORT 10,0,0,1,4,1
LIST

        This way the FTP module creates the data connection.
This is for active FTP, LVS-NAT to port 21 (non-persistent). So,
I'm not sure how active FTP works for LVS with ip_masq_ftp without the
in_ports option. I'm not talking about the masquerading case where
the "ports" option takes place but about the "in_ports" option.

> For passive connections, there will be two connections from each
> client: one control connection and one intermittent data connection.
> The client gets the IP address and port by sending a "PASV" command in the
> control connection. So configuring the ftpserver to use VIP as the
> passive address is crucial. Also, since there will be intermittent
> data connections with different dest ports from the client,
> persistency is required.

        Yes, the persistence solves the collisions.

Regards

--
Julian Anastasov <ja@xxxxxx>
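
The PORT line quoted in the message above carries the client's address and data port as six decimal octets (h1,h2,h3,h4,p1,p2), which is what a NAT helper has to read from the control channel before it can expect the data connection. The following is an added example, not code from ip_masq_ftp.c or from this thread; the function names are hypothetical, and the policy in port_cmd_allowed (address must match the control connection's client, port must be unprivileged) is an assumption about what a careful helper would enforce.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse "PORT h1,h2,h3,h4,p1,p2" (RFC 959). Returns 0 and stores address and
 * port in host byte order on success, -1 on any malformed input. */
int parse_port_cmd(const char *line, uint32_t *addr, uint16_t *port)
{
    unsigned v[6];
    const char *p;

    if (strncmp(line, "PORT ", 5) != 0)
        return -1;
    p = line + 5;
    for (int i = 0; i < 6; i++) {
        unsigned n = 0;
        int digits = 0;
        while (*p >= '0' && *p <= '9') {
            n = n * 10 + (unsigned)(*p++ - '0');
            if (n > 255 || ++digits > 3)
                return -1;              /* each field is a single octet */
        }
        if (digits == 0 || (i < 5 && *p++ != ','))
            return -1;                  /* empty field or missing comma */
        v[i] = n;
    }
    if (*p != '\0' && *p != '\r' && *p != '\n')
        return -1;                      /* trailing junk after p2 */
    *addr = (v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}

/* Hypothetical policy (an assumption, not taken from ip_masq_ftp.c): expect a
 * data connection only if PORT names the control connection's own client. */
int port_cmd_allowed(const char *line, uint32_t client_addr, uint16_t *port)
{
    uint32_t a;
    return parse_port_cmd(line, &a, port) == 0 &&
           a == client_addr && *port >= 1024;
}

int main(void)
{
    uint16_t port;                      /* 0x0A000001 = 10.0.0.1, constructed */
    if (port_cmd_allowed("PORT 10,0,0,1,4,1\r\n", 0x0A000001u, &port))
        printf("expect data connection to 10.0.0.1:%u\n", (unsigned)port);
    return 0;
}
```

For the line quoted in the message, p1=4 and p2=1 give data port 4*256+1 = 1025 on 10.0.0.1.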


