
Re: FW: Problems with LVS-DR/FWMARK and director as gateway

To: Jake Garver <garver@xxxxxxxxxxxx>
Subject: Re: FW: Problems with LVS-DR/FWMARK and director as gateway
Cc: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: Julian Anastasov <ja@xxxxxx>
Date: Wed, 8 Aug 2001 16:11:13 +0300 (EEST)
        Hello,

On Wed, 8 Aug 2001, Jake Garver wrote:

> Summary: I'm trying to set up LVS-DR using fwmarks, but the catch is that my
> director is also the real servers' default gateway.  When I try to access
> the virtual service, my traffic gets marked, but is then routed out the
> director's default gateway.  LVS doesn't seem to be grabbing the packet and
> sending it off to a real server.
>
...
> Details: I'm running LVS-0.8.1 on linux-2.4.6.
> We have an existing firewall/router between our servers, internal clients,
> and the internet.  I'm trying to add LVS to this box and start load
> balancing over our existing servers.  I chose LVS-DR instead of LVS-NAT just
> for efficiency and because I wasn't affected by any of DR's downsides.
> Originally, I tried DR with the VIP on the director's lo:0, but ran into the
> martian problem.  I then read about fwmark.  As I understand it, fwmark
> promises to work around the martian problem and provide greater flexibility
> when grouping services.  So I configured LVS for fwmark and got stuck.  A

        This is not true. fwmark can be used for two (known) purposes:

- as a routing key (if you use it in your ip rules)

- as a higher-layer key (if you use it in your ipvs rules, for example)

        You can't avoid the source spoofing checks by using fwmarks,
or at least I don't know of such a trick.

        But you can try forward_shared-2.4.5-1.diff from
http://www.linuxvirtualserver.org/~julian/

        You need just to:

echo 1 > /proc/sys/net/ipv4/conf/all/forward_shared
echo 1 > /proc/sys/net/ipv4/conf/eth3/forward_shared

        This way you allow packets with a shared address (VIP) to
be forwarded when they come from eth3 (the real servers). You have to
be sure that this device is not connected to the same hub as your
external (non-trusted) devices or at least to filter in your ISP the
spoofed packets coming from the world or to set rp_filter to 1.

> eth1 is connected to the internet, eth3 to the real server network, and
> eth0 to the clients.
...
> I have been digging through the FAQ and code and I'm left even more confused
> by two "facts":
> 1.  fwmark does not require the VIP to be configured on an interface on the
> director (but it's still on the real servers).

        Yes, there are many ways to deliver traffic locally in the
director. The common one is to configure the IP address used by
clients.

> 2.  LVS hooks into netfilter at LOCAL_IN.
>
> These two facts seem to contradict.  If LVS is to see the packet, it must be
> routed to the local machine.  How can it be routed to the local machine if
> the local machine doesn't contain the VIP?

        Via routing rules:

ip route add VIPs/24 via LVSBOX dev internal_ISP_device

> Where am I mistaken?

        You can route traffic to gateways. This is the way your packets
hit the other end of the world. The routers forward the traffic for
addresses that are not local. Every box can receive packets for non-local
addresses. Then there are many methods to treat this traffic as locally
destined: ipchains -j REDIRECT, ip route add table XXX local 0/0 dev lo,
etc.

> Thanks in advance for your help,
> Jake Garver


Regards

--
Julian Anastasov <ja@xxxxxx>
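
An added example, not part of the original message or of the forward_shared patch: a shell check for the caveat above, that shared-address forwarding is enabled only on the real-server device and that every other device has rp_filter set to 1. The function name and the conf-root parameter are assumptions made for illustration; reading the rp_filter advice as a per-device setting is also an assumption.

```shell
#!/bin/sh
# audit_forward_shared CONF_ROOT TRUSTED_IF   (hypothetical helper, added example)
#   CONF_ROOT  - normally /proc/sys/net/ipv4/conf; a parameter so the check
#                can also be run against a copied or constructed tree
#   TRUSTED_IF - device facing the real servers (eth3 in the message)
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
audit_forward_shared() {
    conf_root=$1
    trusted=$2
    findings=0

    # The forward_shared entry exists only on a kernel carrying the patch.
    if [ ! -r "$conf_root/$trusted/forward_shared" ]; then
        echo "MISSING $trusted: no forward_shared entry (kernel patch not applied?)"
        findings=$((findings + 1))
    fi

    for dir in "$conf_root"/*/; do
        ifname=$(basename "$dir")
        case $ifname in
            all|default|lo|"$trusted") continue ;;
        esac

        # Untrusted device: packets sourced from the VIP must not be forwarded.
        fs=$(cat "$dir/forward_shared" 2>/dev/null || echo 0)
        if [ "$fs" = "1" ]; then
            echo "RISK $ifname: forward_shared=1 on an untrusted device"
            findings=$((findings + 1))
        fi

        # Untrusted device: reverse-path filtering rejects spoofed sources.
        rp=$(cat "$dir/rp_filter" 2>/dev/null || echo unknown)
        if [ "$rp" != "1" ]; then
            echo "RISK $ifname: rp_filter=$rp (expected 1)"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Audit the live system only when a trusted device name is passed as $1.
if [ -n "${1:-}" ]; then
    audit_forward_shared /proc/sys/net/ipv4/conf "$1"
fi
```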


