Hello,
On Tue, 16 Oct 2001, Timothy Webster wrote:
> After some thought, lots of reading, I released that IPVS and TCPVS are what
> is needed to implement a load balancing firewall.
>
>
> Example load balancing firewall
>
> |---------|--dsl1----
> |load |
> |balacing |--dsl2---- internet servers
> clients ----|firewall |
> |---------|--dsl3----
> private net
For such setup (where the LBF performs NAT for private nets)
you can use my patch routes-2.2.19-4.diff from
http://www.linuxvirtualserver.org/~julian/
With this patch you can use the multipath feature to balance
traffic through many gateways, even if they are reachable through one
device. Not perfect, but works for many flows to universe.
> To me this is not very different from a LVS gateway
>
> |---------|--server 1----
> |load |
> |balacing |--server 2----
> clients ----|firewall |
> |---------|--server 3----
This is different case, you want these "server ?" to be
gateways reachable with LVS-DR method. The gateways deliver the
incoming traffic directly to the clients.
> internet private net
>
>
> - I am currently looking into what if any changes are required to enable
> me to use the lvs gateway as part of a load balacing firewall.
May be only:
- Forwarding of ICMP packets from LVS
- Better bypass feature (per service, using input route calls)
Everything is in my TODO list but still testing is needed.
To allow this to work some things are required:
- route tagging - for easier marking of the packets. I.e. the fwmark
marking is an input for the routing but this is not enough. We need
a way LVS to learn which route is selected (the route to universe),
because it is hard to add so many ipchains -m rules that will not
match the traffic to directly connected targets. Then we have to add
virtual service by such tag (similar to the fwmark services).
IOW, with the current LVS versions you need something like
this:
ipchains -A input -m 1
ip rule add prio ... fwmark 1 table 1
ip route add local 0/0 dev lo table 1
ipvsadm -A -f 1 ...
ipvsadm -a -f 1 ...
And the problem is that when LVS receives marked packet we
are not sure whether this packet is locally delivered after hitting
a route from the local table or from any other table reached with
fwmark rule. More specific ipchains marking (synchronized with the
routing) is needed to mark only the packets that will be relayed to
the border gateways.
> Any thoughts on this idea.
Many, for example:
ip route add local 0/0 dev lo rtmark 1
ipvsadm -A -rtmark 1 ...
> -Tim.
Regards
--
Julian Anastasov <ja@xxxxxx>
|