
Re: LVS/TUN problem

To: Tao Zhao <taozhao@xxxxxxxxxx>
Subject: Re: LVS/TUN problem
Cc: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Wed, 7 Nov 2001 17:59:15 +0200 (EET)
        Hello,

On Wed, 7 Nov 2001, Tao Zhao wrote:

> The section did raise the same question in experiment 3, but no answer is
> given.

        The answer was given in my previous postings. I noted
that another thread explains the possible reasons why a TUN
setup could be wrong. In short:

1. rp_filter protection in real server (tunl0) can drop the requests

        Please, show us these values:

        /proc/sys/net/ipv4/conf/all/rp_filter
        /proc/sys/net/ipv4/conf/default/rp_filter
        /proc/sys/net/ipv4/conf/tunl0/rp_filter

        If tunl0/rp_filter is set (after the first address is added
to it), then maybe this is caused by default/rp_filter=1

2. in the real server the VIP _MAY_ be hidden (if it is a remote host)
to avoid problems with the RS's gateway. If it is on the same shared
media as the director then the VIP _MUST_ be hidden

3. the RS's gateway _MUST_ pass the spoofed replies (saddr=VIP)
from real server to client

        No other problems are known.

> I followed the instructions in the document yesterday to set VIP on dummy0
> instead of tunl0. But the real server refused to reply to the
> telnet request from the client.
>
> RS$ip route get from CIP to VIP iif tunl0
> gave me an error, while

        Good reason for IPIP not to work. Then I'm wondering how
your setup works at all. IMO, your client connects directly to the
real server, maybe tcpdump can show it. The director does not
participate in these talks. ARP problem.

> RS$ip route get from CIP to VIP iif dummy0
> local VIP from CIP dev lo src VIP cache <local> iif dummy0

        Commands like this, in the form "from universe to local_ip iif DEV",
should return a result starting with the word "local" for any DEV while
DEV/rp_filter=0.

        You can try it even with "iif dummy0"

> So I guessed that since I didn't set VIP on tunl0 the real server silently
> discarded packets received from tunl0 with VIP.

        Wrong assumption. Try to replace the VIP in the above command
with some valid local IP and you will receive the same result.

> Then I added VIP on tunl0, and LVS/TUN worked.

        I already mentioned that tunl0 must be up and running even
if you add a hidden VIP to the dummy or lo device:

        ifconfig tunl0 0.0.0.0 up

> Still I have those same questions:
> 1. Why setting VIP at dummy0 only didn't work? (some route rule needed?)

        Because when tunl0 is down you can't receive IPIP packets.
If it is up, then tunl0/rp_filter should be 0.

> 2. What's the relation between tunl0 and dummy0?

        tunl0 is a special device, reread the current thread. The kernel
automatically redirects the IPIP through its default tunnel (created
when tunl0 is created) for decapsulation.

> 3. Can I give multiple VIPs to tunl0? I know I can do that to dummy0, but
> since dummy0 didn't work ...

        You can add many IPs to any device. I don't remember any
restrictions. It does not even matter on which device the IP addresses
are added. But there are some consequences when an IP address is added:
the kernel can create link routes if the IP address is primary. This
is one of the reasons people define IPs on ethernet devices - they
automatically create link routes through this device.

> Thanks,
> -Tao

Regards

--
Julian Anastasov <ja@xxxxxx>
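
The real-server checks from the reply above (the three rp_filter values, whether tunl0 is up, and whether an `ip route get ... iif DEV` result starts with "local"), collected into one script. This is an added example, not part of the original message; it assumes a current Linux kernel where sysfs exposes the interface flags and where the larger of the all/ and per-device rp_filter values is the one applied, and `PROC_ROOT`/`SYS_ROOT` are hypothetical overrides. Call `check_tun_realserver tunl0` on the real server; its exit status is the number of problems found.

```shell
#!/bin/sh
# Added example: real-server checks taken from the reply above.
# PROC_ROOT and SYS_ROOT are hypothetical overrides for a constructed test tree.
PROC_ROOT="${PROC_ROOT:-/proc}"
SYS_ROOT="${SYS_ROOT:-/sys}"

# Print one rp_filter value; $1 is all, default or a device name.
rp_filter_value() {
    cat "$PROC_ROOT/sys/net/ipv4/conf/$1/rp_filter" 2>/dev/null || echo missing
}

# Assumption (current kernels): the larger of all/ and the device value applies.
effective_rp_filter() {
    a=$(rp_filter_value all); d=$(rp_filter_value "$1")
    case "$a$d" in *missing*) echo missing; return 0 ;; esac
    if [ "$a" -gt "$d" ]; then echo "$a"; else echo "$d"; fi
}

# True when the device has IFF_UP (bit 0x1) set in its sysfs flags word.
iface_is_up() {
    flags=$(cat "$SYS_ROOT/class/net/$1/flags" 2>/dev/null) || return 1
    [ $(( $flags & 1 )) -eq 1 ]
}

# True when the first line of `ip route get from CIP to VIP iif DEV` starts with "local".
route_is_local() {
    case "$1" in local\ *) return 0 ;; *) return 1 ;; esac
}

# Print the values the reply asks for and return the number of problems found.
check_tun_realserver() {
    dev="${1:-tunl0}"; problems=0
    for scope in all default "$dev"; do
        echo "rp_filter[$scope]=$(rp_filter_value "$scope")"
    done
    if ! iface_is_up "$dev"; then
        echo "PROBLEM: $dev is not up, IPIP packets cannot be received"
        problems=$((problems + 1))
    fi
    if [ "$(effective_rp_filter "$dev")" != "0" ]; then
        echo "PROBLEM: rp_filter is active on $dev and can drop the requests"
        problems=$((problems + 1))
        if [ "$(rp_filter_value default)" = "1" ]; then
            echo "NOTE: default/rp_filter=1 may be where $dev got its value"
        fi
    fi
    return "$problems"
}
```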


