Re: LVS-NAT (without MASQ) and contacting real server directly?

To: Paul Wouters <paul@xxxxxxxxx>
Subject: Re: LVS-NAT (without MASQ) and contacting real server directly?
Cc: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Sat, 1 Dec 2001 00:55:30 +0000 (GMT)
        Hello,

On Fri, 30 Nov 2001, Paul Wouters wrote:

> My problem is, I'd like to move this situation into place for other RIPs,
> but I don't want to break the current server. So connections to a RIP
> directly should be possible. I've read similar things on the list, but I
> don't understand why this wouldn't work. Connecting from a client to a RIP
> should just completely bypass all the LVS code, but it seems that the LVS
> code is confused, and thinks a RIP->client answer *should* be part of its
> NAT structure.

> it.  The LVS then sends out a port unreachable:
>
> 14:21:15.564637 > 1.2.3.1 > 1.2.3.198: icmp: a.b.c.d tcp port 64866 
> unreachable [tos 0xc0]

        The code that replies with the ICMP can be removed, but then
one problem remains: connection reuse. The client can select a
port for direct talks with the RIP, but if that port was used
some seconds before for CIP->VIP talks, it is possible for LVS to catch
these replies as part of the previous connection's life. LVS does not
spy on the TCP headers and does not keep the TCP state accurately.
So, it is possible for LVS not to detect that the client and the server
establish a new connection over the same addresses and ports that are
still known as a NAT connection. Even stateful conntracking can't notice
it because the CIP->RIP talks are not subject to NAT processing. When
LVS sees the replies from RIP to CIP it will SNAT them, and this will
be fatal because the new connection is between CIP and RIP directly,
not from CIP->VIP->RIP. The other thing is that the CIP does not even know
that it connects from the same port to the same server. It thinks there
are 2 connections from the same CPORT: to VIP and to RIP, so they can live
even at the same time.

        So, such a setup is dangerous. As for the ICMP replies, they
are only for anti-DoS purposes, but maybe they are going to die soon.
There is still not enough reason to remove that code (it was not
first priority).

> I'm still using LVS 0.9.3. I see some NAT changes were made, but at least
> the changelog didn't seem to contain relevant updates. I'll try it with
> 0.9.7 but that one wouldn't compile ipvsadm out of the box.

        It is not changed there. You can remove it by hand.

> Paul

Regards

--
Julian Anastasov <ja@xxxxxx>



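The connection-reuse collision Julian describes above, as a toy model added to this archive page (not LVS code): the director keys NAT entries on addresses and ports alone, with no TCP state, so a reply to a direct CIP->RIP connection opened from a recently used CPORT is SNATed to the VIP. The addresses, the service port and the idle timeout are assumptions chosen for illustration; the client port 64866 is taken from the quoted trace.

```python
"""Toy model of the LVS-NAT connection-table collision described in the mail.

Constructed example, not LVS code: addresses, ports and the timeout value
are assumptions chosen for illustration.
"""
from dataclasses import dataclass

CIP, VIP, RIP = "1.2.3.198", "1.2.3.1", "10.0.0.10"   # assumed addresses
CPORT, SVC_PORT = 64866, 80     # client port from the trace, assumed service port
NAT_TIMEOUT = 120               # assumed idle timeout (seconds) of a NAT entry

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class LvsNat:
    """Director that keys entries on the 4-tuple only, with no TCP state."""
    def __init__(self):
        self.table = {}  # (CIP, CPORT, RIP, RPORT) -> expiry time

    def from_client(self, pkt: Pkt, now: float) -> Pkt:
        # Only traffic addressed to the VIP is NATed; CIP->RIP bypasses LVS.
        if pkt.dst != VIP:
            return pkt
        self.table[(pkt.src, pkt.sport, RIP, pkt.dport)] = now + NAT_TIMEOUT
        return Pkt(pkt.src, pkt.sport, RIP, pkt.dport)

    def from_server(self, pkt: Pkt, now: float) -> Pkt:
        # Replies are matched on the 4-tuple alone; a live entry is SNATed to VIP.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.table.get(key)
        if expiry is not None and now < expiry:
            return Pkt(VIP, pkt.sport, pkt.dst, pkt.dport)
        return pkt

def direct_reply_seen_by_client(gap_seconds: float) -> str:
    """Source address the client sees on the RIP's reply to a *direct* CIP->RIP
    connection opened gap_seconds after a CIP->VIP connection from the same CPORT."""
    lvs = LvsNat()
    lvs.from_client(Pkt(CIP, CPORT, VIP, SVC_PORT), now=0)             # via VIP
    lvs.from_client(Pkt(CIP, CPORT, RIP, SVC_PORT), now=gap_seconds)   # direct, untouched
    reply = lvs.from_server(Pkt(RIP, SVC_PORT, CIP, CPORT), now=gap_seconds + 1)
    return reply.src

if __name__ == "__main__":
    print(direct_reply_seen_by_client(5))    # VIP: stale entry hijacks the direct reply
    print(direct_reply_seen_by_client(300))  # RIP: entry expired, reply passes untouched
```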