RE: lvs-nat & SNAT

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: RE: lvs-nat & SNAT
From: Rodger Erickson <rerickson@xxxxxxxxxxxx>
Date: Tue, 29 Jan 2002 10:04:38 -0800
        After looking through your situation below, I believe that this
would work properly if you removed the post_routing hook from ip_vs_conn.c
(or did some #ifdef'ing to replace the contents of the existing hook with
"return NF_ACCEPT").

        This way your packets could continue through the netfilter mechanism
and be SNAT'd properly.

        I don't think that routing is an issue with SNAT if all you want to
do is masquerade the source address to force responses to come back through
a particular (and thus the correct route is the one you would have used
anyway).

        As a caveat, I'm not 100% certain why the ip_vs_post_routing()
routine was put there (and what things would break by effectively removing
it).  It seems to me that all it's doing is preventing conntrack entries
from being created for packets leaving the box.  While this is a good thing
under most circumstances, it is certainly undesirable for your situation.

        Can one of the core LVS guys tell me if I'm missing something here?
I've done something similar to what I've described above and it seems to
work great for me in my environment.


        Rodger Erickson


> -----Original Message-----
> From: sofox [mailto:sofox@xxxxxxx]
> Sent: Tuesday, January 29, 2002 3:08 AM
> To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Subject: lvs-nat & SNAT
> 
> 
> Hi,
> 
> Is it true that packets that pass through lvs-nat won't pass 
> through the iptables POSTROUTING chain any more?
> 
> Our network looks like the following.
> 
> IDC_A----------LB_A-------------------------------LB_B-------------IDC_B
>           203.x.y.z       10.0.0.1          |        10.0.0.2      61.a.b.c
>                                             | 10.0.0.254
>                                          ROUTER
>                                             |192.168.8.254
>                                             |
>                               ------------------------- 192.168.8.x
>                                      [REAL SERVERS]
> 
> On LB_A: 
> ipvsadm -A -t 203.x.y.z:80 -s lc
> ipvsadm -a -t 203.x.y.z:80 -r 192.168.8.1:90 -m
> ipvsadm -a -t 203.x.y.z:80 -r 192.168.8.2:90 -m
> ...
> ipvsadm -a -t 203.x.y.z:80 -r 192.168.8.n:90 -m
> 
> On LB_B:
> ipvsadm -A -t 61.a.b.c:80 -s lc
> ipvsadm -a -t 61.a.b.c:80 -r 192.168.8.1:90 -m
> ipvsadm -a -t 61.a.b.c:80 -r 192.168.8.2:90 -m
> ...
> ipvsadm -a -t 61.a.b.c:80 -r 192.168.8.n:90 -m
> 
> Objective: Access cluster through both load balancer LB_A and LB_B.
> 
> Obviously, the key problem is that we must design a method so that 
> response packets for those requests that come in from LB_A 
> are sent out through LB_A. 
> 
> I tried to perform SNAT on both LB, like
> On LB_B:
> iptables -t nat -A POSTROUTING -p tcp -d 192.168.8.0/24 --dport 90 -j SNAT --to-source 61.a.b.c
> 
> 
> On LB_A:
> iptables -t nat -A POSTROUTING -p tcp -d 192.168.8.0/24 --dport 90 -j SNAT --to-source 203.x.y.z
> 
> Unfortunately, neither LB_A nor LB_B seems to do SNAT to net 
> 192.168.8.0/24.
> 
> Any better solutions other than adding two Linux boxes and performing 
> SNAT before the load balancers?
> 
> Oscar
> 
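As an added illustration of the mechanism Rodger describes (this is not code from the thread or from the LVS project), the following Python model runs a packet through two POSTROUTING hooks and shows why the iptables SNAT rule in Oscar's mail is skipped unless the IPVS hook returns NF_ACCEPT, and what that means for which director the real server's reply leaves through. The director and client addresses, and the ordering of the two hooks, are assumptions.

```python
# Constructed model of the packet path this thread discusses; not kernel code.
# Netfilter runs POSTROUTING hooks in priority order: NF_STOP ends the traversal,
# NF_ACCEPT hands the packet to the next hook (IPVS hook before iptables nat: assumed).
from dataclasses import dataclass

NF_ACCEPT, NF_STOP = "NF_ACCEPT", "NF_STOP"

# Constructed addresses standing in for the thread's 203.x.y.z and 61.a.b.c.
LB_A, LB_B = "203.0.113.1", "198.51.100.1"
REAL_NET, REAL_PORT = "192.168.8.", 90   # -d 192.168.8.0/24 --dport 90

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ipvs_property: bool = False  # set once IPVS has rewritten the packet

def ip_vs_post_routing(pkt, bypass_nat):
    """IPVS POSTROUTING hook. bypass_nat=True models the stock behaviour
    (stop the chain for IPVS packets); False models Rodger's 'return NF_ACCEPT'."""
    if not pkt.ipvs_property:
        return NF_ACCEPT
    return NF_STOP if bypass_nat else NF_ACCEPT

def snat_rule(to_source):
    """iptables -t nat -A POSTROUTING -p tcp -d 192.168.8.0/24 --dport 90
    -j SNAT --to-source <director address>, as a hook function."""
    def hook(pkt):
        if pkt.dst.startswith(REAL_NET) and pkt.dport == REAL_PORT:
            pkt.src = to_source
        return NF_ACCEPT
    return hook

def forward(client, lb_ip, real_server, bypass_nat):
    """Client -> lb_ip:80; LVS-NAT (-m) has rewritten dst to real_server:90.
    Runs POSTROUTING and returns the packet the real server receives."""
    pkt = Packet(src=client, dst=real_server, dport=REAL_PORT, ipvs_property=True)
    for hook in (lambda p: ip_vs_post_routing(p, bypass_nat), snat_rule(lb_ip)):
        if hook(pkt) == NF_STOP:
            break
    return pkt

def reply_path(pkt, default_gw_lb):
    """Director the real server's reply leaves through: straight back to the
    director whose address was SNAT'd in, otherwise via the default gateway."""
    return pkt.src if pkt.src in (LB_A, LB_B) else default_gw_lb
```

With the stock hook the real server still sees the client's address and answers via its default gateway (LB_B in the model), so a request that arrived through LB_A is answered through the other director; with the hook returning NF_ACCEPT the SNAT rule fires and the reply goes back to LB_A.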