Re: can I use ip route to dst:port

To: Joseph Mack <mack.joseph@xxxxxxx>
Subject: Re: can I use ip route to dst:port
Cc: "lvs-users@xxxxxxxxxxxxxxxxxxxxxx" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>, Roberto Nibali <ratz@xxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Thu, 21 Mar 2002 23:49:25 +0000 (GMT)
        Hello,

On Thu, 21 Mar 2002, Joseph Mack wrote:

> Can I route by dst_port?
>
> I want to send all packets from RIP to 0/0:80 through the
> default gw, and all other packets from the RIP (eg to
> 0/0:other ports) to the DIP.

        Hm, difficult task, may be possible in 2.4 with
fwmark routes for locally generated traffic, I haven't tried it.
The case where you can't do the route call based on source or
destination IP is difficult.

> In my normal setup for VS-DR I send packets from the VIP
> on the realservers to the default gw, while all packets
> from the RIP I send to the DIP. I do this because I

        This is different: if you can differentiate the
traffic by source IP, then the picture is different:

# directly attached networks first
ip rule add prio 50 table main
# packets the realserver sends as the VIP (replies to clients) go to the default gw
ip rule add prio 101 from VIP table defgw
# everything the realserver itself sends from the RIP goes to the DIP
ip rule add prio 102 from RIP table dr

> assume that only packets from the VIP on the realserver
> need to get to the outside world. There are normally
> no clients on the realservers making calls to 0/0.
> Any such packets are sent to the DIP, where a filter
> drops them.
>
> However in the case of a 3 tier system (eg the realservers
> are squids), a client on the realserver will be making
> calls to 0/0:80. It would be nice to route only those
> packets and arrange for the rest of the packets to 0/0
> to be dropped.

        Such setups are usually done in this way:

- the clients have the director as default gateway

- the director delivers locally the needed traffic:

# avoid tproxy for traffic destined to a directly attached network, if
# needed; if not, proxy that traffic too by moving this rule below the
# fwmark ip rule
ip rule add prio 50 table main

# deliver locally the HTTP traffic destined to universe
ip rule add prio 100 fwmark 1 table 100
ip route add local 0/0 dev lo table 100

# reach universe for non-http traffic
ip rule add prio 200 table 200
ip route add default table 200 ...

# mark the HTTP traffic; related ICMP is independent of such rules
ipchains -A input -p TCP -s CLIENT_NET -d 0.0.0.0/0 80 -m 1 -j ACCEPT

ipvsadm -A -f 1 -s lblcr
ipvsadm -a -f 1 -r squid1 -g
ipvsadm -a -f 1 -r squid2 -g

> Thanks
>
> Joe

Regards

--
Julian Anastasov <ja@xxxxxx>
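The two rule sets from the mail above (source-based policy routing on a VS-DR realserver, and fwmark-based local delivery of client HTTP on the director) written out as one added shell script; this is not code from the mail or from the LVS project. Assumptions: all addresses, the gateway and the realserver names are placeholders; the named tables "defgw" and "dr" in the mail are replaced by numeric tables 101 and 102 so that /etc/iproute2/rt_tables need not be edited; the 2.4-era ipchains mark rule is written as its iptables mangle-table equivalent; the "..." in the mail's default route is filled by a gateway argument. With DRY_RUN left at its default of 1 the script only prints the command sequence, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the original mail. Two functions build the rule
# sets discussed in the thread. DRY_RUN=1 (default) prints the commands;
# run with DRY_RUN= (empty) as root to apply them.
# Addresses, gateway, table numbers 101/102 and the iptables form of the
# mark rule are assumptions, not taken from the mail.

: "${DRY_RUN=1}"

# Execute a command, or print it when DRY_RUN is non-empty.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Remove a rule if it exists, so re-running the script does not stack
# duplicate rules with the same priority.
del_rule() {
    run ip rule del "$@" 2>/dev/null || true
}

# Realserver (VS-DR) side: route by *source* address, which the policy
# routing database handles directly. Packets the realserver sends as the
# VIP (replies to clients) leave via the default gateway; everything it
# sends from its own RIP goes to the director's DIP, where a filter can
# drop it.
# Usage: realserver_routes VIP RIP DEFGW DIP
realserver_routes() {
    vip=$1; rip=$2; defgw=$3; dip=$4
    del_rule prio 50 table main
    del_rule prio 101 from "$vip"
    del_rule prio 102 from "$rip"
    run ip rule add prio 50 table main              # directly attached nets first
    run ip rule add prio 101 from "$vip" table 101  # table "defgw" in the mail
    run ip rule add prio 102 from "$rip" table 102  # table "dr" in the mail
    run ip route replace default via "$defgw" table 101
    run ip route replace default via "$dip" table 102
}

# Director side: clients use the director as default gateway. HTTP from the
# client network is marked in PREROUTING (before the routing decision), the
# mark selects table 100, and table 100 delivers the packet locally, where
# the fwmark virtual service hands it to a squid over LVS-DR. Everything
# else falls through to the default route in table 200.
# Usage: director_rules CLIENT_NET GW REALSERVER [REALSERVER ...]
director_rules() {
    client_net=$1; gw=$2; shift 2
    del_rule prio 50 table main
    del_rule prio 100 fwmark 1
    del_rule prio 200 table 200
    # order matters: main (50) before fwmark (100) before default (200)
    run ip rule add prio 50 table main
    run ip rule add prio 100 fwmark 1 table 100
    run ip route replace local 0/0 dev lo table 100
    run ip rule add prio 200 table 200
    run ip route replace default via "$gw" table 200
    # mark client HTTP to anywhere; iptables form of the mail's "-m 1" rule
    run iptables -t mangle -D PREROUTING -p tcp -s "$client_net" --dport 80 -j MARK --set-mark 1 2>/dev/null || true
    run iptables -t mangle -A PREROUTING -p tcp -s "$client_net" --dport 80 -j MARK --set-mark 1
    # fwmark virtual service 1, scheduler lblcr, realservers in DR mode
    run ipvsadm -D -f 1 2>/dev/null || true
    run ipvsadm -A -f 1 -s lblcr
    for realserver in "$@"; do
        run ipvsadm -a -f 1 -r "$realserver" -g
    done
}

# Sample invocation with constructed placeholder addresses (dry run by default).
realserver_routes 192.0.2.10 10.0.0.11 192.0.2.1 10.0.0.1
director_rules 10.0.0.0/24 192.0.2.1 10.0.0.11 10.0.0.12
```

Only traffic that carries fwmark 1, i.e. TCP to port 80 from CLIENT_NET, is pulled into table 100; anything arriving from outside that network is routed normally, so the director does not become a proxy for hosts it was not meant to serve. The rule at priority 50 has to stay ahead of the fwmark rule, otherwise HTTP to a host on a directly attached network would be intercepted as well.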
