antefacto patch successful against ipvs1.0.7 and 2.4.19 kernel

To: LVS List <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: antefacto patch successful against ipvs1.0.7 and 2.4.19 kernel
From: Vinnie <listacct1@xxxxxxxxxx>
Date: Mon, 14 Apr 2003 19:12:04 -0400

Hi everyone,

With Ben North's very helpful information, I managed to hand-fit the "antefacto" patches into v1.0.7 of the IPVS source and 2.4.19 kernel source. After completing the patch work, I ran a diff against the whole kernel tree, to come up with a "single kernel patch" of IPVS 1.0.7 for kernel 2.4.19, *WITH* the antefacto patches in place also.

(For those unfamiliar, the Antefacto patches bring enough of netfilter's connection tracking code into IPVS to allow an LVS(-NAT) director to also function as a stateful-inspection-capable iptables firewall, so that even traffic destined for a VIP/realserver can be statefully inspected by your iptables firewall ruleset.)

I know 1.0.8 just came out so this may not be quite as interesting as it would have been a few days ago... ;)

I've been running an LVS-NAT director with this setup for over a week now and haven't seen any probs yet.

Anyway, if anyone is interested in a copy of this "antefacto-enabled" IPVS v1.0.7 single-kernel-patch for kernel 2.4.19, point your browser to:

http://www.lvwnet.com/vince/files/linux-2.4.19_ipvs1.0.7_single-patch+antefacto-netfilter-conntrack.zip

and pick up a copy. Ben North looked over what I did, and advised me that there are a couple of .orig files in the diff, so I will probably need to clean them up and re-diff for a cleaner patch.

But as far as I can tell here with a mildly-busy setup, running 13 LVS-NAT virtual services on the firewall/director (a P166-MMX), it is chumming right along.

Please ignore the lack of much anything else useful on my linux web page. Gotta get away from hands-on long enough to update the webpage with some information. ;)

==========

Any chance the maintainers of the IPVS code would RE-consider bringing the Antefacto code into the main IPVS source code? It really is a good feature (stateful inspection of VIP traffic in the firewall scripts), and I imagine there would be many folks that would consider this useful. Why run a separate firewall box if you can have LVS director and firewall on the same box (and not lose any functionality)? You can make that 2nd box a hot standby director/firewall in case the first one fails... ;)

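The following is an added example, not part of the original post or the IPVS project, of the kind of director ruleset the paragraph above describes: a default-deny FORWARD chain on an LVS-NAT director that uses `-m state` on VIP-destined traffic, which is only meaningful once IPVS and netfilter connection tracking cooperate as the Antefacto patches arrange. The VIP, interfaces, realserver network and ports are constructed placeholders; `DRY_RUN` is a convention of this script, so by default it only prints the `iptables`/`ipvsadm` commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed addresses:
VIP=203.0.113.10            # virtual IP on the director's outside interface
EXT_IF=eth0                 # outside interface
INT_IF=eth1                 # interface toward the realservers
RS_NET=192.168.10.0/24      # constructed realserver network (LVS-NAT masquerades it)
RS1=192.168.10.11
RS2=192.168.10.12
DRY_RUN=${DRY_RUN:-1}       # 1 = print commands only; 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Stateful director/firewall rules. Without conntrack-aware IPVS the VIP
# traffic would bypass the state table and the --state rules could not match.
director_rules() {
    run iptables -P FORWARD DROP
    # Replies and related packets for any tracked connection, in both directions.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only *new* connections to the published VIP service may start a flow;
    # everything else toward the realserver network is dropped by policy.
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$RS_NET" --dport 80 \
        -m state --state NEW -j ACCEPT
    # Drop packets conntrack considers INVALID (bad sequence, unknown state).
    run iptables -A FORWARD -m state --state INVALID -j DROP
}

# The LVS-NAT virtual service the firewall rules above protect.
lvs_service() {
    run ipvsadm -A -t "$VIP:80" -s wlc
    run ipvsadm -a -t "$VIP:80" -r "$RS1:80" -m
    run ipvsadm -a -t "$VIP:80" -r "$RS2:80" -m
}

# Count how many rules rely on connection state; returns the number via stdout.
stateful_rule_count() {
    DRY_RUN=1 director_rules | grep -c -- '--state'
}

if [ "${1:-}" = "--show" ]; then
    director_rules
    lvs_service
fi
```

Run it as `sh director.sh --show` to print the rules, or `DRY_RUN=0 sh director.sh --show` as root on a director built from the patched kernel to apply them. The design point is the default-deny FORWARD policy: only NEW connections to the VIP port are admitted, and the ESTABLISHED,RELATED rule carries the rest of each flow, which is exactly what a director without conntrack integration cannot express for VIP traffic.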
