Sorry it took me so long to post a reply, been pretty busy lately...
Roberto Nibali wrote:
> Hello,
> First off, no offense to anyone, especially to the author of the patch.
>> It was listed on the linuxvirtualserver.org webpage, in the LVS-HOWTO,
>> section 21 or so.
> Have not found it, is there a *diff version I could throw my eyes over?
http://www.lvwnet.com/vince/files/ipvs/linux-2.4.19-ipvs-1.0.7-antefacto.patch.tar.bz2
Also, I have a document I've been working on with (hopefully helpful) info
about setting up an LVS-NAT Director (running keepalived) to function as a
stateful firewall, which also happens to use proxy-arp.
Feel free to look it over and pick it apart.
http://www.lvwnet.com/vince/linux/Keepalived-LVS-NAT-Director-ProxyArp-Firewall-HOWTO.html
> What kind of tests did you run?
Well I haven't tried to crash the firewall/Director or anything, but to sum
it up, the firewall box is doing its job now just as well as it was before I
started dinking around with LVS/IPVS. It is letting traffic come IN that I
have IPVS virtual services for, and letting it be FORWARDED to the Real
Servers. It's not getting in the way of IPVS connections in progress, nor
does it appear to be letting traffic through which is NOT related to
connections already in progress.
> Guys, I hope you _do_ realize that not even netfilter has a properly
> working connection tracking. Without the tcp-window-tracking patch,
> netfilter allows you to send arbitrary packets through the stack. It's a
> well-known fact and even the netfilter homepage at some point mentioned it.
Point taken. But that's not an IPVS or Antefacto problem.
> I take it that you didn't do any tests of the patch or netfilter in
> general with a packet generator (where you can modify every last bit of
> an skb).
No, I can't say that I have. Perhaps you would be willing to put some of
that expertise you have to work?
> And, to your interest, LVS _does_ have sort of connection state tracking.
I am aware of that. But the point about all of this (and the reason that
the folks who actually wrote the Antefacto patch did so) is that IPVS works
independently of netfilter's connection tracking. So Netfilter doesn't have
a CLUE about all those connections going on (or not going on) to IPVS-based
services and RealServers.
But if you want your LVS Director to also be your main firewall, that means
you have to be able to tell your firewall box, in ways that you can
communicate your wishes with iptables commands, what kind of traffic you
want to allow to go in/out of your LVS. But that's pretty hard to do since
IPVS unmodified doesn't bother to let netfilter in on the loop of what it's
doing.
The antefacto patch allows netfilter and IPVS to communicate about all that
traffic going through your LVS, so that at the iptables ruleset level, it is
possible to write rules that work for your LVS.
If netfilter's connection tracking is broken, then it's broken -- IPVS,
Antefacto, or not.
cheers,
vince
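As an added example (not from the original thread, and not the antefacto patch's or LVS's own code), here is a shell sketch of the kind of iptables ruleset the reply above describes for an LVS-NAT Director that doubles as the stateful firewall: default-deny on INPUT and FORWARD, new connections admitted only for the IPVS virtual services, and everything else required to match a connection netfilter already tracks. The interface names, VIP, real-server subnet and ports are constructed placeholders; with IPT_DRY_RUN=1 the functions print the iptables commands instead of running them, which is how the example is exercised offline. The thread's caveat applies to the FORWARD rules: on an IPVS without the antefacto patch, netfilter's state matches are not aware of the IPVS-forwarded connections, which is exactly the gap the patch is meant to close.

```shell
#!/bin/sh
# Added example (not from the thread): minimal stateful-firewall ruleset for
# an LVS-NAT director. All addresses, ports and interfaces are constructed
# placeholders. Set IPT_DRY_RUN=1 to print the commands instead of running them.

VIP="${VIP:-192.0.2.10}"            # constructed: public virtual IP
RS_NET="${RS_NET:-10.0.0.0/24}"     # constructed: real-server subnet behind the director
EXT_IF="${EXT_IF:-eth0}"            # constructed: outside interface
INT_IF="${INT_IF:-eth1}"            # constructed: inside interface towards the real servers
VS_PORTS="${VS_PORTS:-80 443}"      # constructed: ports that have IPVS virtual services

# ipt: run iptables, or print the command line when IPT_DRY_RUN=1.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# director_rules: emit the whole ruleset. Policy is DROP on INPUT and FORWARD;
# only NEW connections to the virtual services are admitted from outside, and
# everything else must belong to a connection netfilter already tracks.
director_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT
    ipt -F FORWARD

    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections netfilter is already tracking on the director.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New clients for each virtual service; IPVS picks these up on the VIP.
    for p in $VS_PORTS; do
        ipt -A INPUT -i "$EXT_IF" -p tcp -d "$VIP" --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Explicit drop for anything else arriving from outside (policy is DROP
    # already; the rule just gives you a counter to look at).
    ipt -A INPUT -i "$EXT_IF" -j DROP

    # Forwarded traffic: only tracked connections, plus NEW connections the
    # real servers themselves open towards the outside.
    # Note: per the thread, without the antefacto patch netfilter's state
    # matching does not know about the IPVS-forwarded connections.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -s "$RS_NET" -o "$EXT_IF" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -j DROP
}

# count_state_rules: number of rules in the dry-run output that match on
# conntrack state, a quick check that the ruleset really relies on tracking.
count_state_rules() {
    IPT_DRY_RUN=1 director_rules | grep -c -- '--state'
}

# Stand-alone use: IPT_DRY_RUN=1 sh director-fw.sh prints the ruleset.
# Applying it for real means sourcing the file as root and calling director_rules.
if [ "${IPT_DRY_RUN:-0}" = "1" ]; then director_rules; fi
```

Run it with `IPT_DRY_RUN=1 sh director-fw.sh` to review the generated commands before applying anything; nothing touches the live ruleset unless `director_rules` is called without the dry-run variable. The interesting check is `count_state_rules`: every ACCEPT that is not for a brand-new virtual-service client is conditional on netfilter's state table, so if netfilter cannot see the IPVS connections (the unpatched case discussed in the thread), the real-server replies do not match and the FORWARD rules fall through to DROP.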