Re: LVS-DR and fwmarks question

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: LVS-DR and fwmarks question
From: Matthew Crocker <matthew@xxxxxxxxxxx>
Date: Wed, 1 Oct 2003 16:04:01 -0400
Hello,
I'm currently using a setup where I have individual webservers which are using port based virtual hosts in apache. For instance, I have port 5678 and 5679 which map to ports 80 and 443 on a virtual host. I'm currently using a commercial solution to schedule these hosts and keep them persistent together, however I'm hoping to switch these over to my LVS-DR box.

It appears that the fwmark group is what I would want to do to keep people going to both ports persistent, but from the documentation it didn't appear that you could do port mapping while doing fwmarks. I was wondering if anyone had done this and if they could share how they made it work if they had. This would be for a shopping cart type application where switching between port "80" and "443" was necessary for security, but because the application uses php sessions it has to go back to the same server each time. It appears very easy to do if they were actually listening on port 80 and 443, but since they're not I'm very confused about the correct way to configure this.


So the client is going to 12.34.56.78:80 & 12.34.56.78:443 and you want to redirect them internally to 10.0.0.1:5678 & 10.0.0.1:5679 respectively?
This can be done with a combination of LVS, fwmark and iptables DNAT.

First step is to mark the packets with a fwmark

iptables -t mangle -A PREROUTING -d 12.34.56.78/255.255.255.255 -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -d 12.34.56.78/255.255.255.255 -i eth0 -p tcp -m tcp --dport 443 -j MARK --set-mark 0x1

Second step is to change the destination port to the correct port using DNAT

iptables -t nat -A PREROUTING -d 12.34.56.78/255.255.255.255 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 12.34.56.78:5678
iptables -t nat -A PREROUTING -d 12.34.56.78/255.255.255.255 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 12.34.56.78:5679

Third step is to load balance based off of the fwmark with persistence.

ipvsadm -A -f 1 -s wlc -p 600
ipvsadm -a -f 1 -r 10.0.0.1:0 -g -w 1
ipvsadm -a -f 1 -r 10.0.0.2:0 -g -w 1


This is all off the top of my head but it should work. Step two might be an issue because the iptables docs say the nat table only picks up socket creation packets (aka SYN packets).

Hope this helps

-Matt
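Added example (not from the thread): a small consistency check for the three-step scheme above. It parses the director's rules in iptables/ipvsadm command syntax (the constructed sample below is the thread's own rule set) and reports the mistakes that silently break cross-port persistence: a DNAT'd port with no fwmark, ports 80 and 443 carrying different marks, or a fwmark service without `-p` or without real servers.

```python
import shlex

# Constructed sample: the director rule set posted in the thread.
RULES = """
iptables -t mangle -A PREROUTING -d 12.34.56.78/255.255.255.255 -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -d 12.34.56.78/255.255.255.255 -i eth0 -p tcp -m tcp --dport 443 -j MARK --set-mark 0x1
iptables -t nat -A PREROUTING -d 12.34.56.78/255.255.255.255 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 12.34.56.78:5678
iptables -t nat -A PREROUTING -d 12.34.56.78/255.255.255.255 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 12.34.56.78:5679
ipvsadm -A -f 1 -s wlc -p 600
ipvsadm -a -f 1 -r 10.0.0.1:0 -g -w 1
ipvsadm -a -f 1 -r 10.0.0.2:0 -g -w 1
"""

def opt(argv, flag):
    """Return the token following `flag` in argv, or None if absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None

def check_rules(text):
    """Return a list of findings; an empty list means the scheme is consistent."""
    marks, dnat, services, reals = {}, {}, {}, {}
    for line in text.strip().splitlines():
        a = shlex.split(line)
        if a[0] == "iptables" and "MARK" in a:
            marks[opt(a, "--dport")] = int(opt(a, "--set-mark"), 0)
        elif a[0] == "iptables" and "DNAT" in a:
            dnat[opt(a, "--dport")] = opt(a, "--to-destination").rsplit(":", 1)[1]
        elif a[0] == "ipvsadm" and a[1] == "-A":          # virtual service
            services[int(opt(a, "-f"))] = "-p" in a         # persistence set?
        elif a[0] == "ipvsadm" and a[1] == "-a":          # real server
            reals.setdefault(int(opt(a, "-f")), []).append(opt(a, "-r"))
    findings = []
    # A port that is DNAT'd but not marked never reaches the fwmark service.
    for port in dnat:
        if port not in marks:
            findings.append(f"port {port} is DNAT'd but carries no fwmark")
    # Ports that must land on the same real server need one shared mark ...
    if len(set(marks.values())) > 1:
        findings.append(f"ports use different fwmarks: {marks}")
    # ... and that mark's service needs persistence and at least one real server.
    for mark in set(marks.values()):
        if mark not in services:
            findings.append(f"no ipvsadm service for fwmark {mark}")
        elif not services[mark]:
            findings.append(f"fwmark {mark} service has no persistence (-p)")
        if not reals.get(mark):
            findings.append(f"no real servers for fwmark {mark}")
    return findings
```

Run `check_rules` over the output of your own rule generator before loading it on the director; in the sample it returns an empty list, and dropping `-p 600` or giving port 443 a second mark produces a finding.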



The short answer is that you can't, using LVS.
But I wonder if it might be possible to change the destination
port using netfilter before or after the packets hit LVS.
Alternatively it would be possible to modify LVS to do this;
the main issue in my mind would be working out a sane
way to configure it.

--
Horms