Hi,
Yeah, that is mostly what I meant. I am not using LVS for my firewall, I just
wanted to use netfilter on this box to lock it down. I shouldn't need to do
that though, so I don't think that I want to mess with this patch right now.
I think that I'll try the iproute2 way, just because I think it is
ideologically superior.
It is superior in all aspects ;).
Wait, before I go trudging off into iproute2 land, let me ask this. If I go
the iproute2/keepalived route, then will I be able to use Netfilter without
any kernel patches? That is the whole idea, right?
Yes, the iproute2 framework doesn't conflict with netfilter, or at least
not to the point you will be exploiting it in the next couple of months,
until you start doing nasty policy routing tricks which throw netfilter
out of its concept :).
Is iproute2 as easy to set up as the eth0:185 syntax?
No, it's a nightmare, which is why people are still using the alias style of
setting up IPs.
http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO.policy_routing.html
Joe, there are some issues with the text:
o the basic problem with route/netstat -rn is that they only see the
  main table, which is rather limited.
o iproute2 very well knows the notion of IP aliases by using labels just
  like ifconfig. It's not up to the tool to decide if labels work or
  not. The misconception people have with IP aliasing is that people
  think an aliased interface is a logically separated interface while
  it is _not_. And this has been the case since 2.1.128 or so.
o ipchains doesn't recognize aliases either, because since the _2.2.x_
  kernel we moved to the iproute2 architecture, not in the 2.4.x as
  the HOWTO lists. Packet filtering on aliases stopped working after
  the decay of ipfwadm in the old 2.0.x kernel days. Today you can
  still filter on so-called IP aliases, but as the name implies you
  specify the IP ADDRESS as a classifier, and if you want to restrict
  it you add the underlying _physical_ interface definition to the
  classifying rule.
o iproute2 is compatible with ifconfig/route/netstat but not vice versa.
  The two biggest issues people new to iproute2 have to struggle with
  are:
  + if you add secondary IP addresses without a label (alias interface),
    ifconfig is confused and doesn't print the information
  + if you add rules for branching into different routing tables than
    the main routing table, route or netstat -rn will not show you those
    routes. This is also the case for blackhole, throw, unreachable and
    prohibit routes.
Ahh.. Well, I like a good scary nightmare every now and again. That is why I
learned vi after all!
Vi(m) is not scary at all, it's extremely straightforward and built for
ease-of-use :)
Thanks again for all the advice and pointers, I would still be scratching my
head if I didn't have help like this. Maybe I can even contribute to this
project in some way. I actually like writing documentation, maybe I could help
out with that once I understand it more. Of course I would have to have you
all look it over, but that is obvious.
If you guys are interested I'll offer my first semi-official release of
some of the replacement tools I've written for ifconfig/route. You can
download them from (just uploaded):
http://www.drugphish.ch/~ratz/iproute2/
HTH and best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
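As an added illustration of the two points above (labelled aliases, and routes that route/netstat -rn cannot see), here is a small script that is not part of this thread or of the LVS project. It shows the iproute2 equivalent of the eth0:185 alias, a second routing table with a policy rule and a blackhole route, and a filter that finds secondary addresses added without a label, which is exactly the case ifconfig silently omits. The interface name, addresses, gateway and table number are assumptions picked for the example, and the sample `ip -o -4 addr show` output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread above: the iproute2 equivalent of the
# "eth0:185" alias plus a policy-routed second table, and a small check for
# secondary addresses that ifconfig would hide. Interface, addresses, table
# number and gateway are assumptions chosen for illustration only.
set -eu

IFACE=${IFACE:-eth0}
VIP=${VIP:-192.168.1.185/24}
GW=${GW:-192.168.1.1}
TABLE=${TABLE:-185}

# The alias the old way: ifconfig eth0:185 192.168.1.185 netmask 255.255.255.0
# The same thing with iproute2. The "label" part is what keeps ifconfig happy;
# leave it out and the address is added, but ifconfig does not print it.
add_vip() {
    ip addr add "$VIP" dev "$IFACE" label "$IFACE:185"
}

# A second routing table, plus the rule that branches into it for traffic
# sourced from the VIP. Neither "route -n" nor "netstat -rn" read anything
# but the main table, so these routes, and the blackhole route in particular,
# only show up with "ip route show table $TABLE".
add_policy_route() {
    ip route add default via "$GW" dev "$IFACE" table "$TABLE"
    ip route add blackhole 10.0.0.0/8 table "$TABLE"
    ip rule add from "${VIP%/*}" lookup "$TABLE"
}

show_state() {
    ip -o -4 addr show dev "$IFACE"
    ip rule show
    ip route show table "$TABLE"
}

# Filter for "ip -o -4 addr show" output on stdin: print every secondary
# address whose label is just the device name, i.e. the ones added without a
# label and therefore invisible to ifconfig. Assumes the one-line format in
# which the label is the token carrying the trailing backslash.
unlabeled_secondaries() {
    awk '/ secondary / {
        for (i = 1; i <= NF; i++)
            if ($i ~ /\\$/) {
                label = substr($i, 1, length($i) - 1)
                if (label == $2) print $4
            }
    }'
}

# Constructed sample of "ip -o -4 addr show dev eth0" output (not captured
# from a real host): a primary, a labelled secondary, an unlabelled secondary.
SAMPLE_ADDR_OUTPUT=$(cat <<'EOF'
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.185/24 brd 192.168.1.255 scope global secondary eth0:185\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.186/24 brd 192.168.1.255 scope global secondary eth0\       valid_lft forever preferred_lft forever
EOF
)

case "${1:-}" in
    apply) add_vip; add_policy_route; show_state ;;   # needs root
    check) ip -o -4 addr show dev "$IFACE" | unlabeled_secondaries ;;
    *)     printf '%s\n' "$SAMPLE_ADDR_OUTPUT" | unlabeled_secondaries ;;
esac
```

Run it with no arguments to see the filter flag 192.168.1.186/24 from the constructed sample; `apply` performs the real setup as root, and `check` runs the filter against the live host. Once the address carries a label, `ifconfig` and `ip addr` agree; the routes in table 185 are still only visible through `ip route show table 185`.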