
Re: LVS-DR w/ fwmarks and no VIP on director

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: LVS-DR w/ fwmarks and no VIP on director
From: Sheldon Hearn <sheldonh@xxxxxxxxxxxxx>
Date: Thu, 08 Apr 2004 16:00:14 +0200

On Thu, 2004-04-08 at 15:17, Joseph Mack wrote:

> > Yeah, I just can't see it at all.  I've read HOWTO.fwmark and section
> > 8.2. (Routing to and accepting packets by a VIP-less director), and I
> > don't see anything that turns on a light bulb above my head. :-)
> 
> You need to arrange for the director to accept packets for the VIP. With
> 2.0 and 2.2 this was done with transparent proxy. The 2.4 TP doesn't work
> for 2.4 for LVS and you need to apply a patch to get it to work.

Oooooh, then I really _did_ misunderstand quite horribly.  I thought it
was possible to produce a VIP-less director, but that changes in the 2.4
kernel had made this (VIP-less director) incompatible with transparent
proxy.  I didn't realize that transparent proxy is actually the
mechanism through which a VIP-less director is possible!

Now I get why you asked Horms whether TP would work with 2.6. :-)

Damn, that's a bit of a spanner in the works.  But not completely
unmanageable, I guess.  I'll ask Google for a way to configure whole
ranges of aliases on network interfaces on Linux.

And now I guess I hold thumbs for word from Horms on VIP-less director
support in 2.6 kernels.

> > The real trouble will come when I have to figure out how to get the load
> > balancers on the other side of the Zorp cluster to ensure that return
> > traffic goes back through the proxy it came in through. :-)
> 
> I have not a clue what this means.

Well, I'm building a cluster of transparent TCP proxy hosts.  Since the
TCP proxies are bidirectional, it's important that all the traffic
associated with a single TCP connection pass through a single TCP proxy
host.

Therefore, not only do I need a load balancer between the proxies and
the outside world, but I also need a load balancer between the proxies
and the protected, interior hosts.  The interior load balancer will have
to keep track of the Ethernet source address of the proxy host
associated with each tracked connection, so that return traffic from the
protected, interior hosts passes out through the correct proxy host.

But I haven't done my homework on that front, so I'm not asking for help
yet.  I'll ask for help on that problem once I've read the docs with
that problem in mind. :-)

Thanks,
Sheldon.

