Hello,
On Fri, 30 Apr 2004, Joseph Mack wrote:
> > These ranges are only for the connections created from
> > the 2.2 masquerading code, not for the LVS connections:
>
> I'm not thinking at all clearly.
>
> With LVS-NAT running a persistent connection virtual service
> (eg VIP:https) all connections will be coming out of the director
> from VIP:https. I was thinking about connections originating
> from boxes NAT'ed behind a NAT router, where the client
> connections come from high ports.
>
> In regular (non-lvs) NAT for 2.4, the client (high) ports are no longer
> restricted to 61k-64k?
Yes, this is an improvement in netfilter.
> Do the NAT'ed ports collide with ports from connections made by clients
> on the NAT-router like they could with 2.2?
LVS makes sure such connections are not confirmed to
netfilter by using a hook with higher priority than the
confirmation function in LOCAL_IN. In such a case the netfilter
connections are created and dropped on each packet. Maybe the
NFCT support has a better chance of avoiding such collisions by
keeping the netfilter connection registered.
> Joe
Regards
--
Julian Anastasov <ja@xxxxxx>