Hi there,
I have a LVS setup with two directors direct routing to 4 real
servers. I have been trying to use the 'connlimit' patch from
Netfilter patch-o-matic on the director to restrict the number of
concurrent connections coming into the VIP. I have not been able to
get it working with the PREROUTING or FORWARD tables, and was
wondering if it is due to LVS that connlimit can not seem to track
connections?
I have tried this on kernel 2.4.27/ipvs1.0.11 and kernel 2.6.7/ipvs1.2
using the patch-o-matic from CVS at www.netfilter.org. I can see that
connections directed at the director IP are being detected with
connlimit, but connections passing through the VIP to the real servers
are not.
iptables -t nat -I PREROUTING -p tcp --syn --dport 25 -m connlimit \
    --connlimit-above 2 --connlimit-mask 24 -j LOG --log-level info \
    --log-prefix " 2+ SMTP connections "
Any ideas how this can be made to work on the directors?
Kind regards, Stuart.
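For readers checking what the rule above is supposed to count, here is an added example (not the poster's code, and not part of the netfilter or LVS projects) that reproduces the counting semantics of `--connlimit-above N --connlimit-mask BITS` in user space: group concurrent client connections by their source prefix and report every prefix that holds more than N of them. The source addresses are a constructed sample, and the function name `over_limit` and the variable `SAMPLE_CONNS` are assumptions of this example; on a real director the input would come from whatever lists the current connections to the VIP.

```shell
#!/bin/sh
# Constructed sample: one client source address per concurrent SMTP
# connection seen at the VIP (assumed data, not from the original post).
SAMPLE_CONNS='10.0.1.5
10.0.1.9
10.0.1.77
192.168.3.4
192.168.3.4
172.16.0.2'

# over_limit LIMIT BITS
#   Reads one source IP per line on stdin, masks each to a /BITS prefix
#   (the --connlimit-mask grouping), counts connections per prefix and
#   prints "prefix/BITS count" for every prefix whose count exceeds LIMIT,
#   i.e. the prefixes --connlimit-above LIMIT would match on.
over_limit() {
  awk -v limit="$1" -v bits="$2" '
    # prefix(ip): apply a BITS-long netmask octet by octet, portably
    # (no bit operators in POSIX awk, so use integer division by 2^(8-k)).
    function prefix(ip,    o, i, k, step, m, out) {
      split(ip, o, ".")
      out = ""
      for (i = 1; i <= 4; i++) {
        k = bits - 8 * (i - 1)          # mask bits that fall in this octet
        if (k > 8) k = 8
        if (k < 0) k = 0
        step = 2 ^ (8 - k)
        m = int(o[i] / step) * step     # clear the host bits of this octet
        out = out (i > 1 ? "." : "") m
      }
      return out "/" bits
    }
    NF { count[prefix($1)]++ }
    END {
      for (p in count)
        if (count[p] > limit) print p, count[p]
    }
  ' | sort
}

# Same parameters as the rule in the post: more than 2 connections per /24.
printf '%s\n' "$SAMPLE_CONNS" | over_limit 2 24
```

With the sample above, only 10.0.1.0/24 (three connections) exceeds the limit of 2; the two connections from 192.168.3.4 are under it. Running the same input with `over_limit 1 32` switches to per-host counting and reports 192.168.3.4/32 instead, which is a quick way to see what changing `--connlimit-mask` does before putting a rule on the director.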