
Re: Bug or "feature"?

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: Bug or "feature"?
From: Dean Holland <dean.holland@xxxxxxxxxxxxxx>
Date: Thu, 16 Dec 2004 09:42:03 +0800
We are using the patch from the following URL:

http://www.ssi.bg/~ja/nfct/

which adds the netfilter conntrack entries for LVS-NAT or LVS-DR with
the director as the gateway (which is the setup I run here).


On Wed, 2004-12-15 at 19:52 +0000, Malcolm Turnbull wrote:
> 
> I think LVS uses the INPUT and OUTPUT chain rather than FORWARD
> which is why it's not recommended to be used as a firewall as well.
> 
> I could be wrong as usual.....
> 
> Regards,
> 
> Malcolm Turnbull.
> 
> Loadbalancer.org Limited
> +44 (0)7715 770523
> http://www.loadbalancer.org/
> 
> 
>  " When a single point of failure is not an option"
> 
> Why not try our online demonstration 
> <http://www.loadbalancer.org/demo.html> ? Or get answers to common 
> questions <http://www.loadbalancer.org/fud.html> ?
> 
> 
> 
> Klavs Klavsen wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi guys,
> >
> > I am running LVS with NAT setup (kernel 2.4.27) and have noticed a
> > serious problem (with how it works with Netfilter) which I wanted to
> > know if really is a bug - or "feature"?
> >
> > What I've noticed, is that when I get requests to my virtual addresses -
> > it forwards these to the realservers - but apparently the request is
> > NOT added to the Netfilter ESTABLISHED table - so the response from the
> > realserver is not allowed out - unless I specifically allow everything out
> > from the realservers service-ports (http and https in this case) :(
> >
> > Am I just mistaken, in thinking a connection established from the
> > outside should be added to the LVS (with the "by LVS" rewritten
> > address), so it will match an ESTABLISHED on the way out?
> >
> > Thank you in advance
> > - --
> > Regards,
> > Klavs Klavsen, GSEC - kl@xxxxxxx - http://www.vsen.dk
> > PGP: 7E063C62/2873 188C 968E 600D D8F8  B8DA 3D3A 0B79 7E06 3C62
> >
> > "Those who do not understand Unix are condemned to reinvent it, poorly."
> > ~  --Henry Spencer
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.6 (GNU/Linux)
> >
> > iD8DBQFBwIH+PToLeX4GPGIRAjtYAJ4tNWAAsIwu4wyVeG9NlcDOfchhSACfYNa8
> > bTyBIwyrVWB4/BGhDx5HbWo=
> > =Hk8k
> > -----END PGP SIGNATURE-----
> > _______________________________________________
> > LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > or go to http://www.in-addr.de/mailman/listinfo/lvs-users
> 
> 
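
The symptom discussed in this thread, LVS connections that have no matching netfilter conntrack entry, can be checked on a director by comparing the two kernel tables. The script below is an added example, not part of any message in the thread. It assumes the 2.4-era `/proc/net/ip_vs_conn` and `/proc/net/ip_conntrack` text formats, assumes a tracked connection is listed with the client-to-virtual-address tuple first, and runs on constructed sample data.

```python
import re
import socket
import struct

# Constructed sample of /proc/net/ip_vs_conn (addresses and ports are hexadecimal).
IPVS_SAMPLE = """\
Pro FromIP   FPrt ToIP     TPrt DestIP   DPrt State       Expires
TCP C0000205 C350 CB007101 0050 0A000002 0050 ESTABLISHED     899
TCP C0000206 C351 CB007101 01BB 0A000003 01BB ESTABLISHED     870
"""

# Constructed sample of /proc/net/ip_conntrack: only the first connection is tracked.
CONNTRACK_SAMPLE = """\
tcp      6 431990 ESTABLISHED src=192.0.2.5 dst=203.0.113.1 sport=50000 dport=80 src=10.0.0.2 dst=192.0.2.5 sport=80 dport=50000 [ASSURED] use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def hex_ip(h):
    """Convert an 8-digit hex address as printed by ip_vs_conn to dotted quad."""
    return socket.inet_ntoa(struct.pack("!I", int(h, 16)))

def parse_ipvs(text):
    """Return one dict per LVS connection: client, virtual and real endpoints."""
    conns = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) < 8:
            continue
        conns.append({"proto": f[0].lower(),
                      "client": (hex_ip(f[1]), int(f[2], 16)),
                      "vip": (hex_ip(f[3]), int(f[4], 16)),
                      "real": (hex_ip(f[5]), int(f[6], 16)),
                      "state": f[7]})
    return conns

def parse_conntrack(text):
    """Return the set of (proto, (src, sport), (dst, dport)) original-direction tuples."""
    tracked = set()
    for line in text.splitlines():
        m = TUPLE_RE.search(line)               # first tuple on the line = original direction
        if m:
            src, dst, sport, dport = m.groups()
            tracked.add((line.split()[0], (src, int(sport)), (dst, int(dport))))
    return tracked

def untracked(ipvs_text, conntrack_text):
    """LVS connections whose client->VIP tuple is absent from conntrack."""
    tracked = parse_conntrack(conntrack_text)
    return [c for c in parse_ipvs(ipvs_text)
            if (c["proto"], c["client"], c["vip"]) not in tracked]
```

Any connection this reports is one whose replies cannot match an ESTABLISHED rule and so depend on an explicit allow rule for the realserver's service port.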
