From the HOWTO document (http://www.ssi.bg/~ja/nfct/HOWTO.txt):
"The conntrack support is useful for LVS-NAT setups and
for non-NAT methods if forward_shared flag is used to allow real
servers to use the director as default gateway. By this way, we have
proper conntrack state updated in reply direction."
It will only work if the director is the gateway for the realservers. My
understanding of conntrack is a little rusty, but as I understand it the patch
lets IPVS place the entry in the conntrack table as a new connection
(SYN_SENT). If the SYN/ACK from the realserver doesn't go through the director
then the conntrack entry can't be updated to ESTABLISHED.
Regards
Dean
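A simplified model of the behaviour Dean describes, added here as an example and not part of the original thread: netfilter's state match reports a connection as NEW until a packet in the reply direction has been seen, so a director that only ever sees the client-to-VIP direction (LVS-DR without forward_shared) never gets an ESTABLISHED entry. The packet traces and the Packet/ConnEntry names are constructed for this illustration.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    direction: str   # "orig" (client -> VIP) or "reply" (realserver -> client)
    flags: str       # TCP flags seen on the packet: "S", "SA" or "A"

@dataclass
class ConnEntry:
    proto_state: str = "NONE"   # conntrack's TCP protocol state
    seen_reply: bool = False    # set once any reply-direction packet is seen

    def ctstate(self) -> str:
        # What "-m state --state" reports: NEW until a reply has been seen.
        return "ESTABLISHED" if self.seen_reply else "NEW"

def track(packets):
    """Feed the packets the director sees; return the ctstate for each one."""
    entry = ConnEntry()
    states = []
    for p in packets:
        if p.direction == "orig" and p.flags == "S" and entry.proto_state == "NONE":
            entry.proto_state = "SYN_SENT"      # SYN from client: new entry
        elif p.direction == "reply" and p.flags == "SA" and entry.proto_state == "SYN_SENT":
            entry.proto_state = "SYN_RECV"      # SYN/ACK from realserver
        elif p.direction == "orig" and p.flags == "A" and entry.proto_state == "SYN_RECV":
            entry.proto_state = "ESTABLISHED"   # handshake completed
        if p.direction == "reply":
            entry.seen_reply = True
        states.append(entry.ctstate())
    return states

# Constructed trace: director is the realservers' gateway (LVS-NAT, or DR with
# forward_shared), so it sees both directions of the handshake.
GATEWAY_TRACE = [Packet("orig", "S"), Packet("reply", "SA"),
                 Packet("orig", "A"), Packet("orig", "A")]
# Constructed trace: LVS-DR with realservers replying directly to the client,
# so the director only ever sees the original direction.
DR_TRACE = [Packet("orig", "S"), Packet("orig", "A"), Packet("orig", "A")]

def gateway_states():
    return track(GATEWAY_TRACE)

def dr_states():
    return track(DR_TRACE)

if __name__ == "__main__":
    print("gateway:", gateway_states())
    print("DR     :", dr_states())
```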
-----Original Message-----
From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx on behalf of Alexander Piavka
Sent: Tue 21-Dec-04 6:36 PM
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Cc:
Subject: LVS-DR + ipvs_nfct does not work
Hi,
I have an LVS-DR setup; the director has an iptables firewall
but is NOT the default gateway of the realservers, thus it sees packets
in one direction only.
The LVS doc states that:
IPVS always knows the conn state (NEW/RELATED/ESTABLISHED), it is
simply exported to the netfilter conntracking.
by the ipvs_nfct patch, as I understand.
I've recompiled the director with the ipvs_nfct patch
and enabled it with:
echo 1 > /proc/sys/net/ipv4/vs/conntrack
But the connection tracking iptables rules still work in the same way:
the state of connections is always NEW without the SYN flag (except the
first packet) and is not moved to ESTABLISHED.
Does that mean that the patch does not work as expected? As Julian
states in the LVS doc, this patch should work when the director is not the
gateway of the realservers as well.
Please advise.