Hi
On Tue 29 Mar 2005 13:09:58 BST , Robbert-Jan Roos <rj-list@xxxxxxx> wrote:
> Is there a clean way to connect to the virtual ip of a LVS-NAT
> director from a realserver?
<snip>
Much discussed; see various threads with subjects such as "realserver as
client". In a nutshell there is no easy way to make it work, but... read on.
<snip>
> Since the rip1 sends out a packet to vip, but receives the answer from
> rip2 it cannot set up a tcp connection. The cleanest solution to this
> (i guess) would be to implement source routing on the lvs:
>
> iptables -t nat -A POSTROUTING -s rip1 -d rip2 -j SNAT --to-source router
>
> Unfortunately this doesn't work. The packet is not rewritten.
> What I'm trying to accomplish is this chain:
>
> rip1 -> vip # outgoing from rip1
> rip1 -> rip2 # dnat by lvs
> router -> rip2 # snat by lvs
> rip2 -> router # response from rip2
> vip -> router # reverse the dnat
> vip -> rip1 # reverse the snat
>
> Is this possible?
Presently, no. The way the packet traverses the various tables is modified by
the IPVS code, such that it's not possible to do the SNAT you want. This
happens in the POSTROUTING part of the nat table, and at this point the IPVS
code hooks the packet out of that table and does its own thing before placing
the packet on the wire. Therefore, any POSTROUTING magic you wanted to do with
netfilter/iptables is ignored.
However...
I worked around this by mixing up LVS-NAT for "external" clients, and LVS-DR
for "internal" clients - i.e. the realservers. It's complex, but it doesn't
involve any terrible magic. See

http://www.in-addr.de/pipermail/lvs-users/2005-March/013517.html

for a more detailed explanation. An interesting, and useful, side-effect of
this is that when a realserver wants to connect to a VIP which it is handling,
it'll connect to itself - which reduces greatly the amount of traffic
traversing the RS -> Director -> RS network and means that the amount of
actual load-balancing is reduced too.
Hope that helps
Graeme
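Added illustration, not part of the thread above and not Graeme's or Robbert-Jan's code: a small Python model of the packet flow in the two cases discussed. It traces the 5-tuple rewrites a LVS-NAT director performs, shows why a SYN from rip1 to the VIP comes back as a SYN-ACK from rip2 (the reply to a same-subnet host never passes back through the director, so the NAT is never reversed), and why the same client succeeds once the VIP is configured locally on the realserver as in the LVS-DR arrangement. All addresses, subnets and the "replies to the local subnet go direct" routing rule are constructed assumptions for the example.

```python
"""Toy model of LVS-NAT vs. LVS-DR when a realserver is the client.

Assumed (constructed) addressing: the realservers share one subnet, the
director is their default gateway, and the VIP is off that subnet.
"""
from dataclasses import dataclass, replace

VIP = "10.0.0.100"        # assumed virtual IP
RIP1 = "10.0.1.1"         # assumed realserver acting as client
RIP2 = "10.0.1.2"         # assumed realserver chosen by the scheduler
RS_SUBNET = "10.0.1."     # assumed realserver subnet prefix


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str            # "SYN" or "SYN-ACK"


def director_nat_forward(pkt: Packet, chosen_rs: str) -> Packet:
    """LVS-NAT forward path: IPVS rewrites dst VIP -> RIP and keeps src.

    IPVS takes the packet out of the nat table here, so an iptables
    POSTROUTING SNAT rule on the director would not be applied to it.
    """
    if pkt.dst != VIP:
        return pkt
    return replace(pkt, dst=chosen_rs)


def director_nat_reverse(pkt: Packet, rs: str) -> Packet:
    """LVS-NAT return path: src RIP -> VIP, only for traffic routed via the director."""
    if pkt.src == rs:
        return replace(pkt, src=VIP)
    return pkt


def realserver_reply(pkt: Packet) -> Packet:
    """The realserver answers from whatever destination address it received."""
    return Packet(src=pkt.dst, dst=pkt.src, flags="SYN-ACK")


def reply_goes_via_director(reply: Packet) -> bool:
    """Assumed routing: on-subnet destinations are reached directly, everything
    else goes to the default gateway (the director)."""
    return not reply.dst.startswith(RS_SUBNET)


def client_accepts(syn: Packet, synack: Packet) -> bool:
    """A TCP client only matches a SYN-ACK whose src/dst mirror its own SYN."""
    return synack.flags == "SYN-ACK" and synack.src == syn.dst and synack.dst == syn.src


def nat_connect(client: str, chosen_rs: str = RIP2):
    """Client -> VIP through a LVS-NAT director; returns (accepted, reply)."""
    syn = Packet(client, VIP, "SYN")
    forwarded = director_nat_forward(syn, chosen_rs)
    reply = realserver_reply(forwarded)          # src = chosen RIP, dst = client
    if reply_goes_via_director(reply):
        reply = director_nat_reverse(reply, chosen_rs)
    return client_accepts(syn, reply), reply


def dr_connect_from_realserver(client: str = RIP1):
    """LVS-DR for internal clients: the VIP is configured locally (lo, ARP-hidden)
    on every realserver, so a connection from the realserver to the VIP is
    delivered to the host itself and never reaches the director."""
    local_addrs = {client, VIP}
    syn = Packet(client, VIP, "SYN")
    if syn.dst in local_addrs:
        reply = realserver_reply(syn)             # src = VIP, dst = client
        return client_accepts(syn, reply), reply, "local"
    raise AssertionError("unreachable in this model: VIP is always local")


if __name__ == "__main__":
    ok, rep = nat_connect("192.0.2.10")           # external client, constructed address
    print("external client via LVS-NAT:", ok, rep)
    ok, rep = nat_connect(RIP1)                   # realserver as client
    print("realserver via LVS-NAT:     ", ok, rep)
    ok, rep, path = dr_connect_from_realserver()
    print("realserver via LVS-DR:      ", ok, rep, path)
```

Running it prints the external client succeeding (the reply is un-NATed to src VIP on its way out through the director), the realserver client failing (it receives a SYN-ACK with src rip2, which its TCP stack does not associate with the SYN it sent to the VIP), and the LVS-DR case succeeding without any packet leaving the host.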