Re: [RFC PATCH] Using LVS as a way to provide load-balanced internet

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [RFC PATCH] Using LVS as a way to provide load-balanced internet
From: Ludo Stellingwerff <ludo@xxxxxxxxxxxxx>
Date: Fri, 29 Jul 2005 16:06:06 +0200
> what is the -j about here? you don't have a -g (or whatever) at the
> end of the line. Did you have to hack ipvsadm too? Are the gateway
> addresses private or public? Are dev1/2 public or private
> addresses?
>
>
> #ipvsadm -a -f 1 -j -r <gateway1>
> #ipvsadm -a -f 1 -j -r <gateway2>
>
>
Yes, I have also sent a patch for ipvsadm, introducing the reinject
director option.

>> And because of the reinjection you can normally SNAT/MASQ
>> traffic:
>
>
> Not sure what's going on here. dev1/2 are the output devices on the
> director and have private addresses? You're then NAT'ing these
> private addresses to what? Presumably the address on the gateway?

Time for ASCII art:
                              ------------- Internet gateway 1 ------------------ ISP
                             /              (e.g. modem)
                        dev1 with Public address 1
                          /
LAN ------------------> Router/Director
Private addresses         \
                        dev2 with Public address 2
                             \
                              ------------- Internet gateway 2 ------------------ ISP

To match the outgoing (Forwarded) traffic I use a fwmark as selector
and introduced a LVS_netfilter hook at NF_FORWARD.

I use the Internet gateways as real servers. But, like direct routing, I
don't modify the traffic at all; I only modify the routing decision on
the director.

I could reach the same result using direct routing, but then I
couldn't SNAT the private addresses to public addresses. Therefore I
introduced the reinject director, which only changes the routing
decision and then returns to normal routing with NF_ACCEPT on the
hook. The packet will then go on like normal, but with a new route.

This effect is similar to the iptables ROUTE target, but with the
added features of LVS. (caching, persistence, etc.)

Hopefully this makes the situation clearer,
Greetings,
Ludo.

-- 
Ludo Stellingwerff

V&S B.V. The Netherlands
ProTactive firewall solution.
Tel: +31 172 416116
Fax: +31 172 416124

site: www.protactive.nl
demo: http://www.protactive.nl:81/netview.html
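
The forwarding path described in this message, as a simplified user-space model added to this page (not code from the patch, ipvsadm or the LVS kernel module). The addresses, the round-robin scheduler, the per-source persistence table and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import cycle

# Constructed topology: documentation addresses stand in for the two uplinks.
GATEWAYS = [
    {"gw": "198.51.100.1", "dev": "dev1", "public": "198.51.100.10"},
    {"gw": "203.0.113.1", "dev": "dev2", "public": "203.0.113.10"},
]
LAN_PREFIX = "192.168.1."   # constructed private LAN range
SERVICE_FWMARK = 1          # corresponds to "-f 1" in the quoted ipvsadm lines

@dataclass
class Packet:
    src: str
    dst: str
    fwmark: int = 0
    out_dev: str = ""       # routing decision: egress device
    next_hop: str = ""      # routing decision: chosen gateway

class Director:
    def __init__(self):
        self._rr = cycle(GATEWAYS)   # scheduler (round-robin is an assumption)
        self._persist = {}           # LAN source address -> gateway

    def mangle(self, pkt):
        # Stand-in for a firewall rule that marks LAN-originated traffic.
        if pkt.src.startswith(LAN_PREFIX):
            pkt.fwmark = SERVICE_FWMARK

    def forward_hook(self, pkt):
        # Reinject: choose a gateway, change only the route, hand the packet back.
        if pkt.fwmark == SERVICE_FWMARK:
            if pkt.src not in self._persist:
                self._persist[pkt.src] = next(self._rr)
            gw = self._persist[pkt.src]
            pkt.out_dev, pkt.next_hop = gw["dev"], gw["gw"]
        return "NF_ACCEPT"

    def postrouting_snat(self, pkt):
        # Ordinary SNAT still runs afterwards, keyed on the new egress device.
        public = {g["dev"]: g["public"] for g in GATEWAYS}
        if pkt.out_dev in public:
            pkt.src = public[pkt.out_dev]

    def process(self, src, dst):
        pkt = Packet(src, dst)
        self.mangle(pkt)
        verdict = self.forward_hook(pkt)
        seen_by_hook = (pkt.src, pkt.dst)   # addresses as the hook left them
        self.postrouting_snat(pkt)
        return verdict, seen_by_hook, pkt
```

Because the source address is rewritten to the public address of the chosen device, replies return through the same ISP that carried the request, and the persistence table keeps one LAN host on one uplink.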

