> what is the -j about here? you don't have a -g (or whatever) at the
> end of the line. Did you have to hack ipvsadm too? Are the gateway
> addresses private or public? Are dev1/2 public or private
> addresses?
>
>
> #ipvsadm -a -f 1 -j -r <gateway1>
> #ipvsadm -a -f 1 -j -r <gateway2>
>
>
Yes, I have also sent a patch for ipvsadm, introducing the reinject
director option.
>> And because of the reinjection you can normally SNAT/MASQ
>> traffic:
>
>
> Not sure what's going on here. dev1/2 are the output devices on the
> director and have private addresses? You're then NAT'ing these
> private addresses to what? Presumably the address on the gateway?
Time for ASCII art:

                                      ------------- Internet
                       gateway 1 ------------------ ISP
                      /                              (e.g. modem)
          dev1 with Public address 1
                    /
LAN ------------------> Router/Director
Private addresses         \
                      dev2 with Public address 2
                            \
                              ------------- Internet
                       gateway 2 ------------------ ISP

To match the outgoing (forwarded) traffic I use a fwmark as selector
and introduced an LVS netfilter hook at NF_FORWARD.
I use the Internet gateways as real servers. But like direct routing I
don't modify the traffic at all, I only modify the routing decision on
the director.
I could reach the same result using direct routing, but then I
couldn't SNAT the private addresses to public addresses. Therefore I
introduced the reinject director, which only changes the routing
decision and then returns to normal routing with NF_ACCEPT on the
hook. The packet will then go on like normal, but with a new route.
This effect is similar to the iptables ROUTE target, but with the
added features of LVS (caching, persistence, etc.).
Hopefully this makes the situation clearer,
Greetings,
Ludo.
--
Ludo Stellingwerff
V&S B.V. The Netherlands
ProTactive firewall solution.
Tel: +31 172 416116
Fax: +31 172 416124
site: www.protactive.nl
demo: http://www.protactive.nl:81/netview.html