On 19/09/05, mquich <mquich@xxxxxxxxx> wrote:
> On 16/09/05, mquich <mquich@xxxxxxxxx> wrote:
> > On 16/09/05, mquich <mquich@xxxxxxxxx> wrote:
> > > It looks like when I send the packets again to my machine with
> > > "REDIRECT", ipvs can see them, but if it has a default gateway, it
> > > forwards through it and ipvs can't see them.
> > >
> > > I'm going to run more tests ... but if anyone could help, please let me
> > > know
> > >
> >
> > Hi again!
> >
> > I've tracked packets through iptables and I see that when ipvs hits
> > the packet (when I use "REDIRECT") is when the packet passes through
> > the "filter input table" of iptables. When ipvs doesn't hit, the packet
> > doesn't pass through that table; it is forwarded directly.
> >
> > Does ipvs check the packets when they pass through the "filter input table"
> > of iptables, or am I wrong?
> >
> >
> > Thanks!
> >
>
> No hints about this? Does anybody know how to solve this? What am I doing wrong?
>
I go on with my own battle; here's what I've discovered:

1. Packets get to iptables and pass through these chains:
mangle_prerouting->nat_prerouting->routing_decision->...
2. My problem is that if the director (LVS1) catches the packet in
"nat_prerouting" using "REDIRECT" in iptables in order to send it to
dansguardian, it changes DST_IP to DR_IP and DST_PORT to
DANSGUARDIAN_PORT. After this, ipvs sees the packet and if it decides
to forward it to another realserver, let's say LVS2, this packet
arrives at it with DST_IP and DST_PORT incorrect.
3. I've been testing "ip route ..." & "ip rule ..." commands and "tc"
in order to make packets visible to ipvs before they arrive at
"nat_prerouting" but I haven't been able to get it.

And here's my question ... Is there any way or patch to apply (to
kernel, ipvs, iptables, ...) that makes ipvs see the packets before
they get to "nat_prerouting"?

I'd be very pleased if some of the LVS gurus could help me!!!

Thanks!
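
A simplified Python model of the packet path described in this message, added here as an illustration and not part of the original post. It assumes ipvs only schedules locally destined packets after the filter input chain, and a direct-routing style of forwarding that leaves headers untouched; the addresses, port and function names are constructed.

```python
from dataclasses import dataclass, replace

# Constructed values for illustration (documentation address ranges).
DR_IP, DANSGUARDIAN_PORT = "192.0.2.1", 8080
LOCAL_ADDRS = {DR_IP}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def nat_prerouting(pkt, redirect):
    # REDIRECT rewrites the destination to the local address and the chosen port.
    if redirect and pkt.dport == 80:
        return replace(pkt, dst=DR_IP, dport=DANSGUARDIAN_PORT)
    return pkt


def traverse(pkt, redirect, virtual_services):
    """Return (chains traversed, packet as ipvs would forward it or None)."""
    path = ["mangle_prerouting", "nat_prerouting"]
    pkt = nat_prerouting(pkt, redirect)
    path.append("routing_decision")
    if pkt.dst not in LOCAL_ADDRS:
        # Not for this host: routed on via the default gateway.
        path.append("filter_forward")
        return path, None          # ipvs scheduling never sees the packet
    path.append("filter_input")    # locally destined: ipvs runs after this
    if (pkt.dst, pkt.dport) in virtual_services:
        path.append("ipvs")
        return path, pkt           # assumed DR-style: headers left as they are
    return path, None


def demo():
    client_pkt = Packet("198.51.100.7", "203.0.113.50", 80)
    services = {(DR_IP, DANSGUARDIAN_PORT)}
    return (traverse(client_pkt, True, services),
            traverse(client_pkt, False, services))


if __name__ == "__main__":
    for path, forwarded in demo():
        print(" -> ".join(path), "|", forwarded)
```
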