Hi again!!!
I don't know if what I'm posting is nonsense or if it's really so
obscure that nobody understands me, but I feel really sad because
nobody says anything at all.
I'd be happy if somebody could say something about my problem ...
maybe a THAT'S IMPOSSIBLE ... or TRY THIS ... or something ... but
there are no answers at all ... I don't understand.
Well, let's see if somebody can answer me. I just wanted to know if
there's a way to know if a packet has passed through ipvsadm in order
to catch it with iptables or ebtables or something. I've seen that if it's
routed, it gets to the destination with SRC_MAC=DIRECTOR_MAC but if
it's delivered locally, I see SRC_MAC=CLIENT_MAC.
It would be great if anyone could tell me that packets that have
passed through ipvsadm have "something" (a bit in ip headers, a
MAC_ADDRESS change, ... , something that I could check in
iptables/ebtables).
If this isn't the place to ask these questions, please let me know
and I'll go away.
Thanks.
On 21/09/05, mquich <mquich@xxxxxxxxx> wrote:
> On 19/09/05, mquich <mquich@xxxxxxxxx> wrote:
> > On 16/09/05, mquich <mquich@xxxxxxxxx> wrote:
> > > On 16/09/05, mquich <mquich@xxxxxxxxx> wrote:
> > > > It looks as if, when I send the packets again to my machine with
> > > > "REDIRECT", then ipvs can see them but if it has a default gateway, it
> > > > forwards through it and ipvs can't see them.
> > > >
> > > > I'm going to make more tests ... but if anyone could help, please let
> > > > me know
> > > >
> > >
> > > Hi again!
> > >
> > > I've tracked packets through iptables and I see that when ipvs hits
> > > the packet (when I use "REDIRECT") is when the packet passes through
> > > "filter input table" of iptables. When ipvs doesn't hit, the packet
> > > doesn't pass through that table, it is forwarded directly.
> > >
> > > Does ipvs check the packets when they pass through "filter input table"
> > > of iptables or am I wrong?
> > >
> > >
> > > Thanks!
> > >
> >
> > No hints about this? Does anybody know how to solve this? What am I doing wrong?
> >
>
> I go on with my own battle, here's what I've discovered:
>
> 1. Packets get to iptables and pass through these chains:
> mangle_prerouting->nat_prerouting->routing_decision->...
> 2. My problem is that if the director (LVS1) catches the packet in
> "nat_prerouting" using "REDIRECT" in iptables in order to send it to
> dansguardian, it changes DST_IP to DR_IP and DST_PORT to
> DANSGUARDIAN_PORT. After this, ipvs sees the packet and if it decides
> to forward it to another realserver, let's say LVS2, this packet
> arrives at it with DST_IP and DST_PORT incorrect.
> 3. I've been testing "ip route ..." & "ip rule ..." commands and "tc"
> in order to make packets visible to ipvs before they arrive to
> "nat_prerouting" but I haven't been able to get it.
>
> And here's my question ... Is there any way or patch to apply (to
> kernel, ipvs, iptables, ...) that makes ipvs see the packets before
> they get to "nat_prerouting"?
>
> I'd be very pleased if some of the LVS gurus could help me!!!
>
> Thanks!
>