Re: Problem solved .. but unable to use VIP for all ports using FW mark

To:	"LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject:	Re: Problem solved .. but unable to use VIP for all ports using FW mark
From:	Ranga Nathan <kairanga@xxxxxxx>
Date:	Sun, 20 Nov 2005 00:52:56 -0800

When I set the firewall marks based on the destination like below,everything worked.

ild2:~ # iptables -t mangle -A PREROUTING -d 172.21.113.89/32 -j MARK--set-mark 100

I was going by the examples inhttp://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.fwmark.html whichset the mark on the source!


Wasted more than 2 hours trying all the options!
:-(

The

Ranga Nathan wrote:

I traced it down to my ldirectord configuration. I assumed that theVIP is available for all ports. But the configuration opens only port80 and I was testing with ssh connection. I changed the port to 22,and it worked fine.Now I really want to cluster for all ports for a given VIP. Accordingto the instructions I should use a firewall mark for this. So I now have:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

all -- 172.21.113.89 anywhere MARK match0x64


and in ipvsadm.rules:
-A  -f 100 -s rr -p
-a -f 100  -r 172.21.113.87  -g -w 1
-a -f 100  -r 172.21.113.88  -g -w 1

and the ldirectord configuration is:
checktimeout=20
checkinterval=5
autoreload=yes
quiescent=no
logfile="info"
virtual=100
   real=127.0.0.1:0 gate 1 ".healthcheck.html" "OKAY"
   real=172.21.113.87:0 gate 1 ".healthcheck.html" "OKAY"
   real=172.21.113.88:0 gate 1 ".healthcheck.html" "OKAY"
   service=http
   checkport=80
   protocol=fwm
   scheduler=wrr
   checktype=negotiate
   fallback=127.0.0.1

But all access to the 172.21.113.89 go to the load director!

Ranga Nathan wrote:

When a real server goes down ( I forced reboot), ldirectord does notremove the entry from ipvsadm table. As a result a reconnection tothe common IP from the same client fails. It tries to go to the sameclient. I am using roundrobin. I expect ldirectord to remove an entryas soon as it loses the http link. From then on any new connectionshould use the remaining real servers.


This is a shot of my ipvsadm  watch ...

Every 2s: ipvsadm -L -n Fri Nov 1823:05:32 2005


IP Virtual Server version 1.2.0 (size=4096)
Prot LocalAddress:Port Scheduler Flags
 -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.21.113.89:80 wrr
 -> 172.21.113.88:80             Route   1      0          0
 -> 172.21.113.87:80             Route   1      0          0
TCP  172.21.113.89:0 rr persistent 360
 -> 172.21.113.88:0              Route   1      0          0
 -> 172.21.113.87:0              Route   1      1          0


Here is the config for ldirecgtord ( I created based on an example)

checktimeout=20
checkinterval=5
autoreload=yes
quiescent=no
logfile="info"
virtual=172.21.113.89:80
   real=127.0.0.1:80 gate 1 ".healthcheck.html" "OKAY"
   real=172.21.113.87:80 gate 1 ".healthcheck.html" "OKAY"
   real=172.21.113.88:80 gate 1 ".healthcheck.html" "OKAY"
   service=http
   checkport=80
   protocol=tcp
   scheduler=wrr
   checktype=negotiate
   fallback=127.0.0.1

Here is the network config for the load director:
eth0      Link encap:Ethernet  HWaddr 00:08:74:32:4B:73

inet addr:172.21.112.1 Bcast:172.21.115.255Mask:255.255.252.0

         inet6 addr: fe80::208:74ff:fe32:4b73/64 Scope:Link
         UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:3542 errors:0 dropped:0 overruns:0 frame:0
         TX packets:2250 errors:0 dropped:0 overruns:0 carrier:0
         collisions:2 txqueuelen:1000
         RX bytes:449504 (438.9 Kb)  TX bytes:261717 (255.5 Kb)

eth0:0    Link encap:Ethernet  HWaddr 00:08:74:32:4B:73

inet addr:172.21.113.89 Bcast:172.21.115.255Mask:255.255.252.0

         UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1

_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users

_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users

<Prev in Thread]	Current Thread	[Next in Thread>
ldirectord not removing entries when real server is down, Ranga Nathan Problem solved .. but unable to use VIP for all ports using FW mark, Ranga Nathan Re: Problem solved .. but unable to use VIP for all ports using FW mark, Ranga Nathan <= Re: Problem solved .. but unable to use VIP for all ports using FW mark, Horms

Previous by Date:	Problem solved .. but unable to use VIP for all ports using FW mark, Ranga Nathan
Next by Date:	[ldirectord]: proxy_http test for Squid proxy with additionnal modules (squidguard, dansguardian, antivirus...), Lemaire, Olivier
Previous by Thread:	Problem solved .. but unable to use VIP for all ports using FW mark, Ranga Nathan
Next by Thread:	Re: Problem solved .. but unable to use VIP for all ports using FW mark, Horms
Indexes:	[Date] [Thread] [Top] [All Lists]