Re: Active ftp w/ lvs NAT broken?

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: Active ftp w/ lvs NAT broken?
From: Horms <horms@xxxxxxxxxxxx>
Date: Wed, 30 Nov 2005 01:43:37 +0000 (UTC)
Mark de Vries <markdv.lvsuser@xxxxxxxxxx> wrote:
> On Wed, 23 Nov 2005, Joseph Mack NA3T wrote:
>> On Wed, 23 Nov 2005, Graeme Fowler wrote:
>> > Yes, netfilter/iptables does interact with LVS.
>> >
>> > Under LVS-NAT you need to make sure that the traffic
>> > exiting the director on the client side is what the client
>> > expects. That means SNAT (or masquerade).
>> the original implementation doesn't need any iptables rules;
>> the ftp helper and the lvs code handle it all. Unless
> That's exactly what I thought. But...
>> there's a change in spec (intentional that no-one has made
>> clear, or unintentional through bitrot), you still shouldn't
>> need iptables rules.
> Then apparently it is suffering from bitrot.
> Most examples use only a single IP on the director and act as masquerading
> box for the realservers too. In those simple setups, any connection not
> properly SNATed by ip_vs will be 'fixed' by the masquerade rule
> automagically... Maybe that's why not a lot of people notice the problem?
> I'll compile a kernel with debug support and see if I can prove/disprove
> any bitrot that way...

Please do. Ftp certainly should work if it's on port 21 and the ip_vs_ftp
module is loaded. As of about a year or so ago ipvsadm loads that module
automatically if it sees a port 21 service.
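The thread boils down to three things worth checking on an LVS-NAT director before blaming bitrot: is there a port-21 virtual service, is ip_vs_ftp actually loaded, and is a MASQUERADE rule present that could be papering over a missing helper. The script below is an added example, not code from the thread or from the LVS project; it takes the text of `ipvsadm -L -n`, `lsmod` and `iptables -t nat -S` as arguments, and the sample outputs are constructed to mirror those tools' formats.

```shell
#!/bin/sh
# Added example (not from the thread): check the conditions discussed above
# on an LVS-NAT director. Each function takes command output as a string so
# the logic can be exercised on constructed samples without root.

# 0 if the ipvsadm listing has a TCP virtual service on port 21.
has_ftp_service() {
    printf '%s\n' "$1" | grep -Eq '^TCP[[:space:]]+[0-9.]+:21([[:space:]]|$)'
}

# 0 if lsmod shows the ip_vs_ftp helper loaded.
has_ftp_helper() {
    printf '%s\n' "$1" | grep -Eq '^ip_vs_ftp[[:space:]]'
}

# 0 if the nat table carries a MASQUERADE rule (can hide a missing helper,
# as the thread notes: masquerade "fixes" connections ip_vs did not SNAT).
has_masquerade() {
    printf '%s\n' "$1" | grep -Eq -- '-j MASQUERADE'
}

# Prints one of: no-ftp-service, missing-helper, masked-by-masquerade, ok
check_lvs_ftp() {
    if ! has_ftp_service "$1"; then
        echo "no-ftp-service"
    elif ! has_ftp_helper "$2"; then
        echo "missing-helper"
    elif has_masquerade "$3"; then
        echo "masked-by-masquerade"
    else
        echo "ok"
    fi
}

# Constructed samples, modelled on ipvsadm -L -n, lsmod and iptables -t nat -S.
SAMPLE_IPVS='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.0.2.10:21 wlc
  -> 10.0.0.2:21                  Masq    1      0          0'
SAMPLE_LSMOD_OK='Module                  Size  Used by
ip_vs_ftp              16384  0
ip_vs                 155648  3 ip_vs_ftp'
SAMPLE_LSMOD_BAD='Module                  Size  Used by
ip_vs                 155648  1'
SAMPLE_NAT_MASQ='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'
SAMPLE_NAT_PLAIN='-P POSTROUTING ACCEPT'

# Live use on a director, as root:
# check_lvs_ftp "$(ipvsadm -L -n)" "$(lsmod)" "$(iptables -t nat -S)"
```

A result of masked-by-masquerade means the helper is loaded but a catch-all MASQUERADE rule is also in play, so an ip_vs SNAT failure would not be visible from the client side; test the data connection with that rule removed if you want to prove or disprove the bitrot theory.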

