
Re: LVS-TUN setup - responses from realserver not being let through

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: LVS-TUN setup - responses from realserver not being let through
From: Per Jessen <per@xxxxxxxxxxxx>
Date: Fri, 15 Sep 2006 15:17:07 +0200
Per Jessen wrote:

>> o There's no rp_filter enabled on the RS?
> 
> # cat /proc/sys/net/ipv4/conf/all/rp_filter
> 1
> 
> I had to go and read up on that setting - I'm getting a feeling it
> should perhaps be 0, not 1?  Looks like my SUSE 10.1 sets it by
> default.

I've just toggled rp_filter, but it had no visible effect. 

However, I read a bit of RFC1812 - which is what rp_filter refers to -
on the topic of source address validation. 

With my director being 88.198.41.117, and one real server being
88.198.7.133, that is quite different networks, possibly different
datacentres, is it likely that the router for the real server is
discarding my response packets with src=881.98.198.122 due to:

(from RFC1812):
"A router SHOULD IMPLEMENT the ability to filter traffic based on a
comparison of the source address of a packet and the forwarding table
for a logical interface on which the packet was received.  If this
filtering is enabled, the router MUST silently discard a packet if
the interface on which the packet was received is not the interface
on which a packet would be forwarded to reach the address contained
in the source address.  In simpler terms, if a router wouldn't route
a packet containing this address through a particular interface, it
shouldn't believe the address if it appears as a source address in a
packet read from this interface."




/Per Jessen, Zürich
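
The RFC 1812 check quoted in the message above, as an added example that is not part of the original post: a strict reverse-path filter over a constructed forwarding table, showing how such a router treats a packet that carries the VIP as its source but arrives from the real server's network. All addresses are RFC 5737 documentation prefixes, and the table, interface names and function names are assumptions for illustration.

```python
import ipaddress

# Constructed forwarding table of a router in front of a real server.
# Prefixes are RFC 5737 documentation ranges; interface names are hypothetical.
FIB = [
    ("198.51.100.0/24", "lan0"),  # network the real server sits on
    ("0.0.0.0/0", "wan0"),        # everything else, including the VIP
]

def route_lookup(fib, addr):
    """Longest-prefix match: interface used to forward towards addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def strict_rpf_accepts(fib, src, in_iface):
    """RFC 1812 source check: accept only if the route to src leaves via in_iface."""
    return route_lookup(fib, src) == in_iface

# Constructed packets: (description, source address, receiving interface)
PACKETS = [
    ("real server, own address", "198.51.100.20", "lan0"),
    ("real server, VIP as source (LVS-TUN reply)", "192.0.2.10", "lan0"),
    ("traffic from the VIP's network", "192.0.2.10", "wan0"),
]

def verdicts(fib, packets):
    """Return (description, 'accept' | 'drop') for each packet."""
    return [(d, "accept" if strict_rpf_accepts(fib, s, i) else "drop")
            for d, s, i in packets]

if __name__ == "__main__":
    for desc, verdict in verdicts(FIB, PACKETS):
        print(f"{verdict:6}  {desc}")
```
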

