
Re: Problem to have a routeur/firewall and a Load balancer(ipvs) on the

To: Roberto Nibali <ratz@xxxxxxxxxxxx>
Subject: Re: Problem to have a routeur/firewall and a Load balancer(ipvs) on the same server
Cc: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Cc: Horms <horms@xxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Thu, 16 Nov 2006 00:23:56 +0200 (EET)
        Hello,

On Wed, 15 Nov 2006, Roberto Nibali wrote:

> >>> http://www.ssi.bg/~ja/forward_shared-2.6.17-2.diff
> >>>
> >>> Please report back if that works for you or not.
> >> Effectively that works fine on a 2.6.18.
> >> Thanks.
> > 
> > Should this be merged? I'm happy to try and push it in if it should
> > be in the main tree.
> 
> Among other things not to be shared here in public, I had the exact same 
> thought in the shower this morning :). It renders life so much easier 
> for people, because the whole triangulation or asymmetric forwarding is 
> just a tad bit too unusual for most people to care enough. And setting 
> up a load balancer for a project is most of the time just a nitty-gritty 
> and highly technical part of the whole process. Who wants to spend 80% 
> of the budget for 20% of the project? At least that's what I've been 
> confronted with in projects where IPVS was in discussion, as one of the 
> technologies to be used.
> 
> Regarding the political point of view: I'm not sure if Julian wants to 
> step up again against the whole netdev-crew for yet another "special" 
> feature that no one else in the networking world needs. Although, it 
> would be Horms' call after all.
> 
> Regarding the technical point of view: That patch is very non-intrusive 
> and only adds one branch (could even be marked unlikely()) to the FIB 
> frontend and this is certainly acceptable.
> 
> Julian, do you have any technical reasons that would warrant a veto to 
> the inclusion of your forward shared patch into the main linux kernel? 
> The time would be good now to push it to DaveM for 2.6.20, I believe.

Pros:
- saves one extra patching

Cons:

- useful only for setups which share IPs

- very dangerous!!! That was the first concern by Alexey Kuznetsov.
I see people blindly use echo 1 > all/VAR_NAME without considering
what is the relation between all/VAR_NAME and DEV_NAME/VAR_NAME.
I saw this many times. forward_shared should be applied only on
trusted interfaces and setting 1 to all/ opens the door for
spoofing/loop attacks.

- it is another hack in routing. Not sure if all changes are entirely
correct.

So, my opinion is 30% (below 50%) for inclusion. Maybe it is a good idea 
to have one diff with all IPVS patches not included in mainline. Then the 
IPVS users will have to patch only once. Now we don't even have this 
option linked to a visible place on the web.

Regards

--
Julian Anastasov <ja@xxxxxx>
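
The concern above about all/VAR_NAME versus DEV_NAME/VAR_NAME can be checked on a patched host by listing where forward_shared is set to 1. The script below is an added example, not part of the original message or the patch; it assumes the setting appears as files named forward_shared under /proc/sys/net/ipv4/conf/, and the function name audit_forward_shared and the trusted-interface list are hypothetical. It makes no assumption about how the kernel combines the all/ and per-device values and only reports them for review.

```shell
#!/bin/sh
# audit_forward_shared CONF_DIR TRUSTED_IFACES
#   CONF_DIR        sysctl tree to inspect (assumed on a live, patched host:
#                   /proc/sys/net/ipv4/conf)
#   TRUSTED_IFACES  space-separated interfaces where forward_shared=1 is intended
# Prints one line per entry set to 1. Returns 0 if nothing was flagged,
# 1 if something was flagged, 2 if the tree has no forward_shared entries.
audit_forward_shared() {
    conf_dir=$1
    trusted=" $2 "
    findings=0
    seen=0
    for f in "$conf_dir"/*/forward_shared; do
        [ -r "$f" ] || continue          # unexpanded glob or unreadable entry
        seen=1
        dev=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        [ "$val" = "1" ] || continue
        case "$dev" in
            all)
                # all/ is never tied to one trusted interface, so always flag it
                echo "FLAG all/forward_shared=1 (not scoped to any interface)"
                findings=$((findings + 1)) ;;
            *)
                case "$trusted" in
                    *" $dev "*) echo "ok   $dev/forward_shared=1 (listed as trusted)" ;;
                    *)
                        echo "FLAG $dev/forward_shared=1 (not in trusted list)"
                        findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    [ "$seen" -eq 1 ] || { echo "no forward_shared entries under $conf_dir"; return 2; }
    [ "$findings" -eq 0 ]
}

# Constructed sample tree (not from a real host); eth1 is the trusted side.
demo=$(mktemp -d)
for d in all default eth0 eth1; do mkdir -p "$demo/$d"; done
echo 0 > "$demo/all/forward_shared"; echo 0 > "$demo/default/forward_shared"
echo 1 > "$demo/eth0/forward_shared"; echo 1 > "$demo/eth1/forward_shared"
audit_forward_shared "$demo" "eth1" || echo "audit exit status: $?"
rm -rf "$demo"
```

On the constructed tree the audit accepts eth1 and flags eth0, which has the setting enabled without being listed as trusted.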
