On Thu, Dec 14, 2006 at 03:13:44PM -0600, David M wrote:
> I would like some feedback on our current LVS-NAT configuration.
> Basically, we are using IPTABLES to make sure that certain RIPs are
> associated with certain VIPs for outbound traffic.
>
> Our requirement is that we have to route certain RIP traffic out the same
> VIP--we have to have multiple VIPs. This is especially necessary when using
> sendmail as an MTA. Certain Sendmail RIPs must send out packets on a
> specific VIP. LVS-NAT does not seem to control RIP to VIP packets. So, we
> are using IPTABLES to associate a certain RIP with a certain VIP. Below is
> a sample:
> $IPT -t nat -A POSTROUTING -s $RIP_M1_01 -o $EXT_INTER -j SNAT --to-source $VIP_M_01
> $IPT -t nat -A POSTROUTING -s $RIP_M2_01 -o $EXT_INTER -j SNAT --to-source $VIP_M_01
> $IPT -t nat -A POSTROUTING -s $RIP_M3_01 -o $EXT_INTER -j SNAT --to-source $VIP_M_01
> $IPT -t nat -A POSTROUTING -s $RIP_M1_02 -o $EXT_INTER -j SNAT --to-source $VIP_M_02
> $IPT -t nat -A POSTROUTING -s $RIP_M2_02 -o $EXT_INTER -j SNAT --to-source $VIP_M_02
> $IPT -t nat -A POSTROUTING -s $RIP_M3_02 -o $EXT_INTER -j SNAT --to-source $VIP_M_02
>
> So, for example, we are using three systems (M1, M2 and M3), and we are
> associating certain RIPs with certain VIPs, as in this visual
> representation.
> $RIP_M1_01 --> $VIP_M_01
> $RIP_M2_01 --> $VIP_M_01
> $RIP_M3_01 --> $VIP_M_01
> $RIP_M1_02 --> $VIP_M_02
> $RIP_M2_02 --> $VIP_M_02
> $RIP_M3_02 --> $VIP_M_02
> $RIP_M1_03 --> $VIP_M_03
> $RIP_M2_03 --> $VIP_M_03
> $RIP_M3_03 --> $VIP_M_03
>
> Is using IPTABLES for this a good solution for this? Or is there a kernel
> patch that will always associate the RIPs with the VIPs (in the ipvsadm
> setup)? ipvsadm will do the VIPs to RIPs, but ipvsadm does not seem to do
> RIP to VIP.

What you have above seems sensible to me.

As far as the kernel is concerned there is no relation between incoming
connections for the VIP, and outgoing connections from RIPs of a virtual
service. I'm not aware of any patches that change this, nor do I really
think they are necessary - assuming your solution works.

> Does the LVS-NAT source routing patch (Brownfield, Sawari and Black) solve
> the RIP to VIP association problem?
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-NAT.html#brownfield

I don't think that change is related.
N.B: That change was included in 2.6.19.

--
Horms
H: http://www.vergenet.net/~horms/
W: http://www.valinux.co.jp/en/
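
The RIP-to-VIP table from the message, kept as data and checked before and after loading; this is an added example, not code from either poster. The addresses, the `eth0` default, the single external interface, and the function names `gen_snat_rules` and `audit_snat` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: prints and audits SNAT rules; it never calls iptables itself.
# Constructed sample table, one "RIP VIP" pair per line (addresses are made up).
MAP='192.168.10.11 203.0.113.1
192.168.10.12 203.0.113.1
192.168.10.21 203.0.113.2
192.168.10.22 203.0.113.2'

# gen_snat_rules MAP IFACE: print one rule per RIP. Returns 1 and prints no
# rules if a RIP is listed with two VIPs: SNAT is a terminating target, so the
# second rule would never match and the mistake would go unnoticed.
gen_snat_rules() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^[ \t]*(#|$)/ { next }
        ($1 in vip) && vip[$1] != $2 {
            printf "conflict: %s -> %s and %s\n", $1, vip[$1], $2 > "/dev/stderr"
            bad = 1; next }
        !($1 in vip) { vip[$1] = $2; order[++n] = $1 }
        END {
            if (bad) exit 1
            for (i = 1; i <= n; i++)
                printf "iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n", order[i], ifc, vip[order[i]]
        }'
}

# audit_snat MAP RULES: RULES is text as printed by
# `iptables -t nat -S POSTROUTING`. Prints every RIP whose first matching SNAT
# rule is missing or names another VIP; returns 1 if any line was printed.
audit_snat() {
    { printf '%s\n' "$2"; echo '--MAP--'; printf '%s\n' "$1"; } | awk '
        $0 == "--MAP--" { inmap = 1; next }
        !inmap {
            src = ""; to = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "--to-source") to = $(i + 1)
            }
            sub(/\/32$/, "", src)
            if (src != "" && to != "" && !(src in live)) live[src] = to
            next
        }
        /^[ \t]*(#|$)/ { next }
        live[$1] != $2 {
            printf "%s want %s have %s\n", $1, $2, (live[$1] == "" ? "none" : live[$1])
            bad = 1 }
        END { exit bad + 0 }'
}

gen_snat_rules "$MAP" "${EXT_INTER:-eth0}"   # print the rules for review
```

A RIP reported as `have none` would leave the director without one of the intended source addresses, which for the sendmail case in the message means mail arriving from an unexpected IP.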