
Re: Director not sending icmp unreachable to expired clients

To: Joseph Mack NA3T <jmack@xxxxxxxx>
Subject: Re: Director not sending icmp unreachable to expired clients
Cc: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Cc: Horms <horms@xxxxxxxxxxxx>
Cc: Janusz Krzysztofik <jkrzyszt@xxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Sat, 20 Jan 2007 13:20:28 +0200 (EET)
        Hello,

> On Fri, 19 Jan 2007, Janusz Krzysztofik wrote:
> 
> > I am using LVS director with no VIP for load balancing ipsec servers
> > accessed by NATed clients (udp 500/4500, fwmark method). When I remove a
> > realserver (ipvsadm -d ...), its clients are not notified after their
> > connections expire.
> > I suspect that icmp responses are simply not generated on the
> > director as they should be -
> 
> possibly. The icmp code was written before anyone thought of 
> VIP-less directors.

        Yes, icmp_send() has code that feeds ip_route_output*() with
non-local source address (the VIP that is not configured as IP
address in director). The ICMP reply logic is implemented in a way
that ensures the ICMP packet will use local IP address, for example,
when IP router wants to send reply for packet destined to next
hop (looks like our case).

        The networking maintainers are still waiting for someone to go
and split all callers of ip_route_output*() into those that require a
local source address and those that don't. The goal is to move
the check for local source address out of ip_route_output to allow
code such as NAT or IPVS to get an output route with a non-local source
address (maybe there are other such uses). Every place should be
audited and a check for local IP should be added only if needed.

        The ICMP reply code is one such place that needs to send ICMP
replies with a local address; the receiver should see who generates
the error.

        So, for the problem in the original posting: the IPVS users
that need to send ICMP replies for VIPs should configure the VIPs
in the director. I'm not sure there will be another solution. If one
day ip_route_output does not validate the source address, maybe
icmp_send can rely only on this check as before:

        saddr = iph->daddr;
        if (!(rt->rt_flags & RTCF_LOCAL))
                saddr = 0;

        Then director will send ICMP replies from VIPs by using the
local-delivery method to accept traffic for VIP.

Regards

--
Julian Anastasov <ja@xxxxxx>
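
The behaviour described in this message, as a simplified userspace C model added here (not kernel code and not part of the original post): the quoted saddr check is followed by a modelled local-source validation in the output route lookup. The addresses, `struct host` and the helper names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTCF_LOCAL 0x80000000u /* flag from the message; value as in linux/in_route.h */
#define VIP    0xC6336401u     /* 198.51.100.1, constructed */
#define DIR_IP 0xC0000201u     /* 192.0.2.1, constructed director address */

struct host { const uint32_t *local; size_t n; }; /* addresses configured on the director */

static const uint32_t no_vip[]   = { DIR_IP };
static const uint32_t with_vip[] = { DIR_IP, VIP };
static const struct host vipless = { no_vip, 1 };
static const struct host vip_cfg = { with_vip, 2 };

/* The check quoted in the message: reply from the packet's destination
 * only when the input route delivered it locally. */
static uint32_t pick_saddr(uint32_t daddr, uint32_t rt_flags)
{
    uint32_t saddr = daddr;
    if (!(rt_flags & RTCF_LOCAL))
        saddr = 0;
    return saddr;
}

/* Model of the output route lookup: a non-zero source must be a local
 * address; a zero source lets the host choose one (here: the first). */
static int route_output(const struct host *h, uint32_t saddr, uint32_t *src)
{
    if (saddr == 0) { *src = h->local[0]; return 0; }
    for (size_t i = 0; i < h->n; i++)
        if (h->local[i] == saddr) { *src = saddr; return 0; }
    return -1; /* source validation failed: no route, no ICMP error */
}

/* Source address of the ICMP error, or 0 when none is generated. */
uint32_t icmp_error_source(const struct host *h, uint32_t daddr, uint32_t rt_flags)
{
    uint32_t src;
    return route_output(h, pick_saddr(daddr, rt_flags), &src) == 0 ? src : 0;
}

int main(void)
{
    printf("VIP-less, local delivery: %08x\n", (unsigned)icmp_error_source(&vipless, VIP, RTCF_LOCAL));
    printf("VIP configured:           %08x\n", (unsigned)icmp_error_source(&vip_cfg, VIP, RTCF_LOCAL));
    printf("forwarded (not local):    %08x\n", (unsigned)icmp_error_source(&vipless, VIP, 0));
    return 0;
}
```

A result of 0 in the first case corresponds to the reported symptom: the VIP is chosen as source, fails validation, and no ICMP error leaves the director.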
