Joe, Julian,
Thanks for your answers.
Joseph Mack NA3T wrote:
... clients are not notified after their connections expire.
hmm, expire == timeout?
Neither after timeout nor immediately when expire_nodest_conn is set.
does the client get a new realserver?
Yes, unless it happened that subsequent packets were no longer correctly
marked with iptables, but that was my non-standard use, of course.
Why does the client need to know that the old realserver is no longer there?
New realserver just drops packets from affected clients until they
rekey (every 8 hours by default).
... I could not find any piece of code in the IPVS sources (linux 2.6.18)
that would generate such error responses....
Well there used to be icmp error handling code there.
I can find only two places where icmp_send() is used for the purpose of
generating port unreachable message:
- inside ip_vs_leave(), used in an overload case,
- inside ip_vs_out(), serving opposite direction.
Julian Anastasov wrote:
So, for the problem in original posting: the IPVS users
that need to send ICMP replies for VIPs should configure the VIPs
in director. I'm not sure there will be another solution.
I managed to send icmp port unreachable originating from DIP using self
patched icmp_send() that checks for sysctl_ip_nonlocal_bind, but that
did not help my clients. Now I am going to try some logic used by
netfilter tcp_reset to originate the icmp packet from VIP.
I will let you know if this helps.
Cheers,
Janusz