Janusz Krzysztofik wrote:
... Now I am going to try some logic used by
netfilter tcp_reset to originate the icmp packet from VIP.
I will let you know if this helps.
After investigating several possibilities, I have finally applied a small
patch to ip_route_output_slow() that allows a VIP-less director to
generate packets originating from the VIP if sysctl_ip_nonlocal_bind is set
(attached, for those who may be interested; comments are welcome).
However, as there is no logic inside ip_vs_in() for responding with icmp
errors to at least the first packet after a connection has expired (I
still do not know if this is intentional or not), to get it working as
expected I have to set up my iptables marking in such a way that packets
for expired connections are passed through ip_vs_in() untouched and icmp
errors are now returned by udp_rcv() in my case, I guess.
Furthermore, I have also tried with ip_vs_in() moved before the input filter
hook (I can still filter ipvs-related packets on output, what do you
think?) and iptables input filter rules rejecting ipvs-related packets
that have passed through ip_vs_in() - this works as well.
Unfortunately, none of this helps my IPsec clients. ICMP port
unreachable messages do not provoke them to invalidate the current IPsec
connections and start rekeying. But this is a different problem, of course.
Joe, Julian, thanks again for your hints.
Cheers,
Janusz
P.S. I can provide more info on my setup if it can be interesting for
anyone.