Re: Director not sending icmp unreachable to expired clients

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Director not sending icmp unreachable to expired clients
Cc: ja@xxxxxx
From: Janusz Krzysztofik <jkrzyszt@xxxxxxxxxxxx>
Date: Wed, 24 Jan 2007 15:07:12 +0100
Janusz Krzysztofik wrote:
... Now I am going to try some logic used by
netfilter tcp_reset to originate the icmp packet from VIP.
I will let you know if this helps.

After investigating several possibilities, I have finally applied a small patch to ip_route_output_slow() that allows a VIP-less director to generate packets originating from the VIP if sysctl_ip_nonlocal_bind is set (attached, for those who may be interested; comments are welcome). However, as there is no logic inside ip_vs_in() for responding with icmp errors to at least the first packet after a connection has expired (I still do not know whether this is intentional or not), to get it working as expected I have to set up my iptables marking in such a way that packets for expired connections are passed through ip_vs_in() untouched, and icmp errors are now returned by udp_rcv() in my case, I guess. Furthermore, I have also tried with ip_vs_in() moved before the input filter hook (I can still filter ipvs related packets on output; what do you think?) and with iptables input filter rules rejecting ipvs related packets that have passed through ip_vs_in() - that works as well.

Unfortunately, all these do not help my ipsec clients. Icmp port unreachable messages do not provoke them to invalidate current ipsec connections and start rekeying. But this is a different problem, of course.

Joe, Julian, thanks again for your hints.

Cheers,
Janusz

P.S. I can provide more info on my setup if it can be interesting for anyone.
