
Re: SNAT Confusion

To: jkrzyszt@xxxxxxxxxxxx, lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: SNAT Confusion
From: "Rodre Ghorashi-Zadeh" <rodrico7@xxxxxxxxxxx>
Date: Fri, 16 Mar 2007 11:33:47 -0700
Hello and thanks to the both of you for your replies,

In getting closer to a solution:

Exactly as I was before. Then I reread all Julian's writings on this matter and understood that saying SNAT he meant changing RIP source address back to VIP on packets traversing LVS-NAT director back to clients (OUT direction).

I understand that Julian's patch will not help me, but in trying to put an end to my confusion: Doesn't the LVS-NAT automatically change the RIP source address back to the VIP address as it traverses the director by default (without the NFCT patch)?

Yes, exactly, and not only SNAT, but full conntrack as well. But please remember, this is my own solution, not supported by LVS people in any way, and not yet commented by them, so it may stop working for future versions of IPVS.

This patch didn't look very big so I manually made the inclusions to the ip_vs_core.c file, which compiled, and to the ip_vs_xmit.c, which didn't compile, on a CentOS 2.6.9 based kernel. Not surprisingly it didn't work. I tried to patch both a 2.6.17 and 2.6.19 Fedora 5 based kernel and the patch failed on both during the patch of the ip_vs_xmit.c phase:

in ip_vs_xmit.c.rej:

----------------Start----------------

***************
*** 127,133 ****

 #define IP_VS_XMIT(skb, rt)                            \
 do {                                                   \
-       (skb)->ipvs_property = 1;                       \
       (skb)->ip_summed = CHECKSUM_NONE;               \
       NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, (skb), NULL,  \
               (rt)->u.dst.dev, dst_output);           \
--- 127,132 ----

 #define IP_VS_XMIT(skb, rt)                            \
 do {                                                   \
       (skb)->ip_summed = CHECKSUM_NONE;               \
       NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, (skb), NULL,  \
               (rt)->u.dst.dev, dst_output);           \
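Review bot: the only change in this hunk is dropping `(skb)->ipvs_property = 1;` from the IP_VS_XMIT macro, and the fact that it landed in ip_vs_xmit.c.rej means the context at lines 127-133 of the target ip_vs_xmit.c no longer matches the tree the patch was written against. Before applying this by hand, confirm that the target kernel's IP_VS_XMIT still sets ipvs_property at that point and check whether anything else in that tree relies on the flag being set for packets sent through this macro; if the macro has already changed upstream, removing the assignment from a different version may not have the effect the patch intends.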

------------End-------------------

So I manually made the changes to both files on a 2.6.19 Fedora 5 based kernel and compiled without errors, but it doesn't seem to be working. So my questions regarding the "Janusz" patch are:

What are the chances of getting a back port of this patch to a 2.6.9 based kernel? This would help both Redhat 4 and CentOS 4 users. (Sorry, I had to ask).

Do you think this patch will work on a 2.6.19 kernel or a Fedora 2.6.17 kernel? If not, can you provide a link to the latest kernel version that this patch is known to work with?

Thanks for all your help.

~Rod



From: Janusz Krzysztofik <jkrzyszt@xxxxxxxxxxxx>
To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
CC: rodrico7@xxxxxxxxxxx
Subject: Re: SNAT Confusion
Date: Fri, 16 Mar 2007 12:19:45 +0100

Rodre Ghorashi-Zadeh wrote:
I am totally confused about the whole SNAT, snat_reroute, NFCT, etc. I have downloaded Julian's NFCT patch for my kernel (centos 4.4 2.6.9-42.0.10.ELsmp), patched/built/installed the kernel, echoed 1 > /proc/sys/net/ipv4/vs/conntrack & and snat_reroute, wrote an iptables rule that looks like this: iptables -t nat -A POSTROUTING -p tcp -s $MYIP -d $RIP --dport $SOMEPORT -j SNAT --to-source $DEFAULTGATE, sent the appropriate traffic that should get caught and manipulated by the previous rule, experienced no results ...

Exactly as I was before. Then I reread all Julian's writings on this matter and understood that saying SNAT he meant changing RIP source address back to VIP on packets traversing LVS-NAT director back to clients (OUT direction).

... does the patch provided by Janusz Krzysztofik at http://www.icnet.pl/download/ip_vs_dr-conntrack.patch allow you to at least do an iptables style SNAT to LVS-DR type packets?

Yes, exactly, and not only SNAT, but full conntrack as well. But please remember, this is my own solution, not supported by LVS people in any way, and not yet commented by them, so it may stop working for future versions of IPVS.

Julian, Joe, Horms, maybe others, could you please share your opinions on this matter?

Thanks,
Janusz



