On Mon, 26 Nov 2007, Ben Hollingsworth wrote:
> I don't think this is a one-network NAT, as those subnets don't
> overlap.
I did have a quick look for this, but missed it. Thanks.
> However, I did setup a one-network LVS-NAT just last week
> that works fine. Our private network is a subset of our
> public network, with the real servers using the gateway
> VIP on the directors. The directors know nothing of SSH,
> yet if a client tries to SSH directly to the private IP of
> the real server, it succeeds, even though the packets take
> a circuitous return trip through the directors.
Hmm. So with redirects etc. off and the ipvsadm table still
setup for one-network NAT (and no iptables or conntrack),
then a packet RIP->CIP sent to default gw=VIP on the
director, is not NAT'ed on the director, by the rules setup
by ipvsadm, which would make the packet come out with
src_addr=VIP and hence be refused by the client?
I'm trying to figure out what the director would think it's
supposed to do with such a packet; forward it or NAT it? I
guess it depends on who gets first dibs on the packet, the
forwarding rules or the NAT rules. This must be easy enough
to look up.
I wouldn't have said in the HOWTO that you couldn't connect
directly CIP-RIP without having tested it. Maybe I flubbed
the test. Maybe the behaviour is different using the
netfilter framework for LVS, rather than the masquerading
code back in the 2.0.x days when I ran the test.
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
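The question above (does a RIP->CIP packet for a connection the director never load-balanced get NAT'ed or just forwarded?) comes down to whether the director's NAT step is keyed on its connection table. The model below is an added illustration written for this page; it is not LVS, ipvsadm or kernel code. It assumes IPVS behaviour as I understand it: a packet for a configured virtual service (VIP:port) is DNAT'ed to a real server and the connection recorded, a packet coming back from a real server is SNAT'ed to the VIP only when it matches a recorded connection, and everything else is routed through the director untouched, which is what Ben's direct-SSH observation requires. Addresses and ports are constructed.

```python
"""Model of the NAT-or-forward decision a one-network LVS-NAT director makes.

Added illustration only; not LVS, ipvsadm or kernel code.  It assumes the
IPVS connection-table behaviour: a packet for a configured virtual service
(VIP:port) is DNAT'ed to a real server and the connection is recorded; a
packet coming back from a real server is SNAT'ed to the VIP only when it
matches a recorded connection; anything else passes through the director
as an ordinary routed packet.  All addresses below are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Director:
    def __init__(self, services):
        # services: {(VIP, port): [RIP, ...]}; real servers scheduled round-robin.
        self.services = {k: list(v) for k, v in services.items()}
        self.rr = dict.fromkeys(services, 0)
        # connection table: (CIP, cport, VIP, vport) -> chosen RIP
        self.conns = {}

    def handle(self, pkt):
        """Return (verdict, packet as emitted) for one packet crossing the director."""
        svc = (pkt.dst, pkt.dport)
        if svc in self.services:
            # CIP -> VIP: pick (or reuse) a real server and DNAT the destination.
            ckey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            rip = self.conns.get(ckey)
            if rip is None:
                rips = self.services[svc]
                rip = rips[self.rr[svc] % len(rips)]
                self.rr[svc] += 1
                self.conns[ckey] = rip
            return "dnat", replace(pkt, dst=rip)
        # Anything else: SNAT back to the VIP only if this is the reply leg of
        # a recorded LVS connection; otherwise plain forwarding, source untouched.
        for (cip, cport, vip, vport), rip in self.conns.items():
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (rip, vport, cip, cport):
                return "snat", replace(pkt, src=vip)
        return "forward", pkt


VIP, RIP, CIP = "10.0.0.1", "10.0.0.11", "10.0.0.50"   # constructed addresses


def lvs_flow():
    """Client talks to the VIP: request is DNAT'ed, reply is SNAT'ed to the VIP."""
    d = Director({(VIP, 80): [RIP]})
    v1, req = d.handle(Packet(CIP, 40000, VIP, 80))
    v2, rep = d.handle(Packet(RIP, 80, CIP, 40000))   # reply via default gw = VIP
    return {"request": (v1, req.dst), "reply": (v2, rep.src)}


def direct_ssh_flow():
    """Client talks straight to RIP:22, which is not a virtual service."""
    d = Director({(VIP, 80): [RIP]})
    v1, req = d.handle(Packet(CIP, 40001, RIP, 22))
    v2, rep = d.handle(Packet(RIP, 22, CIP, 40001))   # circuitous return trip
    return {"request": (v1, req.dst), "reply": (v2, rep.src)}


if __name__ == "__main__":
    print(lvs_flow())         # reply leaves with src=VIP
    print(direct_ssh_flow())  # reply leaves with src=RIP, so the client accepts it
```

In the model the ordering question ("who gets first dibs, forwarding or NAT?") never arises for the direct SSH case: with no virtual service for RIP:22 and no connection entry created on the way in, there is nothing for the NAT step to match, so the packet is simply forwarded with src_addr=RIP. Whether a given kernel's IPVS matches this model is an assumption to verify, e.g. with tcpdump on the client and on the director's two sides.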