Re: [lvs-users] Connecting directly to realservers in a one-network LVS-

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Connecting directly to realservers in a one-network LVS-NAT
From: Joseph Mack NA3T <jmack@xxxxxxxx>
Date: Mon, 26 Nov 2007 13:27:45 -0800 (PST)
On Mon, 26 Nov 2007, Ben Hollingsworth wrote:

> I don't think this is a one-network NAT, as those subnets don't
> overlap.

I did have a quick look for this, but missed it. Thanks.

> However, I did setup a one-network LVS-NAT just last week 
> that works fine.  Our private network is a subset of our 
> public network, with the real servers using the gateway 
> VIP on the directors.  The directors know nothing of SSH, 
> yet if a client tries to SSH directly to the private IP of 
> the real server, it succeeds, even though the packets take 
> a circuitous return trip through the directors.

Hmm. So with redirects etc. off and the ipvsadm table still 
set up for one-network NAT (and no iptables or conntrack), 
then a packet RIP->CIP sent to default gw=VIP on the 
director is not NAT'ed on the director by the rules set up 
by ipvsadm, which would make the packet come out with 
src_addr=VIP and hence be refused by the client?

I'm trying to figure out what the director would think it's 
supposed to do with such a packet; forward it or NAT it? I 
guess it depends on who gets first dibs on the packet, the 
forwarding rules or the NAT rules. This must be easy enough 
to look up.

I wouldn't have said in the HOWTO that you couldn't connect 
directly CIP-RIP without having tested it. Maybe I flubbed 
the test. Maybe the behaviour is different using the 
netfilter framework for LVS, rather than the masquerading 
code back in the 2.0.x days when I ran the test.


Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at
Homepage It's GNU/Linux!
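The question in the message above is whether the director forwards or NATs a realserver's reply. The model below is an added illustration, not code from this thread or from the LVS/IPVS project: it assumes (as IPVS does for NAT) that the director keeps a connection table keyed by the client and realserver endpoints of each load-balanced connection, rewrites the source of a reply to the VIP only when the reply matches such an entry, and plainly forwards anything else unchanged. Under that assumption a client that connects directly to the RIP creates no table entry, so the reply comes back with src=RIP and the client accepts it, which matches the observation quoted above. All addresses, ports and the `Director` class are constructed for the example.

```python
"""Simplified model of an LVS-NAT director's handling of realserver replies.

Constructed illustration (not the IPVS code). Assumption: a reply is SNAT'ed
to the VIP only if it matches a connection the director created when it
DNAT'ed the client's request; otherwise the packet is forwarded untouched.
"""
from dataclasses import dataclass, replace

# Constructed addresses: realserver shares the director's subnet (one-network NAT).
VIP = "192.168.1.10"
RIP = "192.168.1.20"
CIP = "10.0.0.5"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Director:
    def __init__(self, vip, services):
        # services mimics an ipvsadm table: {(vip, vport): [rip, ...]}
        self.vip = vip
        self.services = services
        # connection table: (proto, cip, cport, rip, rport) -> vport
        self.conns = {}

    def inbound(self, pkt):
        """Client -> director. DNAT to a realserver only for a configured service."""
        key = (pkt.dst, pkt.dport)
        if pkt.dst != self.vip or key not in self.services:
            return pkt  # not a virtual service: plain forward, nothing recorded
        rip = self.services[key][0]  # trivial scheduler: first realserver
        self.conns[(pkt.proto, pkt.src, pkt.sport, rip, pkt.dport)] = pkt.dport
        return replace(pkt, dst=rip)

    def outbound(self, pkt):
        """Realserver -> director. SNAT to VIP only if the reply matches a known connection."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conns:
            return replace(pkt, src=self.vip, sport=self.conns[key])
        return pkt  # no entry: forwarded as-is, source stays RIP


def client_accepts(sent, reply):
    """A TCP client only accepts a reply whose source matches where it sent the request."""
    return reply.src == sent.dst and reply.sport == sent.dport and reply.dst == sent.src


def balanced_http():
    """Client -> VIP:80 via the director; reply is NAT'ed back to src=VIP."""
    d = Director(VIP, {(VIP, 80): [RIP]})
    req = Packet(CIP, 40000, VIP, 80)
    at_rs = d.inbound(req)                       # dst rewritten to RIP
    reply = d.outbound(Packet(at_rs.dst, at_rs.dport, at_rs.src, at_rs.sport))
    return req, reply


def direct_ssh():
    """Client -> RIP:22 directly; reply routes via gw=VIP but matches no entry."""
    d = Director(VIP, {(VIP, 80): [RIP]})
    req = Packet(CIP, 40001, RIP, 22)
    at_rs = d.inbound(req)                       # not a service: unchanged
    reply = d.outbound(Packet(at_rs.dst, at_rs.dport, at_rs.src, at_rs.sport))
    return req, reply


if __name__ == "__main__":
    for name, fn in (("balanced http", balanced_http), ("direct ssh", direct_ssh)):
        req, reply = fn()
        print(f"{name}: reply src={reply.src}:{reply.sport}, client accepts={client_accepts(req, reply)}")
```

Run stand-alone, the model shows the load-balanced reply leaving with src=VIP and the direct SSH reply leaving with src=RIP, both acceptable to the client. If the director instead NAT'ed every packet leaving a realserver regardless of its table (the behaviour the message above worries about), `direct_ssh` would return a reply with src=VIP and `client_accepts` would be False; the table lookup is what decides between forwarding and NAT in this model.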
