Re: [lvs-users] Transparent proxy with Locanode

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>, <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Transparent proxy with Locanode
From: "David Hinkle" <hinkle@xxxxxxxxxxxxxx>
Date: Mon, 10 Dec 2007 10:37:50 -0600
Ok, I just found this document:
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.filter_rules.html

I think I understand the problem more clearly now.

The PREROUTING table comes before the LVS hooks in the LOCAL_IN table so I 
cannot determine at PREROUTING time that packets are going to go to the 
localnode or not.

So at this time, I guess I have two possible courses of action?  Try and find a 
way for local_node to work without a REDIRECT rule in the PREROUTING table.  
Perhaps LVS can do the REDIRECT?  

Or is it possible for LVS to "undo" whatever munging is happening in the 
PREROUTING table?  I don't even understand why a REDIRECT rule in the 
PREROUTING table is breaking LVS.  

I guess I'll research some more, if anybody has a workaround for using 
localnode with transparent proxy please let me know.

David


-----Original Message-----
From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx on behalf of David Hinkle
Sent: Mon 12/10/2007 10:06 AM
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] Transparent proxy with Locanode
 
Hey everybody.  I'm using the ip policy hack to get transparent proxy going 
like this:

ip rule add prio 100 fwmark 1 table 100
ip route add local 0/0 dev lo table 100

That redirects packets that I've marked with fwmark 1 into the "local" machine 
so that lvs will see them.

This is all working: I can distribute incoming connections to realservers. 
However, I run into problems when I try to use the localnode feature.

If I have 

    /sbin/iptables -t nat -A PREROUTING -p tcp -s 10.0.0.1/8 --dport 80 -j REDIRECT --to-port 8080

in my PREROUTING table so that the local machine can intercept, connections 
routed to the local node work and connections routed to the other peers fail. 
If I delete the rule, connections to the local node fail and connections to the 
remote hosts work.

Any ideas?  Can I tell the connections apart in iptables so that I can create a 
rule to skip the redirect for packets leaving for other realservers?  Can I get 
lvs to bypass PREROUTING for packets going out?

David
