On Wednesday 09 April 2008 23:27:24 Joseph Mack NA3T wrote:
> On Wed, 9 Apr 2008, Jason Stubbs wrote:
> > The best I can come up with is to apply the patch from below and then run
> > squid on the director. Is there a better way that I'm not seeing?
>
> this is as good as it gets. LVS wasn't designed to do this.
> It would be nice to have, but we don't have it.
Moving ip_vs_in to the end of POSTROUTING and moving ip_vs_out to the start of
PREROUTING as in the attached patch seems to work and lets me do what I want.
LVS-NAT and SNAT are working both independently and in conjunction to allow
connections to VIPs from anywhere.
I haven't tested LVS-DR, LVS-TUN or localnode (although I think localnode
should still work) and am not so worried if they don't work. Are there any
other issues likely to arise with this patch? Is there any reason why LVS
didn't hook into (or near) those places in the first place?
I understand that it'll likely never be accepted because it'd break pretty
much every existing installation (VIP on an interface would not make it to
IPVS)... I'm just wondering if there are any gotchas I might not be seeing
before I decide to put it into production.
--
Jason Stubbs <j.stubbs@xxxxxxxxxxxxxxx>
LINKTHINK INC.
東京都渋谷区桜ヶ丘町22-14 N.E.S S棟 3F
TEL 03-5728-4772 FAX 03-5728-4773
--- linux-2.6.24-gentoo-r4/net/ipv4/ipvs/ip_vs_core.c 2008-01-25
07:58:37.000000000 +0900
+++ linux-2.6.24-gentoo-r4-jason/net/ipv4/ipvs/ip_vs_core.c 2008-04-10
16:44:44.000000000 +0900
@@ -480,25 +480,6 @@
}
-/*
- * It is hooked before NF_IP_PRI_NAT_SRC at the NF_IP_POST_ROUTING
- * chain, and is used for VS/NAT.
- * It detects packets for VS/NAT connections and sends the packets
- * immediately. This can avoid that iptable_nat mangles the packets
- * for VS/NAT.
- */
-static unsigned int ip_vs_post_routing(unsigned int hooknum,
- struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- int (*okfn)(struct sk_buff *))
-{
- if (!skb->ipvs_property)
- return NF_ACCEPT;
- /* The packet was sent from IPVS, exit this chain */
- return NF_STOP;
-}
-
__sum16 ip_vs_checksum_complete(struct sk_buff *skb, int offset)
{
return csum_fold(skb_checksum(skb, offset, skb->len - offset, 0));
@@ -905,19 +886,6 @@
int ret, restart;
int ihl;
- /*
- * Big tappo: only PACKET_HOST (neither loopback nor mcasts)
- * ... don't know why 1st test DOES NOT include 2nd (?)
- */
- if (unlikely(skb->pkt_type != PACKET_HOST
- || skb->dev->flags & IFF_LOOPBACK || skb->sk)) {
- IP_VS_DBG(12, "packet type=%d proto=%d daddr=%d.%d.%d.%d
ignored\n",
- skb->pkt_type,
- ip_hdr(skb)->protocol,
- NIPQUAD(ip_hdr(skb)->daddr));
- return NF_ACCEPT;
- }
-
iph = ip_hdr(skb);
if (unlikely(iph->protocol == IPPROTO_ICMP)) {
int related, verdict = ip_vs_in_icmp(skb, &related, hooknum);
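Review bot: The guard removed here has no replacement, so at the new POST_ROUTING hook point ip_vs_in now runs its connection lookup on every packet that reaches the end of that chain, including all of the director's own locally originated traffic (skb->sk set) and anything leaving via a loopback device, not only the squid-to-VIP case the cover note describes. Admitting local sockets appears to be the purpose of the change, but the hunk leaves no comment saying so; a line such as `/* Hooked at POST_ROUTING: locally generated (skb->sk) and loopback traffic is deliberately admitted so local clients can reach VIPs. */` in place of the deleted block would preserve that reasoning. The last context line also passes `hooknum`, which is now NF_IP_POST_ROUTING rather than NF_IP_LOCAL_IN, into ip_vs_in_icmp; whether that function's verdict handling is correct for a post-routing hook cannot be seen from this hunk. ip_vs_in starts and ends outside the hunk.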
@@ -1032,8 +1000,8 @@
.hook = ip_vs_in,
.owner = THIS_MODULE,
.pf = PF_INET,
- .hooknum = NF_IP_LOCAL_IN,
- .priority = 100,
+ .hooknum = NF_IP_POST_ROUTING,
+ .priority = NF_IP_PRI_LAST,
};
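Review bot: With ip_vs_in registered at NF_IP_POST_ROUTING with NF_IP_PRI_LAST, packets that IPVS itself transmits (marked skb->ipvs_property) re-enter POST_ROUTING and now reach this hook a second time, whereas the ip_vs_post_routing hook deleted in the first hunk used to return NF_STOP for them before the rest of the chain ran. That is only safe if ip_vs_in returns early on skb->ipvs_property; that check is outside the hunk, so it should be confirmed rather than assumed, and a comment on the ops struct recording the dependency would help, e.g. `/* Last in POST_ROUTING, after iptables SNAT; ip_vs_in must skip skb->ipvs_property packets because IPVS output re-traverses this chain. */`. Sitting after the source-NAT priority also means the packet IPVS inspects may already have been rewritten by an SNAT rule, which is presumably intended here but changes what the connection table keys on.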
/* After packet filtering, change source only for VS/NAT */
@@ -1041,8 +1009,8 @@
.hook = ip_vs_out,
.owner = THIS_MODULE,
.pf = PF_INET,
- .hooknum = NF_IP_FORWARD,
- .priority = 100,
+ .hooknum = NF_IP_PRE_ROUTING,
+ .priority = NF_IP_PRI_FIRST,
};
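Review bot: The comment on the line above this hunk, `/* After packet filtering, change source only for VS/NAT */`, is now wrong: with NF_IP_PRE_ROUTING and NF_IP_PRI_FIRST the hook runs ahead of everything else registered in that chain, so replies from real servers are rewritten before connection tracking and filtering ever see them. Replace it with something like `/* First in PRE_ROUTING, before conntrack and filtering: rewrite VS/NAT replies back to the VIP */`. Running ahead of conntrack's defragmentation hook also means ip_vs_out can receive raw IP fragments here rather than reassembled packets; whether it gathers fragments itself cannot be seen from this hunk.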
/* After packet filtering (but before ip_vs_out_icmp), catch icmp
@@ -1051,17 +1019,8 @@
.hook = ip_vs_forward_icmp,
.owner = THIS_MODULE,
.pf = PF_INET,
- .hooknum = NF_IP_FORWARD,
- .priority = 99,
-};
-
-/* Before the netfilter connection tracking, exit from POST_ROUTING */
-static struct nf_hook_ops ip_vs_post_routing_ops = {
- .hook = ip_vs_post_routing,
- .owner = THIS_MODULE,
- .pf = PF_INET,
- .hooknum = NF_IP_POST_ROUTING,
- .priority = NF_IP_PRI_NAT_SRC-1,
+ .hooknum = NF_IP_PRE_ROUTING,
+ .priority = NF_IP_PRI_FIRST,
};
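Review bot: ip_vs_forward_icmp_ops now has the same hooknum and priority as ip_vs_out_ops in the previous hunk, so the relative order of the two hooks is no longer fixed by priority; the old 99 versus 100 guaranteed the ICMP hook ran before ip_vs_out, which is what the comment above this struct (`before ip_vs_out_icmp`) requires. With equal priorities the order falls back to registration order, and the ip_vs_init hunk below registers the out hook before the forward_icmp hook, so the ICMP hook likely runs second now. Keep the ordering explicit, e.g. `.priority = NF_IP_PRI_FIRST,` here and `.priority = NF_IP_PRI_FIRST + 1,` on ip_vs_out_ops, and update the stale `After packet filtering` wording in the comment.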
@@ -1103,22 +1062,16 @@
IP_VS_ERR("can't register out hook.\n");
goto cleanup_inops;
}
- ret = nf_register_hook(&ip_vs_post_routing_ops);
- if (ret < 0) {
- IP_VS_ERR("can't register post_routing hook.\n");
- goto cleanup_outops;
- }
+
ret = nf_register_hook(&ip_vs_forward_icmp_ops);
if (ret < 0) {
IP_VS_ERR("can't register forward_icmp hook.\n");
- goto cleanup_postroutingops;
+ goto cleanup_outops;
}
IP_VS_INFO("ipvs loaded.\n");
return ret;
- cleanup_postroutingops:
- nf_unregister_hook(&ip_vs_post_routing_ops);
cleanup_outops:
nf_unregister_hook(&ip_vs_out_ops);
cleanup_inops:
@@ -1137,7 +1090,6 @@
static void __exit ip_vs_cleanup(void)
{
nf_unregister_hook(&ip_vs_forward_icmp_ops);
- nf_unregister_hook(&ip_vs_post_routing_ops);
nf_unregister_hook(&ip_vs_out_ops);
nf_unregister_hook(&ip_vs_in_ops);
ip_vs_conn_cleanup();