Yo!
The basic premise was, that it would be helpful to have an iptables
match to identify IPVS connections without exporting them to conntrack.
It would allow doing firewalling on the LVS machine in a consistent manner.
At first I had trouble getting the conntrack entries to roughly match
the ipvs connection table entries which involved tuning netfilter timers
quite a bit.
Now, a few days ago one of our LVS servers crashed and the failover took
over as it should. However, since the LVS servers were also stateful
firewalls using Julian's nfct patches, a problem occurred. The sync
daemons had synced the ipvs connection tables just fine, but even though
exporting to conntrack had been enabled, the conntrack entries didn't
appear on the failover machine. Thus, the firewall stopped all
connections (as they weren't ESTABLISHED).
Maybe it has something to do with the synced connections not being
considered "active" as described by David Black a week ago? Or maybe
it's just a side effect of the sync daemon only syncing where it absolutely
needs to (to optimize the amount of traffic). Whatever the case, I did
what seems right and wrote the iptables match for IPVS connections.
It's very basic (meant for using in the FORWARD chain for outgoing
packets), but if anyone needs it, it's available at:
http://p6drad-teel.net/~windo/release/pom-ipvs_match.tar.gz
I tried to stick it into patch-o-matic format. It's been smoke-tested
and seems to work. I'd be grateful for any comments/improvements.
Siim