On Wed, 10 Sep 2008, Brian Ghidinelli wrote:
> I'm trying to fix the problem of return packets from my
> real servers being killed as INVALID when combining
> iptables + lvs (in my case, keepalived).
I assume you're doing stateful filtering. This isn't
compatible with LVS: for LVS-DR because the return packets
don't go through the director, for LVS-NAT because LVS-NAT
reroutes packets so netfilter doesn't see them.
The simple suggestion then is to turn off stateful
filtering.
The more complicated suggestion is to apply Siim Pedr's
patch for LVS-NAT stateful filtering (look in the archives,
it was about 2 months ago). Siim's patches will be in some
future release of ip_vs(), but this won't help you now.
Siim's patches tell netfilter to ignore packets controlled
by LVS, which puts you back into the simple solution above,
but it does handle the situation where people just have to
have stateful filtering. There isn't a solution for LVS-DR,
although Siim's code could be extended to cover LVS-DR, if
anyone wants to sit down and do it.
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
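As an added example (not part of Joe's reply, Brian's post, or the LVS/keepalived projects), here is what the "simple suggestion" looks like in iptables-restore form for an LVS-NAT director, beside the stateful ruleset that kills the real-server replies. The VIP 192.0.2.10, the real-server network 10.0.0.0/24 and the service ports are made up. The third ruleset, which uses the raw table's NOTRACK target so that connection tracking never sees LVS traffic, is my own userspace approximation of "tell netfilter to ignore packets controlled by LVS"; it is not Siim's kernel patch, and like the rest of this script it only covers LVS-NAT.

```shell
#!/bin/sh
# Added example for the thread above; not code from the mailing list,
# from keepalived or from ip_vs. Emits iptables-restore rulesets for an
# LVS-NAT director. All addresses and ports are constructed for the
# example.
#
# Assumption about packet flow (2.6-era ip_vs): client->VIP packets are
# grabbed by ip_vs in LOCAL_IN, real-server replies pass through the
# filter FORWARD chain *before* ip_vs rewrites them, so filter rules see
# src=RIP:port. Conntrack never saw the rewrite, so a "--state INVALID
# -j DROP" rule in FORWARD kills the replies.

VIP="${VIP:-192.0.2.10}"          # virtual IP (made up)
RIP_NET="${RIP_NET:-10.0.0.0/24}" # real-server network (made up)
SERVICE_PORTS="${SERVICE_PORTS:-80 443}"

# The problem ruleset: conventional stateful firewall on the director.
# Real-server replies are classified INVALID and dropped in FORWARD.
stateful_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' '-A FORWARD -m state --state INVALID -j DROP'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $SERVICE_PORTS; do
        printf '%s\n' "-A INPUT -d $VIP -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# The "simple suggestion": no stateful filtering at all. Every rule is a
# plain address/port match, so conntrack's opinion of the packet is
# irrelevant. Replies are matched by real-server source and service port.
stateless_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    for p in $SERVICE_PORTS; do
        printf '%s\n' "-A INPUT -d $VIP -p tcp --dport $p -j ACCEPT"
        printf '%s\n' "-A FORWARD -s $RIP_NET -p tcp --sport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Assumption, not the kernel patch discussed above: keep LVS traffic out
# of connection tracking with the raw table, so a stateful ruleset for
# the director's other traffic keeps working. Untracked packets match
# neither NEW nor ESTABLISHED nor INVALID, so they still need explicit
# accepts such as those in stateless_ruleset.
notrack_ruleset() {
    printf '%s\n' '*raw' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' "-A PREROUTING -d $VIP -j NOTRACK"
    printf '%s\n' "-A PREROUTING -s $RIP_NET -j NOTRACK"
    printf '%s\n' 'COMMIT'
}

# Apply one ruleset with iptables-restore (needs root; never done by
# default so the script is safe to run just to look at the output).
apply_ruleset() {
    case "$1" in
        stateful|stateless|notrack) "${1}_ruleset" | iptables-restore ;;
        *) echo "usage: apply_ruleset stateful|stateless|notrack" >&2; return 1 ;;
    esac
}

case "${1:-show}" in
    show)
        echo "# problem ruleset";   stateful_ruleset
        echo "# stateless ruleset"; stateless_ruleset
        echo "# notrack ruleset";   notrack_ruleset ;;
    --apply) apply_ruleset "$2" ;;
esac
```

Run it with no arguments to print all three rulesets; `--apply stateless` loads the stateless one on a director. Check `cat /proc/net/ip_conntrack` (or `conntrack -L`) after a few requests: with the notrack ruleset the VIP flows should not appear at all.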