
[lvs-users] packet leakage with internal IP in LVS-NAT

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] packet leakage with internal IP in LVS-NAT
From: Oguz Yilmaz <oguzyilmazlist@xxxxxxxxx>
Date: Wed, 1 Apr 2009 13:20:45 +0300
Dear lvs-users,

eth0: 10.1.111.0 subnet
eth1: 172.16.10.0 subnet

For the LVS configuration pasted below, I have the problem of leakage of
packets with real IPs of real servers even on the external VIP interface.
In this case, connections to 10.1.111.14 are load balanced onto 172.16.10.42 and
172.16.10.43 in LVS-NAT mode.
Most of the packets are correctly masqueraded. However, on the external
interface, which is on the 10.1.111.0 subnet, I see some packets with
src: 172.16.10.42 dst: 10.101.1.37 (one of lots of client IPs)
It should have been NAT'ed as
src: 10.1.111.14 dst: 10.101.1.37

Does anybody have any idea?


Extra Information:

Linux Centos 3
Kernel 2.6.9-42
ipvsadm utils: 1.2.4-6
IP Virtual Server version 1.2.0 (size=4096)

# tcpdump -i eth0 -n net 172.16.0.0/16
tcpdump: listening on eth0
11:49:44.626034 172.16.10.42.http > 10.101.1.37.1914: F 3758377743:3758377743(0) ack 805382438 win 49640 (DF)

1 packets received by filter
0 packets dropped by kernel

# tcpdump -i eth0 -n port not 22
tcpdump: listening on eth0
11:49:51.225919 10.155.1.13.1138 > 10.1.111.14.http: . ack 1594576359 win 65535 <nop,nop,timestamp 11771 39000469> (DF)
11:49:51.232295 10.134.1.140.3678 > 10.1.111.14.http: P 402277521:402278558(1037) ack 470161753 win 65316 (DF)
11:49:51.233242 10.134.1.140.3677 > 10.1.111.14.http: P 3239431185:3239432222(1037) ack 469403328 win 64343 (DF)
11:49:51.234229 10.1.111.14.http > 10.134.1.140.3678: P 1:220(219) ack 1037 win 49640 (DF)
11:49:51.235358 10.1.111.14.http > 10.134.1.140.3677: P 1:220(219) ack 1037 win 49640 (DF)
...lots of more correct packets

# ipvsadm -L -n
IP Virtual Server version 1.2.0 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.1.111.14:80 rr persistent 180
  -> 172.16.10.43:80             Masq    1      41         149
  -> 172.16.10.42:80             Masq    1      104        18

# ipvsadm -L -n --stats
IP Virtual Server version 1.2.0 (size=4096)
Prot LocalAddress:Port               Conns   InPkts  OutPkts  InBytes OutBytes
  -> RemoteAddress:Port
TCP  10.1.111.14:80                   42595  2016238  3081282  657660K    3852M
  -> 172.16.10.43:80                35924  1019050  1524973  311682K    1819M
  -> 172.16.10.42:80                 6671   997189  1556309  345977K    2033M

# ipvsadm -L -n -c | wc -l
565

# ipvsadm -L -n --thresholds
IP Virtual Server version 1.2.0 (size=4096)
Prot LocalAddress:Port            Uthreshold Lthreshold ActiveConn InActConn
  -> RemoteAddress:Port
TCP  10.1.111.14:80 rr persistent 180
  -> 172.16.10.43:80             0          0          29         147
  -> 172.16.10.42:80             0          0          118        13
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
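
One way to quantify the leak described in the post, as an added example that is not part of the original message: a parser for the tcpdump line format shown above that flags packets seen on the external interface with a real-server source address and groups them by TCP flags. The 172.16.0.0/16 network is an assumption taken from the poster's tcpdump filter, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Assumption: real-server network, taken from the tcpdump filter in the post.
REAL_NET = ipaddress.ip_network("172.16.0.0/16")

# Old-style tcpdump line: "HH:MM:SS.us SRC.port > DST.port: FLAGS ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+): "
    r"(?P<flags>[SFPRWE.]+) "
)

def find_leaks(lines, real_net=REAL_NET):
    """Return parsed packets whose source is a real-server address."""
    leaks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner, summary, or wrapped continuation line
        if ipaddress.ip_address(m["src"]) in real_net:
            leaks.append(m.groupdict())
    return leaks

def flags_by_source(leaks):
    """Count leaked packets per (source address, TCP flags)."""
    return Counter((p["src"], p["flags"]) for p in leaks)

# Sample constructed from lines of the capture in the post (wrapped lines rejoined).
SAMPLE = """\
tcpdump: listening on eth0
11:49:44.626034 172.16.10.42.http > 10.101.1.37.1914: F 3758377743:3758377743(0) ack 805382438 win 49640 (DF)
11:49:51.232295 10.134.1.140.3678 > 10.1.111.14.http: P 402277521:402278558(1037) ack 470161753 win 65316 (DF)
11:49:51.234229 10.1.111.14.http > 10.134.1.140.3678: P 1:220(219) ack 1037 win 49640 (DF)
""".splitlines()

if __name__ == "__main__":
    for (src, flags), n in flags_by_source(find_leaks(SAMPLE)).items():
        print(f"{n} un-NATed packet(s) from {src} with flags {flags}")
```

Feeding it a longer capture from the external interface shows whether the un-NATed packets cluster on one real server or on one TCP flag.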
