Looking at the documentation for ipvsadm it seems that in order to run ipvsadm
on a director that is also running a nat-firewall you have to patch the
kernel with the ipvs_nfct patch.
Can someone please confirm that that this is correct?
I ask because I have spent a frustrting 8 hours attempting to get such a setup
to work and failed dismally. Unfortunately, patching the kernel is not an
option in this case (nor in many production firewall cases I might add - any
ETA when these patches may make it into the mainstream ipvsadm code?), so I
will probably have to switch to some other load balancer eg balance, but I
really don't want to.
Internet <-> LVS/Firewall/VIP/Router <-> RIP (6 machines)
The Router machine masquerades the RIP machines (real webservers) which are on
a private network and only connect to the outside world through the Router.
It has all the firewall rules and is the one on which I want to run ipvsadm.
Packets get to RIP machines from Internet via Router, but get blocked on their
way back. In the firewall log on Router I see these lines (router001 is the
Router machine running Suse 11.0, bond0 is the internal interface to the real
webservers (2 bonded nics), eth2 is the VIP interface):
Apr 8 18:21:32 router001 kernel: SFW2-FWDint-DROP-DEFLT-INV IN=bond0 OUT=eth2
SRC=192.168.X.XXX DST=72.84.XX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF
PROTO=TCP SPT=8080 DPT=58558 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT
Note the SFW2-FWDint-DROP-DEFLT-INV means the packet is being dropped because
it is invalid, which got me thinking it was probably something to do with
these connection tracking issues.
Any suggestions for a workaround would be greatly appreciated. Connecting the
RIPs directly to the internet and using Direct Routing is not an option.
Putting the firewall on another box is also not an option.
Please read the documentation before posting - it's available at:
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users