Thanks for your reply!
Okay for the -SH scheduler, but we have a script that dynamically changes
the weight of the servers (because they are very different, hardware-wise),
and I think it wouldn't solve the problem (you'll see why).
It was very simple to test: I opened the LDAP port on a webserver with
a perl script (a server that just writes "hello"), and then connected to
this port with a telnet client just after connecting to the web service
with my browser.
Result: I'm connected to the webserver (via the LDAP mark...).
In fact, I looked into the code, and I think that LVS can't handle
multiple fwmark + persistence services (maybe we found a bug?).
If you look in ip_vs.h (in the headers):
static inline void ip_vs_addr_copy(int af, union nf_inet_addr *dst,
                                   const union nf_inet_addr *src)
{
#ifdef CONFIG_IP_VS_IPV6
        if (af == AF_INET6)
                ipv6_addr_copy(&dst->in6, &src->in6);
        else
#endif
        dst->ip = src->ip;
}

static inline int ip_vs_addr_equal(int af, const union nf_inet_addr *a,
                                   const union nf_inet_addr *b)
{
#ifdef CONFIG_IP_VS_IPV6
        if (af == AF_INET6)
                return ipv6_addr_equal(&a->in6, &b->in6);
#endif
        return a->ip == b->ip;
}
These functions are used to check if a template already exists.
In the fwmarked template, ->ip is always 0.0.0.0 and ->all (where
the fwmark is written) isn't tested (and not copied, as you can see!).
So, the first template created by a "fwmark persistent service" will
match every fwmark persistent service (ip = 0.0.0.0, it's the same for
Correct me if I'm wrong?
If it's a bug, I hope a dev could fix this.
Joseph Mack NA3T wrote:
> On Thu, 23 Apr 2009, Fabien Duchêne wrote:
>> We are trying to setup a LVS load balancer for multiple services (HTTP,
>> HTTPS, LDAP, ...).
>> All these services are distributed over several servers, and they all
>> need persistence.
> you could try the -SH scheduler as an alternative (not a whole lot
>> They also use multiple ports, so we used fwmarks to identify the service.
>> When you connect for the first time, you are stuck to a real server of
>> the service you're accessing (HTTP for example).
>> The problem is that, after that, if you try to access another virtual
>> service (LDAP for instance), you get an ICMP port unreachable, because
>> you're still stuck on the HTTP real server.
> do you know why you get a port unreachable? I wouldn't have expected
> that. Is the realserver listening on that port? Is the connect request
> making it to the realserver?
> Please read the documentation before posting - it's available at:
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
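The template-matching behaviour described in the mail above, reproduced in userspace as an added example (this is not LVS code and not part of the thread). It models union nf_inet_addr with the layout assumed from the kernel header (->ip aliasing the first word of ->all), keeps the two helpers as quoted, and adds a hypothetical addr_equal_all() that compares all four words. The placement of the fwmark in the last word of ->all, the helper names fwmark_key(), template_matches() and copy_keeps_mark(), and the marks 80 (HTTP) and 389 (LDAP) are all constructed for the demonstration.

```c
#include <arpa/inet.h>     /* htonl */
#include <netinet/in.h>    /* struct in_addr, struct in6_addr */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>    /* AF_INET, AF_INET6 */

/* Userspace stand-in for the kernel's union nf_inet_addr. The layout is
 * assumed to match the kernel: ->ip aliases ->all[0], ->in6 spans all
 * four words. */
union nf_inet_addr {
    uint32_t        all[4];
    uint32_t        ip;
    uint32_t        ip6[4];
    struct in_addr  in;
    struct in6_addr in6;
};

/* The two helpers as quoted from ip_vs.h; memcmp stands in for the
 * kernel's ipv6_addr_equal(). */
static inline void ip_vs_addr_copy(int af, union nf_inet_addr *dst,
                                   const union nf_inet_addr *src)
{
    if (af == AF_INET6)
        dst->in6 = src->in6;
    else
        dst->ip = src->ip;
}

static inline int ip_vs_addr_equal(int af, const union nf_inet_addr *a,
                                   const union nf_inet_addr *b)
{
    if (af == AF_INET6)
        return memcmp(&a->in6, &b->in6, sizeof(a->in6)) == 0;
    return a->ip == b->ip;
}

/* Hypothetical stricter comparison: compare all four words regardless of
 * address family, so a fwmark stored in ->all takes part in the match. */
static inline int addr_equal_all(int af, const union nf_inet_addr *a,
                                 const union nf_inet_addr *b)
{
    (void)af;
    return memcmp(a->all, b->all, sizeof(a->all)) == 0;
}

/* Key a fwmark persistence template is looked up by. ASSUMPTION: the mark
 * is written into the last word of ->all and the other words are zero, so
 * ->ip reads as 0.0.0.0 just as the mail describes. */
static union nf_inet_addr fwmark_key(uint32_t fwmark)
{
    union nf_inet_addr key;
    memset(&key, 0, sizeof(key));
    key.all[3] = htonl(fwmark);
    return key;
}

typedef int (*addr_cmp_fn)(int, const union nf_inet_addr *,
                           const union nf_inet_addr *);

/* Does an existing AF_INET template for existing_mark match a lookup for
 * wanted_mark under the given comparison? Returns 1 for a hit. */
static int template_matches(uint32_t existing_mark, uint32_t wanted_mark,
                            addr_cmp_fn cmp)
{
    union nf_inet_addr stored = fwmark_key(existing_mark);
    union nf_inet_addr wanted = fwmark_key(wanted_mark);
    return cmp(AF_INET, &wanted, &stored);
}

/* Does building a template by copying the key with ip_vs_addr_copy keep
 * the fwmark? Returns 1 if the mark survives the copy. */
static int copy_keeps_mark(uint32_t fwmark)
{
    union nf_inet_addr src = fwmark_key(fwmark);
    union nf_inet_addr dst;
    memset(&dst, 0, sizeof(dst));
    ip_vs_addr_copy(AF_INET, &dst, &src);
    return dst.all[3] == htonl(fwmark);
}

int main(void)
{
    /* Constructed marks: 80 for the HTTP service, 389 for LDAP. */
    printf("LDAP lookup hits HTTP template (ip-only compare): %d\n",
           template_matches(80, 389, ip_vs_addr_equal));
    printf("LDAP lookup hits HTTP template (all-words compare): %d\n",
           template_matches(80, 389, addr_equal_all));
    printf("fwmark survives ip_vs_addr_copy: %d\n", copy_keeps_mark(389));
    return 0;
}
```

With the ip-only comparison the LDAP lookup matches the HTTP template because both keys read 0.0.0.0 in ->ip, and the copy drops the mark entirely; comparing the whole ->all array separates the two marks. Whether the kernel's template lookup really stores the mark in the last word, and which comparison the actual fix should use, is for someone reading the LVS source to confirm.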