On Wed, Sep 16, 2009 at 02:43:53PM +0100, Malcolm Turnbull wrote:
> Nicolas,
> With TUN or DR mode it's probably best to use firewall marks to group
> all of the possible ports together:
> active 20,21
> passive 21,high_port
> # This example marks and groups the active FTP ports
> VIP1="192.168.0.66"
> # First two rules are for Active connections
> iptables -t mangle -A PREROUTING -p tcp -d $VIP1 --dport 21 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -p tcp -d $VIP1 --dport 20 -j MARK --set-mark 1
> # Third additional rule for passive
> iptables -t mangle -A PREROUTING -p tcp -d $VIP1 --dport 1024: -j MARK --set-mark 1
Malcolm,
Thanks for your answer. It's a good track, but it seems LVS doesn't care
about my marks :-)
Here is my new ipvsadm conf:
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP lo-pp.nerim.net:www wlc persistent 120
-> harrisburg.nerim.net:www Tunnel 1 0 0
-> sellafield.nerim.net:www Tunnel 1 0 0
FWM 1 wlc persistent 120
-> harrisburg.nerim.net:0 Tunnel 1 0 0
-> sellafield.nerim.net:0 Tunnel 1 0 0
And the iptables conf:
Chain PREROUTING (policy ACCEPT 20638 packets, 3081K bytes)
pkts bytes target prot opt in out source destination
14 880 MARK tcp -- any any anywhere lo-pp.nerim.net tcp dpt:ftp MARK xset 0x1/0xffffffff
1 64 MARK tcp -- any any anywhere lo-pp.nerim.net tcp dpt:ftp-data MARK xset 0x1/0xffffffff
0 0 MARK tcp -- any any anywhere lo-pp.nerim.net tcp dpts:1024:65535 MARK xset 0x1/0xffffffff
As you can see, some packets match these mark rules but they are not
load-balanced.
--
Nicolas Haller
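A small sanity check for the kind of FWM setup discussed in this thread, added here as an example rather than anything posted on the list: it parses `ipvsadm -L` and `iptables -t mangle -L PREROUTING -v` style listings and reports marks that iptables sets but no FWM virtual service consumes, FWM services with no real servers, and mark rules whose packet counter is still zero. The sample listings are constructed to resemble the ones quoted above; the extra smtp rule with mark 2 is an assumption added to show an unmatched mark.

```python
import re

# Constructed sample listings modelled on the ipvsadm/iptables output in the thread (assumption)
IPVSADM_OUT = """\
Prot LocalAddress:Port Scheduler Flags
TCP  lo-pp.nerim.net:www wlc persistent 120
  -> harrisburg.nerim.net:www     Tunnel  1      0          0
FWM  1 wlc persistent 120
  -> harrisburg.nerim.net:0       Tunnel  1      0          0
"""
IPTABLES_OUT = """\
 pkts bytes target prot opt in out source destination
   14   880 MARK tcp -- any any anywhere lo-pp.nerim.net tcp dpt:ftp MARK xset 0x1/0xffffffff
    1    64 MARK tcp -- any any anywhere lo-pp.nerim.net tcp dpt:ftp-data MARK xset 0x1/0xffffffff
    0     0 MARK tcp -- any any anywhere lo-pp.nerim.net tcp dpts:1024:65535 MARK xset 0x1/0xffffffff
    3   180 MARK tcp -- any any anywhere lo-pp.nerim.net tcp dpt:smtp MARK xset 0x2/0xffffffff
"""

def fwm_services(text):
    """Map each FWM virtual service's mark to its number of real servers."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"FWM\s+(\d+)", line)
        if m:
            current = int(m.group(1))
            services[current] = 0
        elif line.lstrip().startswith("->"):
            if current is not None:
                services[current] += 1
        else:
            current = None  # a TCP/UDP service or header line ends the FWM block
    return services

def mark_rules(text):
    """Extract (mark, packets_matched, port_match) from each MARK rule line."""
    pat = re.compile(r"\s*(\d+)\s+\S+\s+MARK\s+.*?(tcp dpts?:\S+).*?xset 0x([0-9a-f]+)")
    return [(int(m.group(3), 16), int(m.group(1)), m.group(2))
            for m in map(pat.match, text.splitlines()) if m]

def check(ipvsadm_text, iptables_text):
    """Report marks with no FWM service behind them and rules that never matched."""
    services, findings = fwm_services(ipvsadm_text), []
    for mark, pkts, match in mark_rules(iptables_text):
        if mark not in services:
            findings.append(f"mark {mark} ({match}): no FWM service, traffic is not balanced")
        elif services[mark] == 0:
            findings.append(f"mark {mark} ({match}): FWM service has no real servers")
        elif pkts == 0:
            findings.append(f"mark {mark} ({match}): rule has matched no packets yet")
    return findings
```

On a director you would feed it the live output of the two commands instead of the constructed strings.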
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users