Re: [lvs-users] 2x LVS-DR director + realserver on one machine -> packet

To: Tomasz Chmielewski <mangoo@xxxxxxxx>
Subject: Re: [lvs-users] 2x LVS-DR director + realserver on one machine -> packet storm/looping
Cc: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: David Coulson <david@xxxxxxxxxxxxxxxx>
Date: Sun, 23 Oct 2011 17:11:14 -0400
You could do something like

iptables -t mangle -A PREROUTING -p tcp --dport 80 -d -j MARK --set-mark 100
iptables -t mangle -A PREROUTING -m mac --mac-source xx:xx:xx:xx:xx:xx -j MARK --set-mark 0

Then put your ipvsadm under fwm 100. Replace the MAC in the rule with 
the MAC of the 'other' box, or you could change the first rule so it 
verifies that the source MAC is that of your firewall or something. 
Probably better to allow everything, then have it skip the stuff you 
don't want.

On 10/23/11 5:02 PM, Tomasz Chmielewski wrote:
> On 23.10.2011 22:47, David Coulson wrote:
>> What happens if you remove the ipvsadm rules on the host which does not
>> have the VIP active on eth0 on it?
> Then, no flood, works great.
> However, I'd rather have the rules set on both hosts, since it 
> normally simplifies the setup (no need to reconfigure ipvsadm rules if 
> the IP fails over etc.).
>> Sounds like both systems are running the packet through LVS and routing
>> it back and forth. I guess you could implement it with FWM and have it
>> not match packets coming from the MAC of the other director.
> Hmm, any more hints on such a rule?
>> When I've done a two-node environment with director and real on the same
>> box, I've always run a private interconnect between them and routed
>> traffic over that.
> No such luck here!
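The fwmark setup sketched above, written out as a complete script. This is an added example, not David's commands or anything shipped with LVS/ipvsadm; the VIP 192.0.2.10, port 80, mark 100, peer MAC 00:11:22:33:44:55, the real server addresses and the DRY_RUN/APPLY switches are all hypothetical values and conventions chosen for the example. It also encodes the one ordering caveat the two-rule approach depends on: MARK is not a terminating target, so the rule that clears the mark for frames from the other director has to sit after the rule that sets it.

```shell
#!/bin/sh
# Added example, not the poster's commands: fwmark-based LVS-DR virtual service
# on a host that is both director and real server, with frames arriving from the
# other director's MAC kept out of LVS so the two boxes stop bouncing the same
# packet back and forth.
#
# All values below are hypothetical placeholders; override them in the environment.
VIP="${VIP:-192.0.2.10}"                           # the failover VIP
VPORT="${VPORT:-80}"
FWM="${FWM:-100}"                                  # firewall mark the virtual service is keyed on
PEER_MAC="${PEER_MAC:-00:11:22:33:44:55}"          # MAC of the other director
REALSERVERS="${REALSERVERS:-10.0.0.11 10.0.0.12}"  # real servers, direct-routing (-g) mode

# With DRY_RUN=1 the commands are printed instead of executed, so the rule set
# can be reviewed on a host without iptables/ipvsadm.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mangle rules. The first marks VIP:port traffic for the fwmark service; the
# second, which must come AFTER it, clears the mark on frames whose source MAC
# is the other director. MARK does not stop rule traversal, so the last
# matching rule decides the mark the packet leaves PREROUTING with: a packet
# the peer already balanced to this box ends up with mark 0 and is served
# locally; everything else keeps mark $FWM and goes through LVS.
mangle_rules() {
    run iptables -t mangle -A PREROUTING -p tcp -d "$VIP" --dport "$VPORT" \
        -j MARK --set-mark "$FWM"
    run iptables -t mangle -A PREROUTING -m mac --mac-source "$PEER_MAC" \
        -j MARK --set-mark 0
}

# Virtual service keyed on the mark rather than on VIP:port, so the same
# ipvsadm rules work on both hosts regardless of which one holds the VIP.
ipvs_rules() {
    run ipvsadm -A -f "$FWM" -s rr
    for rs in $REALSERVERS; do
        run ipvsadm -a -f "$FWM" -r "$rs" -g
    done
}

# Self-check for the ordering caveat: succeeds only if the "clear mark" rule
# is emitted after the "set mark" rule. Runs the rule generator in a subshell
# with DRY_RUN=1 so nothing is installed and DRY_RUN does not leak.
mark_order_ok() {
    (DRY_RUN=1; mangle_rules) | awk -v fwm="$FWM" '
        index($0, "--set-mark " fwm) && !svc { svc = NR }
        /--set-mark 0$/                       { clr = NR }
        END { exit !(svc && clr && clr > svc) }'
}

# Install only when explicitly asked; plain execution just defines the functions.
#   review:  DRY_RUN=1 APPLY=1 sh lvs-fwm.sh
#   apply:   APPLY=1 sh lvs-fwm.sh
if [ "${APPLY:-0}" = 1 ]; then
    mark_order_ok || { echo "mangle rule order is wrong" >&2; exit 1; }
    mangle_rules
    ipvs_rules
fi
```

Because the virtual service is keyed on the mark rather than on the VIP, the ipvsadm side is identical on both hosts and survives a VIP failover unchanged; only the MAC in PEER_MAC differs between the two boxes. The example does not try to remove the rules again, so flush the mangle chain and the fwmark service before re-running it.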

Please read the documentation before posting - it's available at: mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to
