Re: [lvs-users] Outgoing TCP from real servers using VIP as the source i

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Outgoing TCP from real servers using VIP as the source in DR balancing mode
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Fri, 06 Jan 2012 09:38:57 +0000

Hi Dmitry

Nice to see you pop up here (I was the CGP person at Loughborough Uni).

On Fri, 2012-01-06 at 11:15 +0400, Dmitry Akindinov wrote:
> Is there any way to redirect a packet without modification to a 
> different server (substituting the target MAC),
> using just the iptables module? Or is there a way to manage LVS director 
> connection tables for this purpose: directing the tcp connection 
> response packets to the proper real server?

As Julian suggested, probably the easiest way to do this is to use
fwmarks.

On the director, have an iptables rule (or rules) matching ports 80,443
and so on which sets a MARK value of (say) 0x1. Then have a virtual
server setup to catch traffic with mark value 0x1 to forward to the ten
realservers (using the examples from the man page for clarity and ease
of reproduction, your usage may vary with how you're managing the VS):

ipvsadm -A -f 1 -s rr
ipvsadm -a -f 1 -r [RIP1] -g
...
ipvsadm -a -f 1 -r [RIP10] -g

Also on the director, have an iptables rule using the multiport module
which matches each realserver's port range, something like this:

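# MARK is only valid in the mangle table; the mark is decimal 101 so that it
# equals the "-f 101" service below (0x101 would be 257)
iptables -t mangle -I INPUT -p tcp -m multiport -d VIP1 --destination-ports 16000:16999 -j MARK --set-mark 101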

and then create a virtual service to match that to forward to the first
realserver:

ipvsadm -A -f 101 -s rr
ipvsadm -a -f 101 -r [RIP1] -g

Rinse and repeat for all server/port ranges.

As Julian also points out, be wary of this overloading the director.

I'd be very interested to know what you're scaling out with this
approach!

Regards,

Graeme
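
The "rinse and repeat" step above, as an added example that is not part of the original post: a dry-run generator that prints the director's mark rules and fwmark services for every realserver so they can be reviewed before being applied. The addresses, the consecutive 1000-port ranges starting at 16000, the marks 101 and up, and the `gen_rules` name are assumptions; the chain mirrors the post's INPUT rule, placed in the mangle table.

```shell
#!/bin/sh
# Dry-run generator: prints the director commands, it does not execute them.
# All addresses used here are constructed documentation-range values.

# gen_rules VIP BASE_PORT RANGE_SIZE RIP...   (hypothetical helper)
gen_rules() {
    vip=$1 base=$2 size=$3
    shift 3
    n=$#

    # Refuse a layout whose last range would run past the top of the port space.
    last=$((base + n * size - 1))
    if [ "$last" -gt 65535 ]; then
        echo "error: ranges end at port $last (> 65535)" >&2
        return 1
    fi

    # Shared service: 80/443 to the VIP gets mark 1, balanced over all realservers.
    echo "iptables -t mangle -I INPUT -p tcp -m multiport -d $vip --destination-ports 80,443 -j MARK --set-mark 1"
    echo "ipvsadm -A -f 1 -s rr"
    for rip in "$@"; do
        echo "ipvsadm -a -f 1 -r $rip -g"
    done

    # One mark and one single-member service per realserver port range, so
    # packets to the VIP on that range always reach the same realserver.
    i=1
    for rip in "$@"; do
        lo=$((base + (i - 1) * size))
        hi=$((lo + size - 1))
        mark=$((100 + i))   # decimal, the same number handed to ipvsadm -f
        echo "iptables -t mangle -I INPUT -p tcp -m multiport -d $vip --destination-ports $lo:$hi -j MARK --set-mark $mark"
        echo "ipvsadm -A -f $mark -s rr"
        echo "ipvsadm -a -f $mark -r $rip -g"
        i=$((i + 1))
    done
}

# Constructed sample: one VIP and three realservers.
gen_rules 192.0.2.10 16000 1000 198.51.100.1 198.51.100.2 198.51.100.3
```

Review the printed commands, then pipe them to `sh` as root on the director to apply them.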



_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users