|
Hello,
On Mon, 9 Jan 2012, Dmitry Akindinov wrote:
> > For IPVS tcp_conn_schedule schedules TCP packets only
> > when SYN is present, no matter the ACK flag. Can you check with
> > IPVS debugging what exactly happens? May be the problem is netfilter
> > stateful inspection where the synack combination results in
> > sIV (invalid) packet state.
>
> Let me describe the situation again. One of the servers in the farm,
> server X, as a unique port range (16000-16999, for example), assigned to it.
> That server starts an outgoing TCP connection using the VIP address as the
> source, for that VIP address is configured locally as an IP alias of the
> loopback interface.
>
> This means that the initial packet - i.e. the SYN packet goes from the server
> X to the remote target directly, bypassing an IPVS system. The IPVS system
> will never see a SYN packet for an OUTGOING connection initiated by one of the
> servers in the farm.
>
> The response packets for such a connection would go to the VIP address, and
> thus to the IPVS system. What we need to do there is to detect these packets
> (pretty easy to do with iptables: all packets to a VIP, to any port in the
> 16000-16999 range), and then forward these packets w/o any modification to the
> server X MAC.
>
> Our understanding is that the IPVS balancer can operate only in the stateful
> mode, and that the state table is modified (a "session is built") only when a
> SYN packet is processed (we do not know this, it's just our understanding, but
> it looks like you are confirming it, right?).
>
> In our case no SYN packet for an OUTGOING connection would ever be seen
> by an IPVS system, so it does not build a session, so IPVS cannot be used for
> "outoging respose balancing/dispatching".
I think, you described the setup in previous email.
IPVS supports creating new TCP connection for SYN+ACK packet.
While Netfilter's stateful inspection differentiates SYN
from SYN+ACK packets, IPVS treats them as SYN packet. See
net/netfilter/ipvs/ip_vs_proto_tcp.c (tcp_state_idx) and
net/netfilter/nf_conntrack_proto_tcp.c (get_conntrack_index)
for reference. This is the way IPVS to support active FTP for
DR/TUN mode where the real server initiates DATA connection
to client and IPVS detects it by the SYN+ACK packet from
client. So, I think IPVS should support scheduling by SYN+ACK.
> Our question, thus, is - is it possible to configure IPVS to do stateless
> load-balancing, given that there is only one real server to "balance" to?
No but it does not matter how many real servers are used.
> If not, then the question is - are there any plans to add stateless
> load-balancing to IPVS?
No, it is possible to implement but nobody needs it.
> > > > Another option is to use ip rules with fwmark
> > > > matching to forward the traffic. New kernels support the
> > > > option to override the priority 0 for table local.
> > >
> > > How that can be configured?
> >
> > # Reduce priority for traffic to local routes
> > ip rule add pref 10 lookup local
> > ip rule del pref 0
>
> We cannot make it work on the CentOS 6.0 system (2.6.32-71.el6.x86_64 kernel).
> What are the kernels that have the ability to remove the rule #0?
I see, may be it comes with 2.6.33
> Also, these rules need to be modified when, for example, a new server
> is added to the farm. It may cause disruption to already established
> connections if the rules have to be removed and then added one-by-one.
Adding/removing iptables rule or replacing route in
tables is not a big problem, of course, you should not recreate
all rules.
> Managing all these things via IPVS would be a much cleaner way.
Agreed
> > # Add higher priority rules, all with same pref 1
> > # Forward traffic for VIP:range to RIPs:
> > ip rule add pref 1 from 0/0 iif<EXTIF> fwmark 1 lookup 1
> > ip route add default via RIP1 dev<RIP_IF> src<DIP> table 1
> > ip rule add pref 1 from 0/0 iif<EXTIF> fwmark 2 lookup 2
> > ip route add default via RIP2 dev<RIP_IF> src<DIP> table 2
> > ...
> > ip rule add pref 1 from 0/0 iif<EXTIF> fwmark 10 lookup 10
> > ip route add default via RIP10 dev<RIP_IF> src<DIP> table 10
> >
> > But the problem with stateful inspection is here too.
>
> Why? AFAIU, ip rules are completely stateless and they do not care
> what packet to forward, am I wrong?
If Netfilter's conntracking is loaded and running
you will have the problem with the stateful inspection
marking the packets as INVALID, Netfilter does not support
one-way connections as IPVS DR/TUN. May be you will have to
run IPVS without Netfilter conntracking.
Regards
--
Julian Anastasov <ja@xxxxxx>
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
|
