Hi
On Tue, 2013-02-05 at 20:45 +0400, Dmitry Akindinov wrote:
> We have met a quite troublesome situation which causes an internal SYN
> storm.
I documented this some time ago on this list, but will offer the
solution that I came up with at the time - which coincidentally I gave
to you as a possible solution to a separate problem you were having last
year :)
As you say, in a system where there is a multi-director setup (with or
without connection table synchronisation) it is possible for a packet to
hit one director and then "ping-pong" between two (or more) directors
causing a network storm.
My solution to this was to use the iptables MARK module to apply an
fwmark value to incoming traffic on the directors which is NOT from the
MAC address of the other director(s) in the system, and then set up the
LVS using the ipvsadm -f parameter to match those packets.
This way the incoming packets from the upstream router are marked, but
those being sent from the other director are not. In turn, those from
the upstream router are then handled using LVS; those from the other
director are not.
It may not be terribly elegant, and it may not scale easily across more
than three directors - but it does work.
http://archive.linuxvirtualserver.org/html/lvs-users/2012-08/msg00014.html
Graeme
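As an added illustration of the fwmark scheme described in the message above (an example script, not anything posted in the original thread), assuming constructed values for the VIP, the peer directors' MAC addresses and the real servers:

```shell
#!/bin/sh
# Added example, not from the thread. On each director: packets arriving from
# a peer director's MAC are left unmarked (so IPVS ignores them), everything
# else addressed to the VIP gets an fwmark, and the LVS service is defined on
# that fwmark with "ipvsadm -f" rather than on VIP:port.
VIP="192.0.2.10"                                   # constructed virtual IP
FWMARK="1"                                         # constructed fwmark value
PEER_MACS="00:11:22:33:44:55 00:11:22:33:44:66"   # constructed MACs of the other directors
REAL_SERVERS="192.168.10.11 192.168.10.12"        # constructed real servers

# DRY_RUN=1 prints each command instead of executing it, for review.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# mangle/PREROUTING: RETURN (no mark) for frames from peer directors,
# then MARK everything else destined for the VIP.
director_mark_rules() {
  for mac in $PEER_MACS; do
    run iptables -t mangle -A PREROUTING -d "$VIP" -m mac --mac-source "$mac" -j RETURN
  done
  run iptables -t mangle -A PREROUTING -d "$VIP" -j MARK --set-mark "$FWMARK"
}

# LVS virtual service keyed on the fwmark (direct-routing real servers),
# so only router-originated, marked packets are load balanced.
director_ipvs_rules() {
  run ipvsadm -A -f "$FWMARK" -s rr
  for rs in $REAL_SERVERS; do
    run ipvsadm -a -f "$FWMARK" -r "$rs" -g
  done
}

# Apply only when explicitly asked: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
  director_mark_rules
  director_ipvs_rules
fi
```

Run with DRY_RUN=1 first to review the generated rules; the peer MACs must be the source addresses actually seen on the director's ingress interface, and the same rules are installed on every director with its own peer list.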
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx