Dear LVS users / gurus,
I came across an idea today, which even appears to work, that could
potentially reduce the number of ipvs realserver entries in an LVS-NAT
scenario where multiple ports need to be passed through to the
realservers.
Right now I have a separate (fwmark) virtualserver for port 80, and
several SSL ports that need different certificates on the realservers. The
usual mangle/PREROUTING marking selects which one to use.
Now the idea is to reduce the LVS setup itself to the port 80 server entry,
always select the same fwmark for that, but use rules in
mangle/PREROUTING like -j TOS --set-tos 0x04/0xfc, with different TOS
values.
All SSL connections then arrive at the realservers with dport 80, but
there I have nat/PREROUTING rules matching the TOS values, using -j
REDIRECT --to-port 44X to internally let the connection flow to the right
SSL port.
This appears to work quite nicely in a prototype setup.
My question would be: we run this on kernel 2.6.32 right now. That's a
little bit ancient, and will eventually be upgraded. Was there anything
changed in LVS kernel code since then that would make this TOS/DSCP
marking scheme fail?
best regards
Patrick
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
|