[lvs-users] coloring LVS-NAT connections internally using TOS/DSCP - rel

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] coloring LVS-NAT connections internally using TOS/DSCP - reliable?
From: Patrick Schaaf <netdev@xxxxxx>
Date: Thu, 07 Nov 2013 15:17:52 +0100
Dear LVS users / gurus,

I came across an idea today, which even appears to work, that could 
potentially reduce the number of ipvs realserver entries in an LVS-NAT 
scenario where multiple ports need to be passed through to the 

Right now I have a separate (fwmark) virtualserver for port 80, and 
several SSL ports that need different certificates on the realservers. The 
usual mangle/PREROUTING marking selects which one to use.

Now the idea is to reduce the LVS setup itself to the port 80 server entry, 
always select the same fwmark for that, but use rules in 
mangle/PREROUTING like -j TOS --set-tos 0x04/0xfc, with different TOS 

All SSL connections then arrive at the realservers with dport 80, but 
there I have nat/PREROUTING rules matching the TOS values, using -j 
REDIRECT --to-port 44X to internally let the connection flow to the right 
SSL port.

This appears to work quite nicely in a prototype setup.

My question would be: we run this on kernel 2.6.32 right now. That's a 
little bit ancient, and will eventually be upgraded. Was there anything 
changed in LVS kernel code since then that would make this TOS/DSCP 
marking scheme fail?

best regards
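As an added illustration (not part of the post above), the two halves of the scheme written out as iptables rules: the director stamps one fwmark plus a per-port TOS colour in mangle/PREROUTING, and each realserver matches that colour on dport 80 and REDIRECTs locally. The fwmark (80), the SSL ports (443/444/445), their DSCP colours (0x04/0x08/0x0c), the VIP 192.0.2.10 and the `IPT` override are assumptions for the example, not values from the post.

```shell
#!/bin/sh
# Added example: director and realserver rules for TOS/DSCP colouring of
# LVS-NAT flows. All concrete values below are assumptions for illustration.
set -eu

IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of applying them
VIP="${VIP:-192.0.2.10}"    # assumed public VIP (documentation address)
FWMARK="${FWMARK:-80}"      # single fwmark: ipvs sees exactly one service
TOS_MASK="0xfc"             # touch only the 6 DSCP bits, leave ECN bits alone

# "port tos" pairs: each SSL frontend port gets its own colour (assumed values).
COLOURS="443 0x04
444 0x08
445 0x0c"

# Director, mangle/PREROUTING: plain HTTP and every coloured SSL port get the
# same fwmark; the SSL ports additionally get their TOS colour. The TOS target
# is non-terminating, so the MARK rule that follows it still applies.
director_rules() {
    $IPT -t mangle -A PREROUTING -d "$VIP" -p tcp --dport 80 -j MARK --set-mark "$FWMARK"
    echo "$COLOURS" | while read -r port tos; do
        $IPT -t mangle -A PREROUTING -d "$VIP" -p tcp --dport "$port" \
            -j TOS --set-tos "$tos/$TOS_MASK"
        $IPT -t mangle -A PREROUTING -d "$VIP" -p tcp --dport "$port" \
            -j MARK --set-mark "$FWMARK"
    done
}

# Realserver, nat/PREROUTING: after ipvs NAT everything arrives on dport 80;
# the colour alone decides which local SSL listener the flow is redirected to.
realserver_rules() {
    echo "$COLOURS" | while read -r port tos; do
        $IPT -t nat -A PREROUTING -p tcp --dport 80 -m tos --tos "$tos/$TOS_MASK" \
            -j REDIRECT --to-ports "$port"
    done
}

case "${1:-}" in
    director)   director_rules ;;
    realserver) realserver_rules ;;
esac
```

Run with `IPT=echo sh script.sh realserver` to review the generated rules before applying them on a host.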