
Re: Does conntrack information survive LVS-NAT?

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Does conntrack information survive LVS-NAT?
Cc: mack@xxxxxxxx
From: Nelson Castillo <nelsoneci@xxxxxxxxx>
Date: Thu, 23 Jun 2005 17:15:25 -0500
Joseph, thanks for the reply.

>> My question is: Is the conntrack information set
>> again on packets that come back from the real
>> servers to be routed by the director?
> the fwmark only exists in the sk_buff. Once the
> packet leaves
> the box, it is no longer fwmark'ed, ie the returning
> packets are not marked.

I see. 

I read a solution that involves conntrack and people say
it works when you do a simple DNAT.

It is:

Mark packets when they enter the director depending
on the destination IP address:

# iptables -t mangle -A PREROUTING -m conntrack \
    --ctorigdst $IP1 -j MARK --set-mark=1
# iptables -t mangle -A PREROUTING -m conntrack \
    --ctorigdst $IP2 -j MARK --set-mark=2

And route them when they come back depending on that mark:

# ip rule add fwmark 1 table T1
# ip rule add fwmark 2 table T2

I thought it would also work with LVS... but I tried and
it didn't.

I guess I should try the ipvs-nfct patch.

I wonder whether having LVS with 2 uplink providers
is a common setup.

Regards,
Nelson.-

-- 
Homepage : http://geocities.com/arhuaco

The first principle is that you must not fool yourself
and you are the easiest person to fool.
     -- Richard Feynman.
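The mark-then-route setup from the message above, expanded into a complete script as an added example that is not part of the original mail or the LVS project. Addresses, gateways, interface names and table numbers are placeholder assumptions, and commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original mail or the LVS project): mark a
# connection on entry by its original destination, then route the replies
# by that mark. Addresses (RFC 5737 documentation ranges), gateways,
# interface names and table numbers are placeholder assumptions.
IP1=192.0.2.10;    GW1=192.0.2.1;    DEV1=eth0   # uplink 1
IP2=198.51.100.10; GW2=198.51.100.1; DEV2=eth1   # uplink 2

# Dry run by default: print each command instead of executing it.
# Set APPLY=1 in the environment to really change kernel state.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# $1 = original destination address, $2 = mark value.
# Matches on the conntrack entry's original tuple, so the rule fires for
# every packet of the connection, replies included, not only the first.
mark_by_orig_dst() {
    run iptables -t mangle -A PREROUTING -m conntrack --ctorigdst "$1" \
        -j MARK --set-mark "$2"
}

# $1 = mark value, $2 = routing table, $3 = gateway, $4 = outgoing device.
# The post shows only the 'ip rule' line; each table also needs a route.
route_by_mark() {
    run ip route replace default via "$3" dev "$4" table "$2"
    run ip rule add fwmark "$1" table "$2"
}

mark_by_orig_dst "$IP1" 1
mark_by_orig_dst "$IP2" 2
route_by_mark 1 1 "$GW1" "$DEV1"
route_by_mark 2 2 "$GW2" "$DEV2"
```

This is the plain DNAT case the post says works: the reply matches the conntrack entry created on the way in, so --ctorigdst still identifies the uplink. On an unpatched IPVS-NAT director the real servers' replies do not match that entry and stay unmarked, which is what the ipvs-nfct patch mentioned in the post addresses.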
