Re: [lvs-users] lvs tun and ipip fragments

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] lvs tun and ipip fragments
From: Kelsey Cummings <kgc@xxxxxxxxxxxxxx>
Date: Mon, 16 Jul 2012 12:18:17 -0700
Julian, I haven't had time to test the patches yet but wanted to at
least answer your questions.


On Mon, Jul 09, 2012 at 10:49:24AM +0300, Julian Anastasov wrote:
> > +       //clear the DF bit so the kernel will frag the packet
> > +       old_iph->frag_off = 0;
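
Review bot: old_iph->frag_off = 0 does more than the comment above it says: it zeroes the whole field, so the MF flag and the fragment offset of the inner header are lost along with DF, and no header checksum update is visible after the write. Mask only the flag, for example old_iph->frag_off &= ~htons(IP_DF); followed by ip_send_check(old_iph), or leave the client's header untouched and skip the ICMP "need frag" path with an explicit condition instead. The // comment should also be /* ... */ to match kernel style.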
> 
>       Can you identify which of your both changes helps in
> your case. I guess the above change does not play at all,

I'm pretty sure the only reason I set 'old_iph->frag_off = 0' was to
cause the following "if" statement to evaluate as false in order to
prevent the icmp dest unreach/need frag packet from being transmitted.

> > -       iph->frag_off           =       df;
> > +       iph->frag_off           =       0;
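
Review bot: hardcoding iph->frag_off = 0 on the outer header discards the df value for every tunnelled packet, so PMTUD on the tunnel leg is switched off unconditionally for all real servers. Keep iph->frag_off = df as the default and select 0 only under a configuration switch (such as the global sysctl proposed in this thread), and check whether df still has another user after the change so it is not left as an unused variable.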

And that's what gets the kernel to frag it once the skb is sent.

>       Can you clarify details for your setup, do you
> have lower MTU in the path to your real server?

No, everything is 1500 ethernet in our current use case.  The goal is
to have a lvs-tun config which allows a flexible network design without
having to rely on selective MSS fixup on the RIPs or that the ICMP frag
needed packets will actually reach the client.

Let me see what I can do about testing your patches, although I think a
global sysctl variable is probably the easiest solution.

>       As a next step may be we can add global sysctl var
> to force Disable for IPVS-TUN PMTUD (your second change),
> it will take effect for all real servers. It will be
> needed if problem is caused by ICMP filtering in
> leg 1 (above case 1). Not sure if there is some netfilter
> mangling feature that can clear the outer DF for our
> IPIP packets in OUTPUT hook.

I wasn't able to find any, as this was another possible solution to the
problem and could be generally useful in other circumstances as well. 
Cisco supports this in combination with ipsec tunnels to allow the
router to frag the packet regardless of the original DF bit setting.

-- 
Kelsey Cummings - kgc@xxxxxxxxxxxxxx      sonic.net, inc.
System Architect                          2260 Apollo Way
707.522.1000                              Santa Rosa, CA 95407
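
The frag_off handling discussed in this thread, as an added userspace example that is not part of the original message or of the IPVS patch: it clears only DF in an IPv4 header while preserving MF and the fragment offset, refreshes the header checksum, and checks whether a packet still fits the MTU once the 20-byte IPIP outer header is added. All function names and the sample header bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_DF       0x4000u /* Don't Fragment flag inside frag_off */
#define IPIP_OVERHEAD 20u     /* outer IPv4 header without options */

/* Constructed sample inner header: total length 1500, DF|MF set, offset 0x10. */
static const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x05, 0xdc, 0x12, 0x34, 0x60, 0x10, 0x40, 0x06,
    0x00, 0x00, 0xc0, 0x00, 0x02, 0x01, 0xc6, 0x33, 0x64, 0x02 };

/* RFC 1071 one's-complement checksum over an IPv4 header. */
static uint16_t ipv4_hdr_csum(const uint8_t *h, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)h[i] << 8) | h[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

static uint16_t get_frag_off(const uint8_t *h) { return (uint16_t)((h[6] << 8) | h[7]); }

/* Clear DF only: MF and the fragment offset survive, checksum is refreshed. */
static void clear_df_only(uint8_t *h)
{
    size_t ihl = (size_t)(h[0] & 0x0f) * 4;
    uint16_t fo = (uint16_t)(get_frag_off(h) & ~IPV4_DF);
    h[6] = (uint8_t)(fo >> 8);
    h[7] = (uint8_t)(fo & 0xff);
    h[10] = h[11] = 0;            /* checksum field must be zero while summing */
    uint16_t csum = ipv4_hdr_csum(h, ihl);
    h[10] = (uint8_t)(csum >> 8);
    h[11] = (uint8_t)(csum & 0xff);
}

/* 1 if the inner packet still fits the MTU once the outer header is added. */
static int ipip_fits(unsigned inner_len, unsigned mtu) { return inner_len + IPIP_OVERHEAD <= mtu; }

int main(void)
{
    uint8_t h[20];
    memcpy(h, sample_hdr, sizeof(h));
    clear_df_only(h);
    printf("frag_off=0x%04x csum_ok=%d fits=%d\n", get_frag_off(h), ipv4_hdr_csum(h, sizeof(h)) == 0, ipip_fits(1500, 1500));
    return 0;
}
```

A full-size 1500-byte inner packet does not fit a 1500-byte link after encapsulation, which is why the outer header's DF setting decides between fragmentation and an ICMP "need frag" reply.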
