FW: Problems with LVS-DR/FWMARK and director as gateway
garver at valkyrie.net
Wed Aug 8 17:58:10 BST 2001
Thanks for the very fast response.
> > martian problem. I then read about fwmark. As I understand it, fwmark
> > promises to work around the martian problem and provide greater
> > when grouping services. So I configured LVS for fwmark and got
> > stuck. A
> This is not true. fwmark can be used for two (known) purposes:
> - as a routing key (if you use it in your ip rules)
> - as a higher-layer key (if you use it in your ipvs rules, for example)
> You can't avoid the source spoofing checks by using fwmarks
> or at least I don't know of such a trick.
I got the idea that I could do this from the HOWTO, in fact it explicitly
says the following:
"9.9 fwmark allows LVS-DR director to be default gw for realservers
--> If a LVS-DR director is accepting packets by fwmarks, then it does not
have a VIP. <-- The director can then be the default gw for the realservers
(see LVS-DR director is default gw for realservers)."
I don't want to whine about the HOWTO. In fact, I found the
HOWTO to be an excellent source of information. Thank you very much,
This section confused me because it implies a connection between fwmarks and
local delivery requirement. But I know now that fwmarks still require the
to be delivered locally. The VIP can be removed with or without fwmarks.
> You can route traffic to gateways. This is the way your packets
> hit the other end of the world. The routers forward the traffic for
> addresses that are not local. Every box can receive packets for non-local
> addresses. Then there are many methods to treat this traffic as locally
> destined: ipchains -j REDIRECT, ip route add table XXX local 0/0 dev lo,
The ip route did the trick. Thank you. I had tried something similar
but missed the "local." Oh, so close! :-)
Thanks again for the quick response and the help! All is right in my world
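
The setup this thread converges on (fwmark as the routing key in an ip rule, a "local" route in that table, and the same mark as the ipvs key), sketched as an added example that is not part of the original messages. The addresses, mark value, table number and the use of iptables for marking are assumptions.

```shell
#!/bin/sh
# Added example. Constructed values (assumptions): VIP 192.0.2.10:80,
# fwmark 1, routing table 100, realservers 10.0.0.2 and 10.0.0.3.
# Marking with iptables is also an assumption; the thread predates it.

# Print the director-side commands for an LVS-DR service keyed on a fwmark.
# Nothing is executed; review the output, then pipe it to sh as root.
lvs_dr_fwmark_cmds() {
    [ $# -ge 5 ] || { echo "usage: vip port mark table rip..." >&2; return 1; }
    vip=$1; port=$2; mark=$3; table=$4
    shift 4
    # Strict input checks: the output is meant to be fed to a root shell.
    for n in "$port" "$mark" "$table"; do
        case $n in ''|*[!0-9]*) echo "not numeric: $n" >&2; return 1 ;; esac
    done
    for a in "$vip" "$@"; do
        case $a in ''|*[!0-9.]*) echo "not an IPv4 address: $a" >&2; return 1 ;; esac
    done

    # 1. Mark packets addressed to the VIP. The director holds no VIP itself.
    echo "iptables -t mangle -A PREROUTING -d $vip/32 -p tcp --dport $port -j MARK --set-mark $mark"
    # 2. fwmark as a routing key: marked packets consult a separate table.
    echo "ip rule add fwmark $mark table $table"
    # 3. The "local" route: everything looked up in that table is delivered
    #    locally, so ipvs sees packets for an address the box does not own.
    echo "ip route add local 0/0 dev lo table $table"
    # 4. fwmark as the ipvs key: a virtual service on the mark, with
    #    realservers reached by direct routing (-g).
    echo "ipvsadm -A -f $mark -s rr"
    for rip in "$@"; do
        echo "ipvsadm -a -f $mark -r $rip -g"
    done
}

lvs_dr_fwmark_cmds 192.0.2.10 80 1 100 10.0.0.2 10.0.0.3
```

As the quoted reply states, the mark does not bypass the source spoofing checks; it only selects the routing table and the ipvs service.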