identd on VS-DR

Joseph Mack mack.joseph at epa.gov
Wed Jan 24 18:35:54 GMT 2001


Julian Anastasov wrote:

>         So, we can not query for VIP:VPORT-CIP:CPORT from RIP. I don't
> see a solution. The main restriction in the DR/TUN setups where the VIPs
> are shared is: only one host can initiate connections with a shared
> address - the director in our setup. If the real servers initiate
> connections they can autoselect source ports for the IDENT requests
> that are busy in the director. May be some form of NAT in the real
> server is required that will translate the VIP to some unused valid
> RIP2 and will pass the connection to the director for masquerading.
> The trick is that only the VIP must be changed to RIP2 but preserving
> the port value. It is assumed that there are no ports used for RIP2.
> Why we send the request through the director. Because we need a valid
> free port for the VIP address and the director is the only authority
> for this port.
> 
>         How to change saddr=VIP to RIP2? May be with netfilter?
> May be with dumb nat? We can investigate this if the above idea is
> correct.

Seems OK to me and this is what I was wondering. If you can port forward, it
would seem possible to IP forward. I don't know how you can NAT within
one box and I don't know how to get netfilter to change packets with
saddr=vip:high_port to rip:high_port for outbound and to do the reverse
for inbound packets.

Joe


-- 
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center, 
mailto:mack.joseph at epa.gov ph# 919-541-0007, RTP, NC, USA
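The source-port problem Julian describes, and the RIP2-via-director fix, as an added example that is not code from the lvs-users thread or the LVS project. The addresses, ports and the director's connection-table model are constructed and simplified: the director is treated as the sole authority for VIP ports, and a collision means the real server's self-chosen IDENT source port matches a VIP:VPORT-CIP:CPORT tuple the director is already forwarding.

```python
"""Model of the LVS-DR IDENT source-port collision (constructed example).

Addresses and ports below are made up. The director owns all VIP ports;
a real server that sends an IDENT (TCP 113) query from VIP with a source
port it picked itself may reuse a port the director is already forwarding.
The proposed fix: rewrite saddr VIP -> RIP2 keeping the port, and let the
director masquerade RIP2:port to a free VIP port.
"""
VIP, RIP2, CLIENT = "10.0.0.1", "192.168.0.2", "203.0.113.7"
IDENT = 113


class Director:
    """Tracks forwarded connections keyed on (vip_port, client_ip, client_port)."""

    def __init__(self):
        self.table = set()

    def accept(self, vport, cip, cport):
        self.table.add((vport, cip, cport))

    def vip_port_busy(self, vport, cip, cport):
        return (vport, cip, cport) in self.table

    def masquerade(self, sport, cip, cport):
        """RIP2:sport -> VIP:free_port; the director picks the free port."""
        free = sport
        while self.vip_port_busy(free, cip, cport):
            free += 1
        self.accept(free, cip, cport)
        return VIP, free


def real_server_ident_query(director, chosen_port, cip, via_director):
    """Return ((saddr, sport), collides) as seen from the client side.

    via_director=False: real server sends from VIP with its own port.
    via_director=True:  saddr rewritten VIP -> RIP2 (port kept), then the
                        director masquerades it to VIP:free_port.
    """
    if not via_director:
        collides = director.vip_port_busy(chosen_port, cip, IDENT)
        return (VIP, chosen_port), collides
    # Hypothetical NAT step on the real server: VIP:chosen_port -> RIP2:chosen_port
    rewritten = (RIP2, chosen_port)
    saddr, sport = director.masquerade(rewritten[1], cip, IDENT)
    return (saddr, sport), False
```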



