LVS-DR w/ fwmarks and no VIP on director

Joseph Mack mack.joseph at
Thu Apr 8 15:55:15 BST 2004

Sheldon Hearn wrote:
> On Thu, 2004-04-08 at 15:17, Joseph Mack wrote:
> > > Yeah, I just can't see it at all.  I've read HOWTO.fwmark and section
> > > 8.2. (Routing to and accepting packets by a VIP-less director), and I
> > > don't see anything that turns on a light bulb above my head. :-)
> >
> > You need to arrange for the director to accept packets for the VIP. With
> > 2.0 and 2.2 this was done with transparent proxy. The 2.4 TP doesn't work
> > for 2.4 for LVS and you need to apply a patch to get it to work.
> Oooooh, then I really _did_ misunderstand quite horribly.  I thought it
> was possible to produce a VIP-less director, but that changes in the 2.4
> kernel had made this (VIP-less director) incompatible with transparent
> proxy.  I didn't realize that transparent proxy is actually the
> mechanism through which a VIP-less director is possible!

I'll fix the HOWTO

It would be better if TP wasn't needed and LVS would accept the
packet (ipvsadm already knows that packets with a particular fwmark
are LVS packets), but Julian says there's a bit of work involved and with
few people using fwmark, there isn't much motivation for
him to code it up.

> Damn, that's a bit of a spanner in the works.  But not completely
> unmanageable, I guess.  I'll ask Google for a way to configure whole
> ranges of aliases on network interfaces on Linux.

you can put on a NIC. There is a note from Ted Pavlic 
on doing this. I think it's really nasty myself, but you can
test your setup with it.

> > > The real trouble will come when I have to figure out how to get the
> load
> > > balancers on the other side of the Zorp cluster to ensure that return
> > > traffic goes back through the proxy it came in through. :-)
> >
> > I have not a clue what this means.
> Well, I'm building a cluster of transparent TCP proxy hosts.  Since the
> TCP proxies are bidirectional, it's important that all the traffic
> associated with a single TCP connection pass through a single TCP proxy
> host.

-dh scheduler? (maybe, not sure that I understand your situation yet).
> Therefore, not only do I need a load balancer between the proxies and
> the outside world, but I also need a load balancer between the proxies
> and the protected, interior hosts.  The interior load balancer will have
> to keep track of the Ethernet source address of the proxy host
> associated with each tracked connection, so that return traffic from the
> protected, interior hosts passes out through the correct proxy host.

hmm, hopefully you can solve this with routing (I don't know that you can,
it's just a hope). In case you need inspiration try

Joseph Mack PhD, High Performance Computing & Scientific Visualization
SAIC, Supporting the EPA Research Triangle Park, NC 919-541-0007
Federal Contact - John B. Smith 919-541-1087 - smith.johnb at

More information about the lvs-users mailing list