[RFC PATCH] Using LVS as a way to provide load-balanced internet

Ludo Stellingwerff ludo at protactive.nl
Thu Aug 4 06:40:01 BST 2005


Horms wrote:

> I had a brief look over the patches and they seem ok to me. Except
> that I am not clear on the motivation of the following hooks.
> Doesn't this mean that ip_vs_in is registered in three separate
> places? Is this actually what you need?
Yes, as I try to redirect forwarded traffic (with addresses not local
to the director), I need to hook into NF_FORWARD. Ideally this has to
be a separate ip_vs_forward_in function, but these patches are a
proof of concept.
This new ip_vs_forward_in function should be limited to matching fwmarks.

Flow with these patches:
incoming packet -> PRE_ROUTING -> FORWARD -> ip_vs_in (returning
NF_ACCEPT, after changing skb->dst) -> POSTROUTING -> outgoing packet.

I'm also looking at the possibility of using the iptables REDIRECT
target to get rid of the forwarding hook and use the normal ip_vs_in,
but I'm not yet sure this will not mangle the original packet (it
should not lose the original destination data). At least reinject
should then be changed to return NF_STOLEN on the INPUT hook, and call
ip_forward() to get the packet on its way again.

The flow for the packet will then become:
incoming packet -> PRE_ROUTING (REDIRECT)-> INPUT -> ip_vs_in
(returning NF_STOLEN, sending packet to ip_forward()) -> FORWARD ->
POSTROUTING -> outgoing packet.


--
Ludo Stellingwerff

V&S B.V. The Netherlands
ProTactive firewall solution.
Tel: +31 172 416116
Fax: +31 172 416124

site: www.protactive.nl
demo: http://www.protactive.nl:81/netview.html
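The two packet flows laid out in the message above, as an added userland model of the netfilter hook traversal (this is not code from the patches, from LVS or from the Linux kernel; it only reproduces the verdict semantics and the order of hook points). The addresses, the one-address "director", the fwmark value and the way REDIRECT is assumed to keep the original destination in a side field are all assumptions made for the model; the real REDIRECT target's behaviour on that point is exactly what the author says is still unverified.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Netfilter verdicts (same values as the Linux uapi) */
#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2

enum hook { PRE_ROUTING, LOCAL_IN, FORWARD, POST_ROUTING, NUM_HOOKS };
static const char *hook_name[NUM_HOOKS] = { "PRE_ROUTING", "LOCAL_IN", "FORWARD", "POST_ROUTING" };

/* Hypothetical addresses, used by this model only */
#define DIRECTOR_IP 0x0a000001u /* 10.0.0.1: the only address local to the director */
#define VIP         0xc0a8010au /* 192.168.1.10: virtual service, NOT local to the director */
#define REAL_SERVER 0x0a000164u /* 10.0.1.100 */
#define LVS_FWMARK  1u

struct pkt {
    uint32_t daddr;       /* IP header destination */
    uint32_t orig_daddr;  /* assumed side storage filled by REDIRECT in design B */
    uint32_t nexthop;     /* stands in for skb->dst, the route chosen for the packet */
    uint32_t fwmark;
    char trace[256];      /* hook points and functions visited, in order */
};

typedef int (*hookfn)(struct pkt *);
static hookfn hooks[NUM_HOOKS][4];
static int nhooks[NUM_HOOKS];

static void tr(struct pkt *p, const char *s)
{
    if (p->trace[0]) strncat(p->trace, " ", sizeof p->trace - strlen(p->trace) - 1);
    strncat(p->trace, s, sizeof p->trace - strlen(p->trace) - 1);
}

/* Run every function registered at a hook point; the first non-ACCEPT verdict ends traversal */
static int run_hook(enum hook h, struct pkt *p)
{
    tr(p, hook_name[h]);
    for (int i = 0; i < nhooks[h]; i++) {
        int v = hooks[h][i](p);
        if (v != NF_ACCEPT) return v;
    }
    return NF_ACCEPT;
}

/* Forward path: FORWARD hook, then POSTROUTING, then out on the wire */
static int ip_forward(struct pkt *p)
{
    if (run_hook(FORWARD, p) != NF_ACCEPT) return 0;
    if (run_hook(POST_ROUTING, p) != NF_ACCEPT) return 0;
    tr(p, "out");
    return 1;
}

/* Receive path: PREROUTING, routing decision, then INPUT (local address) or forward */
static int ip_rcv(struct pkt *p)
{
    if (run_hook(PRE_ROUTING, p) != NF_ACCEPT) return 0;
    if (p->daddr == DIRECTOR_IP) {
        int v = run_hook(LOCAL_IN, p);
        if (v == NF_ACCEPT) tr(p, "local-deliver");
        return v != NF_DROP;   /* NF_STOLEN: the hook owns the packet and has already handled it */
    }
    p->nexthop = p->daddr;
    return ip_forward(p);
}

/* mangle-style MARK rule: tag traffic addressed to the virtual service */
static int mark_vip(struct pkt *p)
{
    if (p->daddr == VIP) p->fwmark = LVS_FWMARK;
    return NF_ACCEPT;
}

/* Design A (the posted patches): fwmark-only match at NF_FORWARD, re-route by
 * replacing the dst, return NF_ACCEPT so the packet continues to POSTROUTING. */
static int ip_vs_forward_in(struct pkt *p)
{
    if (p->fwmark != LVS_FWMARK) return NF_ACCEPT;
    tr(p, "ip_vs_forward_in");
    p->nexthop = REAL_SERVER;
    return NF_ACCEPT;
}

/* Design B: REDIRECT at PREROUTING points the packet at the director so routing
 * selects INPUT. Assumption of this model: the original destination survives. */
static int redirect_to_local(struct pkt *p)
{
    if (p->fwmark != LVS_FWMARK) return NF_ACCEPT;
    tr(p, "REDIRECT");
    p->orig_daddr = p->daddr;
    p->daddr = DIRECTOR_IP;
    return NF_ACCEPT;
}

/* Design B: ip_vs_in at INPUT steals the packet, restores the destination and
 * reinjects it through ip_forward(), as the message proposes. */
static int ip_vs_in_stolen(struct pkt *p)
{
    if (p->fwmark != LVS_FWMARK) return NF_ACCEPT;
    tr(p, "ip_vs_in(NF_STOLEN)");
    p->daddr = p->orig_daddr;
    p->nexthop = REAL_SERVER;
    ip_forward(p);
    return NF_STOLEN;
}

static void new_pkt(struct pkt *p) { memset(p, 0, sizeof *p); p->daddr = VIP; }
static void add_hook(enum hook h, hookfn fn) { hooks[h][nhooks[h]++] = fn; }

int run_design_a(struct pkt *p)
{
    memset(nhooks, 0, sizeof nhooks); new_pkt(p);
    add_hook(PRE_ROUTING, mark_vip);
    add_hook(FORWARD, ip_vs_forward_in);
    return ip_rcv(p);
}

int run_design_b(struct pkt *p)
{
    memset(nhooks, 0, sizeof nhooks); new_pkt(p);
    add_hook(PRE_ROUTING, mark_vip);          /* mangle runs before nat, as in netfilter */
    add_hook(PRE_ROUTING, redirect_to_local);
    add_hook(LOCAL_IN, ip_vs_in_stolen);
    return ip_rcv(p);
}

int main(void)
{
    struct pkt p;
    run_design_a(&p); printf("A: %s\n", p.trace);
    run_design_b(&p); printf("B: %s\n", p.trace);
    return 0;
}
```

Both designs end with the same result (destination still the VIP, next hop the real server), but design B only does so because the model hands the original destination across the REDIRECT; if the real target does not preserve it, the INPUT-side ip_vs_in has nothing to restore, which is the check to make before dropping the FORWARD hook.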

