Questions about LVS-TUN
Bill Omer
bill.omer at gmail.com
Tue Dec 12 18:35:33 GMT 2006
On 12/12/06, Joseph Mack NA3T <jmack at wm7d.net> wrote:
> On Tue, 12 Dec 2006, Bill Omer wrote:
>
> > Currently I am using LVS-DR with much success. One part I would
> > like to build upon is the reals' dependency on iptables using the
> > nat table to accept VIP traffic. I would like to find a way to allow
> > the reals to accept VIP traffic without any modifications to the
> > reals themselves.
> >
> > I am using the following on all of my reals to access traffic with a DST of
> > VIP:
> > iptables -t nat -A PREROUTING -d VIP -p tcp --dport 0:65535 -j REDIRECT
>
> This may not be doing what you want. As of the 2.4 kernels
> the packet doesn't arrive with IP==VIP anymore. See the
> HOWTO for transparent proxy. This is OK for squids but not
> for LVS.
>
I'll check the howto.
> > Scenario (assuming wlc):
> > A real boots but for some reason, the iptables are not applied.
>
> You want LVS to handle both iptables applied/not applied?
> You haven't explained why so I don't know how important this
> is. If it's an error situation, then you're better off
> fixing the error at its cause, than handling it later. No
> machine should be in a state where iptables hasn't been run,
> if you told it to run.
*Should* be run, yes, I agree. However, I did run into a situation
where this did happen, which is far from the fault of LVS itself,
but it is the reasoning for why I want to find a new solution.
>
> > Now
> > mon/keepalived sees the real is now responding again and re-adds the
> > server back to the ipvsadm table. Since this real doesn't have any
> > active connections, all new connections are routed to this real.
>
> rr helps here. Still the thundering herd problem has to be
> handled in user space (until someone writes a fix).
Implementing LVS in this environment was to get around using DNS-based
Round Robin, so this would be counterproductive.
> > Since the iptable rules did not run, now the service the client is
> > trying to access is completely unavailable.
> >
> >
> > I am not able to use LVS-NAT in my environment. I would like to find a
> > way to have VIP traffic routed to the reals without needing any
> > modifications to the reals themselves, much like commercial load
> > balancers work.
>
> maybe I don't understand your situation, but unless you
> handle the arp problem, traffic will go to the realservers.
>
Traffic does go to the realservers, but the DST is that of the VIP.
There has to be modifications to the realserver in order for it to
accept that traffic.
>
> > Is LVS-TUN able to do this?
>
> I don't know what "this" is.
I want to find a way for LVS to route traffic to a real server while
the real is operating as a regular, stand-alone server, without any
modifications. I don't want to change the default route or add iptables
rules to the real server.
> > Would the reals require a tunl0 interface
> > as well as the director?
>
> for LVS-Tun, only the realserver requires a tunl0 device
> (the director doesn't because traffic is one-way).
>
> Joe
>
Regards,
-Bill
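Joe's point above is that with LVS-Tun only the realserver needs a tunl0 device carrying the VIP, and that the arp problem still has to be handled on the realserver. The read-only audit below is an added example, not code from the thread or from the LVS project; the VIP 192.0.2.10, the LAN device eth0, and the choice of arp_ignore/arp_announce to keep the realserver from answering ARP for the VIP are assumptions.

```shell
#!/bin/sh
# Read-only audit of a realserver for LVS-Tun (added example, not from the thread).
# Per the thread: only the realserver needs tunl0, carrying the VIP as /32, and the
# realserver must not answer ARP for the VIP on the LAN (the "arp problem").
# Assumptions (not from the original mail): VIP 192.0.2.10, LAN device eth0, and
# arp_ignore/arp_announce as the chosen way to hide the VIP from LAN ARP.

# Print a sysctl value, or "missing" when the key does not exist.
sysval() { sysctl -n "$1" 2>/dev/null || echo missing; }

# Succeed only if tunl0 exists and carries VIP/32.
vip_on_tunl0() {
  ip -o -4 addr show dev tunl0 2>/dev/null | grep -q " inet $1/32 "
}

# Check one realserver: $1 = VIP, $2 = LAN device receiving encapsulated packets.
# Prints one line per finding and returns 0 only if every check passes.
check_tun_realserver() {
  vip=$1; lan=$2; rc=0
  if vip_on_tunl0 "$vip"; then
    echo "ok   tunl0 carries $vip/32"
  else
    echo "FAIL tunl0 missing or does not carry $vip/32"; rc=1
  fi
  # Decapsulated packets have DST=VIP but enter via tunl0; strict rp_filter drops them.
  if [ "$(sysval net.ipv4.conf.tunl0.rp_filter)" = 0 ]; then
    echo "ok   rp_filter disabled on tunl0"
  else
    echo "FAIL rp_filter must be 0 on tunl0"; rc=1
  fi
  # arp_ignore=1: answer ARP only for addresses configured on the receiving device,
  # so ARP for the VIP arriving on the LAN device is ignored (the VIP lives on tunl0).
  # arp_announce=2: never use the VIP as the source address in our own ARP requests.
  if [ "$(sysval net.ipv4.conf.$lan.arp_ignore)" = 1 ] &&
     [ "$(sysval net.ipv4.conf.$lan.arp_announce)" = 2 ]; then
    echo "ok   $lan does not expose the VIP via ARP"
  else
    echo "FAIL set net.ipv4.conf.$lan.arp_ignore=1 and arp_announce=2"; rc=1
  fi
  return $rc
}

# Usage: sh lvs-tun-check.sh 192.0.2.10 eth0
if [ $# -eq 2 ]; then
  check_tun_realserver "$1" "$2"
fi
```

A non-zero exit from check_tun_realserver is what a monitor such as mon or keepalived could use to keep a misconfigured real out of the ipvsadm table, which addresses the boot-time scenario described in the mail.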