Director not sending icmp unreachable to expired clients

Janusz Krzysztofik jkrzyszt at tis.icnet.pl
Mon Jan 22 18:26:36 GMT 2007


Joe, Julian,

Thanks for your answers.

Joseph Mack NA3T wrote:
>> ... clients are not notified after their connections expire.
> hmm, expire == timeout?

Neither after timeout nor immediately when expire_nodest_conn is set.

> does the client get a new realserver?

Yes, unless it happened that subsequent packets were no longer correctly
marked with iptables, but that was my non-standard use, of course.

> Why does the client need to know that the old realserver is no longer there?

The new realserver just drops packets from affected clients until they do
rekey (every 8 hours by default).

>> ... I could not find any piece of code in the IPVS sources (linux 2.6.18) 
>> that would generate such error responses....
> Well there used to be icmp error handling code there.

I can find only two places where icmp_send() is used for the purpose of
generating a port unreachable message:
- inside ip_vs_leave(), used in an overload case,
- inside ip_vs_out(), serving opposite direction.

Julian Anastasov wrote:
> 	So, for the problem in original posting: the IPVS users
> that need to send ICMP replies for VIPs should configure the VIPs
> in director. I'm not sure there will be another solution.

I managed to send icmp port unreachable originating from DIP using a
self-patched icmp_send() that checks for sysctl_ip_nonlocal_bind, but that
did not help my clients. Now I am going to try some logic used by
netfilter tcp_reset to originate the icmp packet from VIP.
I will let you know if this helps.

Cheers,
Janusz

