SNAT Confusion
Rodre Ghorashi-Zadeh
rodrico7 at hotmail.com
Fri Mar 16 18:33:47 GMT 2007
Hello and thanks to the both of you for your replies,
In getting closer to a solution:
>Exactly as I was before. Then I reread all Julian's writings on this matter
>and understood that saying SNAT he meant changing RIP source address back
>to VIP on packets traversing LVS-NAT director back to clients (OUT
>direction).
I understand that Julian's patch will not help me, but in trying to put an
end to my confusion:
Doesn't the LVS-NAT automatically change the RIP source address back to the
VIP address as it traverses the director by default (without the NFCT
patch)?
>Yes, exactly, and not only SNAT, but full conntrack as well. But please
>remember, this is my own solution, not supported by LVS people in any way,
>and not yet commented by them, so it may stop working for future versions
>of IPVS.
This patch didn't look very big so I manually made the inclusions to the
ip_vs_core.c file, which compiled and to the ip_vs_xmit.c, which didn't
compile, on a centos 2.6.9 based kernel. Not surprisingly it didn't work. I
tried to patch both a 2.6.17 and 2.6.19 fedora 5 based kernel and the patch
failed on both during the patch of the ip_vs_xmit.c phase:
in ip_vs_xmit.c.rej:
----------------Start----------------
***************
*** 127,133 ****
#define IP_VS_XMIT(skb, rt) \
do { \
- (skb)->ipvs_property = 1; \
(skb)->ip_summed = CHECKSUM_NONE; \
NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, (skb), NULL, \
(rt)->u.dst.dev, dst_output); \
--- 127,132 ----
#define IP_VS_XMIT(skb, rt) \
do { \
(skb)->ip_summed = CHECKSUM_NONE; \
NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, (skb), NULL, \
(rt)->u.dst.dev, dst_output); \
------------End-------------------
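Review bot: the deleted `(skb)->ipvs_property = 1;` line at 127,133 sits inside the shared IP_VS_XMIT macro, so the flag stops being set for every caller that expands the macro, not for one forwarding method only. If only some transmit paths are meant to lose the flag, make the assignment conditional instead of deleting it, and add a comment above the macro stating why the skb is no longer marked before the NF_IP_LOCAL_OUT hook runs. The hunk also depends on the assignment being the first statement after `do { \`; a tree whose macro body differs at that point will reject it, so a hand-applied version should be checked against the full patch rather than this fragment alone.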
So I manually made the changes to both files on a 2.6.19 fedora 5 based
kernel and compiled without errors, but it doesn't seem to be working. So my
questions regarding the "Janusz" patch are:
What are the chances of getting a back port of this patch to a 2.6.9 based
kernel? This would help both Redhat 4 and CentOS 4 users. (Sorry, I had to
ask).
Do you think this patch will work on a 2.6.19 kernel or a fedora 2.6.17
kernel ? If not can you provide a link to the latest kernel version that
this patch is known to work with?
Thanks for all your help.
~Rod
>From: Janusz Krzysztofik <jkrzyszt at tis.icnet.pl>
>To: "LinuxVirtualServer.org users mailing list."
><lvs-users at LinuxVirtualServer.org>
>CC: rodrico7 at hotmail.com
>Subject: Re: SNAT Confusion
>Date: Fri, 16 Mar 2007 12:19:45 +0100
>
>Rodre Ghorashi-Zadeh wrote:
>>I am totally confused about the whole SNAT, snat_reroute, NFCT, etc. I
>>have downloaded Julian's NFCT patch for my kernel (centos 4.4
>>2.6.9-42.0.10.ELsmp), patched/built/installed the kernel, echoed 1 >
>>/proc/sys/net/ipv4/vs/conntrack & and snat_reroute, wrote an iptables rule
>>that looks like this: iptables -t nat -A POSTROUTING -p tcp -s $MYIP -d
>>$RIP --dport $SOMEPORT -j SNAT --to-source $DEFAULTGATE, sent the
>>appropriate traffic that should get caught and manipulated by the previous
>>rule, experienced no results ...
>
>Exactly as I was before. Then I reread all Julian's writings on this matter
>and understood that saying SNAT he meant changing RIP source address back
>to VIP on packets traversing LVS-NAT director back to clients (OUT
>direction).
>
>>... does the patch provided by Janusz Krzysztofik at
>>http://www.icnet.pl/download/ip_vs_dr-conntrack.patch allow you to at
>>least do an iptables style SNAT to LVS-DR type packets?
>
>Yes, exactly, and not only SNAT, but full conntrack as well. But please
>remember, this is my own solution, not supported by LVS people in any way,
>and not yet commented by them, so it may stop working for future versions
>of IPVS.
>
>Julian, Joe, Horms, maybe others, could you please share your opinions on
>this matter?
>
>Thanks,
>Janusz
>