SNAT Confusion

Janusz Krzysztofik jkrzyszt at tis.icnet.pl
Wed Mar 21 12:00:28 GMT 2007


Rodre Ghorashi-Zadeh wrote:
> I am using LVS-DR and not LVS-NAT.

So what did you mean by saying:
>>> realserver1 client (10.0.0.1:2777) -> director VIP (10.0.0.200:389)
>>> -> DNAT 10.0.0.200:389 to 10.0.0.1:389 ...
I assumed this "DNAT" is LVS-NAT. If it is netfilter DNAT, it happens in 
the nat PREROUTING hook, so how would your packets be processed by the LVS 
INPUT hook, which expects the VIP as destination address? Please give more 
details on your setup if there are any not mentioned yet, or think it over 
again.

> I tried this with your SNAT patch in
> place but it wasn't working, even though I could see the packets being 
> SNAT-ed to the "token" ip address, both in the iptables counters and 
> with tcpdump.
> 
Could you see replies as well? If you see them coming into the director 
and not leaving it, we have already suggested they could be dropped 
because their source address (VIP) matches one of the director's own 
addresses. Could you please confirm or deny whether this is still true in 
your setup?

> Also, I tried SNAT-ing the initial request from the realserver to a 
> "token" ip address and used routing on the director in LVS-DR mode to 
> send the replies back to the client/realserver (your recommendation #3) 
> but this didn't work for me either.

Please be more specific. Trace your packets and describe what you can 
see and where they disappear.

> Could you explain this setup a
> little better?


Using unmodified LVS-NAT:

1. realserver1 client: connect from RIP1:* to DMAC:VIP:389, SNAT RIP1:* 
to token:* before sending

2. director: LVS-NAT VIP:389 to RIP1:389, send to RMAC1:RIP1:389

3. realserver1 service: accept, answer from RIP1:389 to DMAC:token:*

4. director: LVS-de-NAT RIP1:389 to VIP:389, send to RMAC1:token:*

5. realserver1 client: de-SNAT token:* to RIP1:*, accept.


Using unmodified LVS-DR:

1. realserver1 client: connect from RIP1:* to DMAC:VIP:389, but SNAT 
RIP1:* to token:* before sending (requirement: no VIP on the realserver)

2. director: LVS-DR send to RMAC1:VIP:389

3. realserver1 service: DNAT VIP:389 to RIP1:389, accept, answer from 
RIP1:389 to DMAC:token:*, de-DNAT RIP1:389 to VIP:389 before sending

4. director (or another router): route to RMAC1:token:*

5. realserver1 client: de-SNAT token:* to RIP1:*, accept.


Janusz
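The rule set that the "unmodified LVS-DR" steps 1 to 5 above describe, written out as an added example; it is not code from this thread or from the LVS project. It keeps the VIP 10.0.0.200 and RIP1 10.0.0.1 quoted earlier in the thread; the token address 10.0.0.250, the director side being realserver1's route to token, the LDAP port 389 and all function and variable names are assumptions. By default it only prints the commands (DRY_RUN=1); run it as root with DRY_RUN=0 on the director or the realserver to apply them.

```shell
#!/bin/sh
# Added example, not from the lvs-users thread: netfilter + IPVS rules for
# Janusz's "unmodified LVS-DR" steps 1-5, where realserver1 is also a client
# of the VIP. Addresses other than VIP/RIP1 are constructed assumptions.
VIP=10.0.0.200        # virtual IP: held by the director only (no VIP on realserver)
RIP1=10.0.0.1         # realserver1
TOKEN=10.0.0.250      # "token" address (assumption): must be unused on the LAN
PORT=389
DRY_RUN=${DRY_RUN:-1} # 1 = print the commands, 0 = execute them (needs root)

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Director: steps 2 and 4.
director_rules() {
    # Step 2: LVS-DR service VIP:389, realserver1 reached by direct routing (-g).
    run ipvsadm -A -t "$VIP:$PORT" -s rr
    run ipvsadm -a -t "$VIP:$PORT" -r "$RIP1:$PORT" -g
    # Step 4: replies addressed to token must be delivered to RMAC1 although
    # token is configured on no host; a /32 route via RIP1 does that.
    run ip route add "$TOKEN/32" via "$RIP1"
    # Caveat (Janusz's question above): a forwarded packet whose source is
    # one of the director's own addresses (VIP) is normally rejected as a
    # martian; on newer kernels net.ipv4.conf.<if>.accept_local controls this.
}

# realserver1: steps 1, 3 and 5.
realserver_rules() {
    # Step 1: the local client's connections to VIP leave with token as source.
    run iptables -t nat -A POSTROUTING -s "$RIP1" -d "$VIP" \
        -p tcp --dport "$PORT" -j SNAT --to-source "$TOKEN"
    # Step 3: packets forwarded by LVS-DR still carry VIP as destination and
    # there is no VIP here, so DNAT them to RIP1 before they reach INPUT.
    run iptables -t nat -A PREROUTING -d "$VIP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$RIP1:$PORT"
    # Step 3 (reply): the de-DNAT RIP1:389 -> VIP:389 is done by conntrack;
    # the reply (VIP:389 -> token:*) must go to DMAC, i.e. via the director.
    run ip route add "$TOKEN/32" via "$VIP"
    # Step 5: de-SNAT token:* -> RIP1:* on the returning packet is also done
    # by conntrack in PREROUTING, so nothing further is needed.
}

# Count how many emitted commands contain a given fixed string (dry-run check).
count_rules() {
    "$1" | grep -F -c -- "$2"
}

case "${1:-}" in
    director)   director_rules ;;
    realserver) realserver_rules ;;
esac
```

Trace with tcpdump on both hosts after applying it; the useful check is whether the VIP:389 -> token:* reply is seen leaving realserver1, entering the director, and leaving the director again towards RMAC1, which is exactly the question Janusz asks above.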
