[lvs-users] ipvsadm and packets leaving a gre tunnel

Joseph Mack NA3T jmack at wm7d.net
Fri Aug 1 17:17:29 BST 2008 

On Fri, 1 Aug 2008, Marco Lorig wrote:

>> With the tunnel in place, can you initiate an outbound 
>> SSH connection from the realserver to the client machine? 
>> Are you absolutely sure that the path this will follow 
>> the same route as the data from the realserver under 
>> normal conditions?
>>
>> I have a sneaking feeling that the realserver is sending 
>> packets of 1460 bytes (ethernet MTU less L2 framing) but 
>> the "secondary" director, ie. the tunnel endpoint at the 
>> realserver's end, is dropping them because they don't fit 
>> inside the tunnel.
>
> I do a scp both times only from the client to the server:
>
> client:# scp file root at IPVSADM-address:/tmp/
>
> This works. The client sends the first packets with a mtu 
> which doesn´t fit into the tunnel and recieves ICMP 
> UNREACHABLE Need to fragment.
>
> client:# scp root at IPVSADM-address:/tmp/file .
>
> This doesn´t work. The Realserver tries to send packets 
> which doesn´t fit into the tunnel but DOES NOT receive any 
> ICMP packet.

so ip_vs() is not handling icmp correctly at least for 
LVS-NAT. Thanks for tracking this down. icmp handling has 
been built into LVS since the really early days. I doubt if 
gre was in anyone's mind at the time. I think it was mostly 
for host unreachable.

Horms, Julian,

Is there a fix for this?

> I tried setting sysctl nat_icmp_send to 1 but that doesn´t 
> change the behaviour at all.

ip_vs() does its own nat'ing, so using commands from 
iptables will not help.

Joe

> There was only one attempt which worked (the realserver 
> got an ICMP UNREACHABLE NEED TO FRAG)  but unfortunately I 
> can´t reproduce it.
>
> So the realserver is never going to realise that it´s 
> packets are too big.
>
> I think, that´s the gist of the matter.
>
> Any ideas?
>
> Thanks in advance.
> Have a nice weekend.
>
> cheers
>
> Marco
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> Send requests to lvs-users-request at LinuxVirtualServer.org
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!

More information about the lvs-users mailing list