[lvs-users] Real server refuses packets originated from itself and redirected by LVS
Ondrej.Rajmon at cuzk.cz
Thu Nov 5 16:27:00 GMT 2009
Hello,
Maybe my question is really about the Linux network subsystem in general, but nevertheless it is related to LVS.
My systems are RHEL5 and I have configured a load balancer running LVS (LB) and two real servers (RS1, RS2) with Apache. I use the DR configuration described in the Red Hat documentation, so the VIP is configured only on the LB. The real servers have only their real IPs configured, and acceptance of the balanced packets is accomplished by an iptables rule with the REDIRECT target:
iptables -t nat -A PREROUTING -p tcp -d <VIP> --dport 80 -j REDIRECT
When the connecting clients are external hosts, it works well. But when the client is on one of those real servers, it works only partially. For example:
- a client on RS1 connects to VIP -> LB redirects it to RS2 => it works fine
- a client on RS1 connects to VIP -> LB redirects it to RS1 => it doesn't work
When RS1 connects to itself through the VIP, the TCP connection is not established. Using tcpdump I can see that the SYN packet leaves RS1's interface and immediately arrives back, as it is redirected by the LB. So it looks fine and correct. But when watching the NAT PREROUTING table, the packet doesn't appear there. It seems as if the packet gets lost somewhere between the input interface and the PREROUTING hook. I don't understand ... Can anybody explain that behaviour?
I know this is not the standard usage of LVS and I have read the HOWTO section "LVS clients on Realservers". But the HOWTO discusses a different model, where the real servers have the VIP configured on their interfaces, so the problems solved there are different. What I want is to understand what happens in the system.
More info:
- IP addresses in the packet are OK (src=<IP RS1>, dst=<VIP>)
- MAC addresses in the packet are OK (the LB swaps the src and dst MACs as expected)
- iptables rules are empty except for the NAT PREROUTING chain (VIP=10.1.14.19, RS1=10.1.14.13):
# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
LOG        tcp  --  10.1.14.13           0.0.0.0/0            LOG flags 0 level 7 prefix `testnat-src'
REDIRECT   tcp  --  0.0.0.0/0            10.1.14.19           tcp dpt:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Ondrej
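The following shell script is an added example and is not part of Ondrej's post or of the LVS project. It covers two things from the post: it generates the realserver-side REDIRECT rule for an LVS-DR realserver that carries no VIP, and it gives a way to check, from RS1 itself, whether the SYN that the director bounces back is being dropped by the routing code as a "martian source" rather than somewhere in netfilter. Assumptions: the addresses from the thread (VIP 10.1.14.19, port 80), a 2.6-era kernel whose /proc/net/stat/rt_cache has a header row followed by one hexadecimal row per CPU, root and curl for the live mode, and a constructed rt_cache sample for the offline run.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: the VIP and port
# used in the thread, a 2.6-era kernel exposing /proc/net/stat/rt_cache (header
# row, then one hex row per CPU), and root plus curl for "live" mode. Everything
# except "live" mode runs offline on a constructed sample.

VIP="${VIP:-10.1.14.19}"
PORT="${PORT:-80}"

# Realserver-side rule for an LVS-DR realserver with no VIP on any interface:
# packets the director forwards still have dst=VIP, so REDIRECT them to the
# local Apache port. Generates the rule from the post for the given VIP/port.
rs_redirect_rules() {
    printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -j REDIRECT\n' "$1" "$2"
}

# Sum the in_martian_src counter over all CPU rows of /proc/net/stat/rt_cache,
# read from stdin so a saved copy can be analysed too. The column is located by
# name in the header row; values are hex, which POSIX awk cannot parse on its
# own, hence the small converter.
martian_src_total() {
    awk '
    function hex2dec(h,    i, n) {
        n = 0; h = tolower(h)
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
        return n
    }
    NR == 1 {
        for (i = 1; i <= NF; i++) if ($i == "in_martian_src") col = i
        next
    }
    col && NF >= col { total += hex2dec($col) }
    END { printf "%d\n", total + 0 }'
}

# Live check, run on RS1 as root: enable martian logging, open one connection
# to the VIP from this realserver, and see whether the kernel counted a martian
# source (a packet from the wire whose source address is local to this host).
check_self_connect() {
    before=$(martian_src_total < /proc/net/stat/rt_cache)
    sysctl -w net.ipv4.conf.all.log_martians=1 >/dev/null
    curl -s -m 3 "http://$VIP:$PORT/" >/dev/null 2>&1 || true   # assumption: curl is installed
    after=$(martian_src_total < /proc/net/stat/rt_cache)
    echo "in_martian_src before=$before after=$after"
    [ "$after" -gt "$before" ] && dmesg | grep -i 'martian source' | tail -n 3
    return 0
}

# Constructed sample of /proc/net/stat/rt_cache for two CPUs (not captured on
# the poster's machine): in_martian_src is the 8th column, 0x3 and 0xa here.
SAMPLE_RT_CACHE='entries  in_hit in_slow_tot in_slow_mc in_no_route in_brd in_martian_dst in_martian_src  out_hit out_slow_tot out_slow_mc  gc_total gc_ignored gc_goal_miss gc_dst_overflow in_hlist_search out_hlist_search
00000042  0000001a 00000005 00000000 00000000 00000001 00000000 00000003  00000010 00000004 00000000  00000000 00000000 00000000 00000000 00000000 00000000
00000042  0000000b 00000002 00000000 00000000 00000000 00000000 0000000a  00000008 00000002 00000000  00000000 00000000 00000000 00000000 00000000 00000000'

if [ "${1:-}" = "live" ]; then
    check_self_connect
else
    rs_redirect_rules "$VIP" "$PORT"
    printf '%s\n' "$SAMPLE_RT_CACHE" | martian_src_total    # 13 for the sample above
fi
```

Run it with no arguments to see the generated rule and the counter parsed from the constructed sample; run `sh script.sh live` on RS1 as root to take the two snapshots around a real connection to the VIP. Two netfilter facts help when reading the result: the nat table is consulted only for the first packet of a connection, so a LOG rule placed in nat PREROUTING never sees a packet that conntrack has already matched to an existing entry (such as one created when the same SYN left the host through OUTPUT); and a packet arriving from the network whose source address is local to the receiving host is rejected at the routing step after PREROUTING as a martian source, which increments in_martian_src and, with log_martians enabled, is reported in the kernel log.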