[lvs-users] Real server refuses packets originated from itself and redirected by LVS

Simon Horman horms at verge.net.au
Fri Nov 6 00:19:56 GMT 2009

On Thu, Nov 05, 2009 at 05:27:00PM +0100, Ondrej.Rajmon at cuzk.cz wrote:
> Hello,
> maybe my question is generally about a Linux network subsystem but
> nevertheless, it is related to LVS.  My systems are RHEL5 and I have
> configured a load balancer-LVS (LB) and 2 real servers (RS1, RS2) with
> Apache. I use DR configuration described in RedHat documentation, so the
> VIP is configured just on LB. The real servers have just their real IPs
> configured and an acceptance of balanced packets is accomplished by an
> iptables rule with target REDIRECT:
> iptables -t nat -A PREROUTING -p tcp -d <VIP> --dport 80 -j REDIRECT
> When connecting clients are external hosts, it works well. But when the client is on one of that real servers, it works just partially. For example:
> -          a client on RS1 connects to VIP -> LB redirects it to RS2   =>  it works fine
> -          a client on RS1 connects to VIP -> LB redirects it to RS1   =>  it doesn't work
> When RS1 connects to itself through VIP, TCP connection is not established.
> Using tcpdump I can see that the SYN packet leaves an RS1's interface and
> immediately arrives back as it's redirected by LB. So it looks well and
> correctly. But when watching NAT-prerouting table, the packet doesn't
> appear there. It seems as the packet get lost somewhere between an input
> interface and the prerouting hook. I don't understand ... Can anybody
> explain that behaviour?
> I know this is not the standard usage of the LVS and I have read HOWTO -
> LVS clients on Realservers. But the HOWTO discusses different model,
> where real servers have configured VIP on their interfaces so the solved
> problems are different. What I want is to understand what happens in the
> system.
As I understand it generally real-servers connecting to a LVS-DR
virtual-services of which it is a member is thought to not work.
Though your approach of using iptables does seem to get quite
close to something that works. I wonder if the problem that you are
seeing is that the real-server is rejecting the packet received from
the director as a martian (that is, a packet from itself). There
are some martian controls in /proc, perhaps you could experiment with

I also wonder if a different approach could work. Assuming that
the connection from the real-server doesn't need to be load-balanced,
I wonder if an iptables rule could be constructed such that
the real-server just directly connects to itself when accessing the VIP.
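The two things suggested above, looking at the martian controls under /proc and short-circuiting the real server's own VIP connections with an iptables rule, as an added example that is not from the list post or from the LVS project. VIP, interface name and the sample kernel log line are placeholders or constructed, and the REDIRECT in the nat OUTPUT chain assumes, as the reply does, that the real server's own VIP traffic does not need to be load-balanced.

```shell
#!/bin/sh
# Added example, not from the list post: make martian drops visible on a real
# server and answer the server's own VIP connections locally via nat OUTPUT.
# Assumptions: VIP/IFACE are placeholders; DRY_RUN=1 only prints the commands.
VIP="${VIP:-192.0.2.10}"     # placeholder VIP (RFC 5737 documentation range)
IFACE="${IFACE:-eth0}"       # placeholder: interface the director forwards to
PORT="${PORT:-80}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Martian controls live under /proc/sys/net/ipv4/conf/<dev>/; turning on
# log_martians makes the kernel report a drop instead of discarding silently.
martian_sysctls() {
    echo "net.ipv4.conf.all.log_martians=1"
    echo "net.ipv4.conf.$IFACE.log_martians=1"
}

# rp_filter decides whether a source that is not routable back out $IFACE
# (such as one of our own addresses) is rejected; show it rather than force it.
show_rp_filter() { run cat "/proc/sys/net/ipv4/conf/$IFACE/rp_filter"; }

# Locally originated packets traverse nat OUTPUT, never PREROUTING, so this
# rule lets a client on the real server reach its own Apache without the trip
# through the director; only sensible if that traffic need not be balanced.
vip_redirect_args() {
    echo "-t nat -A OUTPUT -p tcp -d $VIP --dport $PORT -j REDIRECT"
}

# Reduce a log_martians line ("martian source DST from SRC, on dev DEV") to
# "SRC DEV", so SRC can be compared against the host's own addresses.
parse_martian() {
    printf '%s\n' "$1" |
      sed -n 's/.*martian source [0-9.]* from \([0-9.]*\), on dev \([A-Za-z0-9]*\).*/\1 \2/p'
}

# Constructed sample line of the kind log_martians produces (not a real capture).
SAMPLE='kernel: martian source 192.0.2.10 from 198.51.100.7, on dev eth0'

apply() {
    martian_sysctls | while read -r kv; do run sysctl -w "$kv"; done
    show_rp_filter
    # word splitting of the generated argument list is intended here
    run iptables $(vip_redirect_args)
}

apply
echo "parsed sample: $(parse_martian "$SAMPLE")"
```

Run with DRY_RUN=0 as root on the real server to actually apply the settings; afterwards a dropped SYN from the director shows up in dmesg as a "martian source" line naming the source address and interface.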
