[lvs-users] 2x LVS-DR director + realserver on one machine -> packet storm/looping
david at davidcoulson.net
Sun Oct 23 22:11:14 BST 2011
You could do something like
iptables -t mangle -A PREROUTING -p tcp --dport 80 -d 184.108.40.206 -j
MARK --set-mark 100
iptables -t mangle -A PREROUTING -m mac -mac-source xx:xx:xx:xx:xx:xx -j
MARK --set-mark 0
Then put your ipvsadm under fwm 100. Replace the MAC in the rule with
the MAC of the 'other' box, or you could change the first rule so it
verifies that the source MAC is that of your firewall or something.
Probably better to allow everything, then have it skip the stuff you
On 10/23/11 5:02 PM, Tomasz Chmielewski wrote:
> On 23.10.2011 22:47, David Coulson wrote:
>> What happens if you remove the ipvsadm rules on the host which does not
>> have the VIP active on eth0 on it?
> Then, no flood, works great.
> However, I'd rather have the rules set on both hosts, since it
> normally simplifies the setup (no need to reconfigure ipvsadm rules if
> the IP failsover etc.).
>> Sounds like both systems are running the packet through LVS and routing
>> it back and forth. I guess you could implement it with FWM and have it
>> not match packets coming from the MAC of the other director.
> Hmm, any more hints on such a rule?
>> When I've done a two-node environment with director and real on the same
>> box, I've always ran a private interconnect between them and routed
>> traffic over that.
> No such luck here!
More information about the lvs-users