[lvs-users] lvs tun and ipip fragments

Kelsey Cummings kgc at corp.sonic.net
Mon Jul 16 20:18:17 BST 2012

Julian, I haven't had time to test the patches yet but wanted to at
least answer your questions.

On Mon, Jul 09, 2012 at 10:49:24AM +0300, Julian Anastasov wrote:
> > +       //clear the DF bit so the kernel will frag the packet
> > +       old_iph->frag_off = 0;
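
Review bot: `old_iph->frag_off = 0;` clears the whole frag_off field of the inner header, not only DF as the comment says, so MF and the fragment offset are wiped too, and the visible lines do not refresh the inner header checksum after the write. If the aim is only to skip the DF check that follows, a local flag avoids touching the packet; if DF really has to be cleared, mask it with `old_iph->frag_off &= ~htons(IP_DF);` and recompute the checksum. The `//` comment should also be a `/* */` comment to match kernel style.
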
> 	Can you identify which of your two changes helps in
> your case? I guess the above change does not play at all,

I'm pretty sure the only reason I set 'old_iph->frag_off = 0' was to
cause the following "if" statement to evaluate as false in order to
prevent the icmp dest unreach/need frag packet from being transmitted.

> > -       iph->frag_off           =       df;
> > +       iph->frag_off           =       0;
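
Review bot: hard-coding `iph->frag_off = 0;` in place of `df` drops the DF bit on the outer header for every tunnelled packet, which turns off PMTUD across the tunnel unconditionally. Keep `df` as the default and make the zero value conditional on a setting (the sysctl discussed in this thread would do), so existing setups keep their behaviour.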

And that's what gets the kernel to frag it once the skb is sent.

> 	Can you clarify details for your setup, do you
> have lower MTU in the path to your real server?

No, everything is 1500 ethernet in our current use case.  The goal is
to have a lvs-tun config which allows a flexible network design without
having to rely on selective MSS fixup on the RIPs or that the ICMP frag
needed packets will actually reach the client.

Let me see what I can do about testing your patches, although a global
sysctl variable is probably the easiest solution.

> 	As a next step maybe we can add a global sysctl var
> to force Disable for IPVS-TUN PMTUD (your second change),
> it will take effect for all real servers. It will be
> needed if problem is caused by ICMP filtering in
> leg 1 (above case 1). Not sure if there is some netfilter
> mangling feature that can clear the outer DF for our
> IPIP packets in OUTPUT hook.

I wasn't able to find any, as this was another possible solution to the
problem and could be generally useful in other circumstances as well. 
Cisco supports this in combination with ipsec tunnels to allow the
router to frag the packet regardless of the original DF bit setting.

Kelsey Cummings - kgc at corp.sonic.net      sonic.net, inc.
System Architect                          2260 Apollo Way
707.522.1000                              Santa Rosa, CA 95407
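
Added example, not part of the original message and not IPVS code: a simplified C model of the two behaviours discussed in this thread (ICMP "frag needed" versus fragmenting the outer IPIP packet on an all-1500 path), plus a DF clear that masks only the DF bit and refreshes the header checksum. All function names, the `pmtud` switch and the sample header are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define IPV4_DF       0x4000u /* Don't Fragment flag in frag_off, host order */
#define IPIP_OVERHEAD 20u     /* outer IPv4 header, no options */

enum tun_result { TUN_SEND_WHOLE, TUN_FRAGMENT_OUTER, TUN_ICMP_FRAG_NEEDED };

/* Simplified model of the tunnel decision (not the IPVS source). pmtud != 0:
 * honour inner DF and answer with ICMP "frag needed". pmtud == 0: send the
 * outer header with DF clear and let the stack fragment the IPIP packet. */
enum tun_result ipip_decide(uint16_t inner_frag_off, unsigned inner_len,
                            unsigned path_mtu, int pmtud)
{
    if (inner_len + IPIP_OVERHEAD <= path_mtu)
        return TUN_SEND_WHOLE;
    if (pmtud && (inner_frag_off & IPV4_DF))
        return TUN_ICMP_FRAG_NEEDED;
    return TUN_FRAGMENT_OUTER;
}

/* RFC 1071 checksum over an IPv4 header; returns 0 for a valid header. */
uint16_t ipv4_csum(const uint8_t *h, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)h[i] << 8) | h[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Clear only DF (bit 0x40 of byte 6), keep MF and the fragment offset, then
 * refresh the header checksum in bytes 10-11. Returns the new checksum. */
uint16_t ipv4_clear_df(uint8_t *h, size_t hlen)
{
    h[6] &= (uint8_t)~0x40u;
    h[10] = h[11] = 0;
    uint16_t c = ipv4_csum(h, hlen);
    h[10] = (uint8_t)(c >> 8);
    h[11] = (uint8_t)(c & 0xffu);
    return c;
}

/* Constructed sample: 20-byte IPv4 header with DF set, checksum 0xb861. */
uint8_t sample_hdr[20] = { 0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00,
                           0x40, 0x11, 0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01,
                           0xc0, 0xa8, 0x00, 0xc7 };

int main(void) { return ipv4_clear_df(sample_hdr, 20) == 0xf861 ? 0 : 1; }
```

With a 1500-byte path MTU the largest inner packet that fits unfragmented is 1480 bytes, which is why full-size DF packets from clients hit the ICMP path unless the outer DF is cleared.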
