[lvs-users] Port mapping with LVS-DR using fwmark

Jacoby Hickerson hickersonjl at gmail.com
Fri Jan 17 01:27:53 GMT 2014


I've searched Google and this mailing list but haven't quite seen the same
configuration and/or setup as mine.

The ldirectord documentation states that port mapping on the same server
where the director resides is not possible other than with masq; however, it says
"non-fwmark".  My setup is using fwmark; however, when trying to port-map
from port 80 to another port, the client connection hangs.  Here are the
exact details of my setup:

The VIP is on the same box as the director and RIP 172.17.0.16.  This setup
works fine when no port mapping is being done, but I need to move the port
to something higher than 1024.

virtual=172.17.0.24:80
        real=172.17.0.16:50000 gate 100
        real=172.17.0.17:50000 gate 100
        service=http
        scheduler=rr
        protocol=tcp
        checktype=connect
        fwmark=100

iptables:
iptables -t mangle -A PREROUTING -d 172.17.0.24/32 ! -i lo -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x64/0xffffffff
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 50000
iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 50000

Issue:
curl -v 'http://172.17.0.24'
* About to connect() to 172.17.0.24 port 80 (#0)
*   Trying 172.17.0.24...

00:41:44.503581 IP 172.17.0.2.46099 > 172.17.0.24.80: Flags [S], seq 1066084928, win 14600, options [mss 1460,sackOK,TS val 2520815062 ecr 0,nop,wscale 7], length 0
00:41:44.503581 IP 172.17.0.2.46099 > 172.17.0.24.80: Flags [S], seq 1066084928, win 14600, options [mss 1460,sackOK,TS val 2520815062 ecr 0,nop,wscale 7], length 0
00:41:44.503658 IP 172.17.0.16.50000 > 172.17.0.2.46099: Flags [S.], seq 824291086, ack 1066084929, win 14480, options [mss 1460,sackOK,TS val 9521949 ecr 2520815062,nop,wscale 7], length 0
00:41:44.503663 IP 172.17.0.16.50000 > 172.17.0.2.46099: Flags [S.], seq 824291086, ack 1066084929, win 14480, options [mss 1460,sackOK,TS val 9521949 ecr 2520815062,nop,wscale 7], length 0

So the problem I'm having is that the source IP is not being translated by
iptables but sent via LVS as the RIP.  Is there a kernel option, iptables
option or ipvsadm option that would allow it to change it back to the VIP?

Any help would be very appreciated!

Jacoby
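The trace in the post shows the symptom that makes the client hang: the SYN goes to 172.17.0.24:80, but the SYN-ACK comes back from 172.17.0.16:50000, so the client's TCP stack has no pending connection matching that 4-tuple and keeps waiting. The following script is an added example, not part of the original post or of ldirectord/LVS; it parses tcpdump text output and flags exactly this kind of asymmetric handshake. The sample trace is constructed from the four packet lines in the post (each record re-joined onto one line); the function names are the author's own choice, not any project API.

```python
"""Flag TCP handshakes whose SYN-ACK does not come from the endpoint the
client connected to (added example; the sample lines below are constructed
from the trace quoted in the post)."""
import re

# Constructed sample: the four records from the post, each on one line.
SAMPLE_TRACE = """\
00:41:44.503581 IP 172.17.0.2.46099 > 172.17.0.24.80: Flags [S], seq 1066084928, win 14600, options [mss 1460,sackOK,TS val 2520815062 ecr 0,nop,wscale 7], length 0
00:41:44.503581 IP 172.17.0.2.46099 > 172.17.0.24.80: Flags [S], seq 1066084928, win 14600, options [mss 1460,sackOK,TS val 2520815062 ecr 0,nop,wscale 7], length 0
00:41:44.503658 IP 172.17.0.16.50000 > 172.17.0.2.46099: Flags [S.], seq 824291086, ack 1066084929, win 14480, options [mss 1460,sackOK,TS val 9521949 ecr 2520815062,nop,wscale 7], length 0
00:41:44.503663 IP 172.17.0.16.50000 > 172.17.0.2.46099: Flags [S.], seq 824291086, ack 1066084929, win 14480, options [mss 1460,sackOK,TS val 9521949 ecr 2520815062,nop,wscale 7], length 0
"""

# Default tcpdump text format for IPv4/TCP:
#   <ts> IP <a.b.c.d>.<port> > <a.b.c.d>.<port>: Flags [<f>], seq <n>[, ack <n>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+))?(?::\d+)?(?:, ack (?P<ack>\d+))?"
)


def parse_tcpdump(text):
    """Return one dict per parseable tcpdump line; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "ts": d["ts"],
            "src": (d["src"], int(d["sport"])),
            "dst": (d["dst"], int(d["dport"])),
            "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] else None,
            "ack": int(d["ack"]) if d["ack"] else None,
        })
    return packets


def find_asymmetric_handshakes(packets):
    """Pair each SYN with the SYN-ACK addressed to the same client endpoint
    (and acknowledging seq+1 when both numbers are present).  A SYN-ACK whose
    source endpoint differs from the SYN's destination endpoint is reported:
    the client keys its pending connection on (dst ip, dst port), so such a
    reply never matches the connect() and the client just waits.  Duplicate
    captures of the same packet (e.g. seen on two interfaces) are collapsed."""
    syns = {}       # client endpoint -> most recent SYN from it
    findings = {}   # (client, replied_from) -> finding, to collapse duplicates
    for p in packets:
        if p["flags"] == "S":
            syns[p["src"]] = p
        elif p["flags"] == "S.":
            syn = syns.get(p["dst"])
            if syn is None:
                continue
            if (syn["seq"] is not None and p["ack"] is not None
                    and p["ack"] != syn["seq"] + 1):
                continue  # acknowledges some other SYN; not this handshake
            if p["src"] != syn["dst"]:
                key = (syn["src"], p["src"])
                findings[key] = {
                    "client": "%s:%d" % syn["src"],
                    "connected_to": "%s:%d" % syn["dst"],
                    "replied_from": "%s:%d" % p["src"],
                }
    return list(findings.values())


if __name__ == "__main__":
    for f in find_asymmetric_handshakes(parse_tcpdump(SAMPLE_TRACE)):
        print("client %(client)s connected to %(connected_to)s but the "
              "SYN-ACK came from %(replied_from)s" % f)
```

Run it against a capture taken on the client (tcpdump -nn -S so that sequence numbers are absolute and ports are numeric); any reported line means the reply path is leaving the real server's own address and port visible, which is what the DR documentation's "no port mapping" restriction is about.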
