[lvs-users] feedback loop

Mike Ruskai thannyd at earthlink.net
Sat Feb 4 03:06:30 GMT 2017

On 2/3/2017 20:40, Zetan Drableg wrote:
> Hi, I have two nodes running ipvs/keepalived and syslog-ng for the load
> balanced service. Both nodes have a single network interface in production,
> but two in my local test kitchen. (eth0 for vagrant, eth1 for the multi
> node comms).
> I have discovered a feedback loop between both directors causing 100%
> network utilization. The same packets are being played over and over again
> (verified by packet contents timestamp).
> I have read this, but the solution is not clear.
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.localnode.html
> When running both the ipvs director and the real server on the same box, do
> I need to use firewall marks and -t mangle based on mac-source of the other
> box?

I have not configured such a setup, but according to the page you 
referenced, as well as the basic logic of the situation, you need to 
change your configuration from IP and port to firewall mark.

You want to mark all traffic on the target ports, UNLESS it's coming 
from the other director, as that would allow the loop condition.

Here's an iptables option string from that page:

-t mangle -I PREROUTING -d $VIP -p tcp -m tcp --dport $VPORT -m mac \
  ! --mac-source $MAC_NODE2 -j MARK --set-mark 0x6

Here's something that might work for your syslog-tls service (use the 
correct MAC, of course):

-t mangle -I PREROUTING -d $VIP -p tcp -m tcp --dport 6514 -m mac \
  ! --mac-source aa:bb:cc:dd:ee:ff -j MARK --set-mark 6514

Then instead of this:

! tcp 6514 for syslog-tls
virtual_server 6514 {

You'd use this:

! tcp 6514 for syslog-tls
virtual_server fwmark 6514 {

On the other director, you'd do the same thing, with the only difference being the exclusion of the first director's MAC address in the firewall mark statements.

The firewall mark number is arbitrary, of course. Using the port number just makes it easy to keep track of things, unless you end up needing multiple IPs on the same port.
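As an added illustration that is not part of the post or of keepalived/ipvs, here is a small Python model of the two-director localnode setup: it mimics the fwmark rule with and without the "! --mac-source peer" exclusion and counts how often a director re-schedules a frame its peer already forwarded. The VIP, MACs and packet sources are constructed sample values.

```python
# Added example, not code from the list post: a toy model of two LVS-DR
# directors that are also the real servers ("localnode"), showing why a
# service keyed on VIP:port lets the directors hand a frame back and forth,
# and why a fwmark rule that skips frames sourced from the peer's MAC stops it.
# All addresses and MACs below are constructed sample values.
from itertools import cycle

VIP, VPORT, MARK = "10.0.0.100", 6514, 6514            # syslog-tls, as in the thread
MAC = {"d1": "aa:bb:cc:dd:ee:01", "d2": "aa:bb:cc:dd:ee:02"}
PEER = {"d1": "d2", "d2": "d1"}
MAX_HOPS = 50                                            # cut-off so a looping setup still ends


def fwmark(pkt, peer_mac, exclude_peer):
    """Model of the rule: -t mangle -I PREROUTING -d $VIP -p tcp --dport 6514
    -m mac ! --mac-source <peer MAC> -j MARK --set-mark 6514
    Returns the mark, or 0 when the rule does not match."""
    if pkt["dst"] != VIP or pkt["dport"] != VPORT:
        return 0
    if exclude_peer and pkt["src_mac"] == peer_mac:
        return 0                                         # frame already scheduled by the peer
    return MARK


def simulate(n_packets, exclude_peer):
    """Push n client packets through the pair; each director round-robins over
    real servers {d1, d2}. Returns the hop path of every packet plus how often a
    director re-scheduled a frame that its peer had already forwarded."""
    rr = {d: cycle(["d1", "d2"]) for d in MAC}           # independent rr state per director
    paths, bounces = [], 0
    for i in range(n_packets):
        pkt = {"src_mac": f"00:11:22:33:44:{i:02x}", "dst": VIP, "dport": VPORT}
        node, path = "d1", []                             # client frames land on d1 first
        while len(path) < MAX_HOPS:
            path.append(node)
            if fwmark(pkt, MAC[PEER[node]], exclude_peer) == 0:
                break                                     # unmarked: local syslog-ng takes it
            target = next(rr[node])
            if target == node:
                break                                     # scheduled to the local real server
            if pkt["src_mac"] == MAC[PEER[node]]:
                bounces += 1                              # the ping-pong the thread describes
            pkt = dict(pkt, src_mac=MAC[node])            # DR re-emits the frame from this NIC
            node = target
        paths.append(path)
    return {"paths": paths, "bounces": bounces}


if __name__ == "__main__":
    for flag in (False, True):
        r = simulate(4, exclude_peer=flag)
        print(f"exclude_peer={flag}: bounces={r['bounces']} paths={r['paths']}")
```

With the exclusion off, the second packet travels d1 -> d2 -> d1 before a local server takes it; with it on, no packet makes more than one hop between the directors.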
