
ipvsadm and local addresses

Let's say I have four machines with IP addresses to (all in 
the same subnet - I'll refer to them as 1 to 4 from now on).

1 is the client, 2 is the LVS machine, 3 and 4 are the servers providing the 
service.  I set them up as follows:

ipvsadm -A -t 2:389 -s wlc
ipvsadm -a -t 2:389 -r 3 -m
ipvsadm -a -t 2:389 -r 4 -m

Now machine 1 tries to connect, here's the tcpdump output from machine 2:
22:33:43.903540 1.51673 > 2.389: S 3870790008:3870790008(0) win 5840 <mss 
1460,sackOK,timestamp 409360083 0,nop,wscale 0> (DF) [tos 0x10]
22:33:43.903576 1.51673 > 3.389: S 3870790008:3870790008(0) win 5840 <mss 
1460,sackOK,timestamp 409360083 0,nop,wscale 0> (DF) [tos 0x10]

So we see that the SYN packet has gone from the client to the IPVS machine and 
been directed to one of the servers.  However the server is on the same 
subnet as the client and sends the response back to the client.  The client 
sees a packet from 3 when it's expecting a packet from 2 and drops it.  
Therefore no connection!

I tried using iptables to masquerade the packets using SNAT to make the 
replies come back to the IPVS machine, but it didn't work.  It seems that 
iptables and IPVS don't mix.

I can't use IP tunneling because the servers are running Solaris 2.6 in a very 
fragile setup (so even if Solaris 2.6 supports such things I am not 
enthusiastic about installing it).

I can't change the routing because the entire network setup is very fragile 
and liable to break if I change such things (also there are so many machines 
that the risk of human error when changing these things is significant, and 
in the testing phase I will probably be turning the service on and off 

Any suggestions?

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
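The reply-path failure described in the post, as an added model that is not part of the original message and not LVS code: a director that rewrites the destination of packets for the VIP (what ipvsadm -m does), a real server that answers from its own address, and a client that only accepts a SYN-ACK whose 4-tuple mirrors the SYN it sent. The addresses are constructed (192.0.2.0/24 and 198.51.100.0/24, not the post's). The first scenario puts the real server on the client's own subnet, so its reply is delivered directly and the client sees a SYN-ACK from the wrong source; the second puts the real server behind the director as its default gateway, so the director sees the reply and restores the VIP as source, which is the routing arrangement LVS-NAT relies on.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" for SYN, "S." for SYN-ACK, as tcpdump prints them


class Director:
    """The ipvsadm -m (masquerading / LVS-NAT) side of the exchange.

    Inbound packets to the VIP get their destination rewritten to a real
    server; a reply is only un-translated if the director actually sees it.
    """

    def __init__(self, vip, real_servers):
        self.vip = vip
        self.real_servers = list(real_servers)
        self.conns = {}  # (client ip, client port) -> real server ip
        self.next_rs = 0

    def inbound(self, pkt):
        if pkt.dst != self.vip:
            return None  # not for a virtual service; left alone
        key = (pkt.src, pkt.sport)
        if key not in self.conns:
            # round-robin stands in for wlc here; the scheduler is not the issue
            self.conns[key] = self.real_servers[self.next_rs % len(self.real_servers)]
            self.next_rs += 1
        return replace(pkt, dst=self.conns[key])

    def reply(self, pkt):
        key = (pkt.dst, pkt.dport)
        if self.conns.get(key) != pkt.src:
            return None  # no matching connection entry; not un-NATted
        return replace(pkt, src=self.vip)


class Client:
    """A TCP client that only accepts a SYN-ACK matching the 4-tuple it sent."""

    def __init__(self, ip, port=51673):
        self.ip = ip
        self.port = port
        self.pending = None

    def connect(self, dst, dport):
        self.pending = Packet(self.ip, self.port, dst, dport, "S")
        return self.pending

    def accept(self, pkt):
        if pkt is None or pkt.flags != "S.":
            return False
        syn = self.pending
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (syn.dst, syn.dport, syn.src, syn.sport)


def real_server_reply(rip, syn):
    """The real server answers whatever SYN reached it, from its own address."""
    return Packet(rip, syn.dport, syn.src, syn.sport, "S.")


def handshake_completes(client_ip, vip, rip, real_server_subnet):
    """Drive one SYN through director and real server; return whether the client accepts the SYN-ACK.

    The real server's routing decision is the whole story: a destination on
    its own subnet is delivered directly on the link, anything else goes to
    its default gateway, which in LVS-NAT has to be the director.
    """
    director = Director(vip, [rip])
    client = Client(client_ip)
    syn = client.connect(vip, 389)
    forwarded = director.inbound(syn)
    synack = real_server_reply(rip, forwarded)
    if ipaddress.ip_address(synack.dst) in real_server_subnet:
        delivered = synack  # bypasses the director, src is still the real server
    else:
        delivered = director.reply(synack)  # via the gateway, src rewritten back to the VIP
    return client.accept(delivered)


# Constructed addresses (assumption, not from the post)
CLIENT = "192.0.2.1"
VIP = "192.0.2.2"


def same_subnet_case():
    """Real server on the client's own /24, the layout the post describes."""
    return handshake_completes(CLIENT, VIP, "192.0.2.3", ipaddress.ip_network("192.0.2.0/24"))


def separate_subnet_case():
    """Real server on its own /24 behind the director."""
    return handshake_completes(CLIENT, VIP, "198.51.100.3", ipaddress.ip_network("198.51.100.0/24"))


if __name__ == "__main__":
    print("real server on client's subnet:", same_subnet_case())      # False
    print("real server behind director:   ", separate_subnet_case())  # True
```

The check a practitioner would run on the real network is the same one the client does here: capture on the client and confirm the SYN-ACK's source is the VIP, not a real server address.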
