ipvsadm and local addresses
Let's say I have four machines with IP addresses 10.0.0.1 to 10.0.0.4 (all in
the same subnet - I'll refer to them as 1 to 4 from now on).
1 is the client, 2 is the LVS machine, 3 and 4 are the servers providing the
service. I set them up as follows:
ipvsadm -A -t 2:389 -s wlc
ipvsadm -a -t 2:389 -r 3 -m
ipvsadm -a -t 2:389 -r 4 -m
Now machine 1 tries to connect; here's the tcpdump output from machine 2:
22:33:43.903540 1.51673 > 2.389: S 3870790008:3870790008(0) win 5840 <mss
1460,sackOK,timestamp 409360083 0,nop,wscale 0> (DF) [tos 0x10]
22:33:43.903576 1.51673 > 3.389: S 3870790008:3870790008(0) win 5840 <mss
1460,sackOK,timestamp 409360083 0,nop,wscale 0> (DF) [tos 0x10]
So we see that the SYN packet has gone from the client to the IPVS machine and
been directed to one of the servers. However the server is on the same
subnet as the client and sends the response back to the client. The client
sees a packet from 3 when it's expecting a packet from 2 and drops it.
Therefore no connection!
I tried using iptables to masquerade the packets using SNAT to make the
replies come back to the IPVS machine, but it didn't work. It seems that
iptables and IPVS don't mix.
I can't use IP tunneling because the servers are running Solaris 2.6 in a very
fragile setup (so even if Solaris 2.6 supports such things I am not
enthusiastic about installing it).
I can't change the routing because the entire network setup is very fragile
and liable to break if I change such things (also there are so many machines
that the risk of human error when changing these things is significant, and
in the testing phase I will probably be turning the service on and off
repeatedly).
Any suggestions?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
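The failure described in this post, as an added example that is not part of the original message: a small Python model of an LVS-NAT director that rewrites the client's SYN towards a real server, a real server that answers from its own address, and a client that only accepts a SYN-ACK matching the 4-tuple of the connection it opened. It also shows the case the post does not have: when the real server's reply is routed back through the director, the director reverses the translation and the client accepts the SYN-ACK. The abbreviated addresses ("1" to "4"), the client port 51673 and port 389 are taken from the post; the round-robin choice of real server (instead of wlc) and all class and function names are simplifications made up for this example.

```python
"""Model of LVS-NAT forwarding and the return-path problem (constructed example).

Addresses are abbreviated as in the post: "1" client, "2" director/virtual
service, "3" and "4" real servers. Real-server selection is round-robin, a
simplification of the wlc scheduler used in the post.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" for SYN, "SA" for SYN-ACK


class Director:
    """LVS-NAT director: DNATs client packets to a real server and, for replies
    that actually route back through it, SNATs the source back to the VIP."""

    def __init__(self, vip, vport, real_servers):
        self.vip, self.vport = vip, vport
        self.real_servers = list(real_servers)
        self.conns = {}  # (client addr, client port) -> chosen real server
        self._rr = 0

    def forward(self, pkt):
        """Client -> VIP: pick (or reuse) a real server and rewrite the destination."""
        key = (pkt.src, pkt.sport)
        if pkt.dst == self.vip and pkt.dport == self.vport:
            rs = self.conns.get(key)
            if rs is None:
                rs = self.real_servers[self._rr % len(self.real_servers)]
                self._rr += 1
                self.conns[key] = rs
            return replace(pkt, dst=rs)  # DNAT: VIP -> real server
        return pkt

    def unnat(self, pkt):
        """Real server -> client, seen by the director only if the reply is routed
        through it: restore the VIP as the source so the client recognises it."""
        key = (pkt.dst, pkt.dport)
        if self.conns.get(key) == pkt.src and pkt.sport == self.vport:
            return replace(pkt, src=self.vip)  # SNAT back: real server -> VIP
        return pkt


def real_server_reply(pkt):
    """A real server answers a SYN with a SYN-ACK from its own address; it has no
    idea the packet was originally addressed to the VIP."""
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport, flags="SA")


def client_accepts(syn_sent, reply):
    """The client's TCP stack only matches a SYN-ACK whose source is the peer it
    sent the SYN to; anything else does not belong to the half-open connection."""
    return (reply.flags == "SA"
            and reply.src == syn_sent.dst and reply.sport == syn_sent.dport
            and reply.dst == syn_sent.src and reply.dport == syn_sent.sport)


def simulate(reply_via_director):
    """Run one SYN through the setup from the post.

    Returns (real server chosen, source address the client sees on the reply,
    whether the client accepts the SYN-ACK).
    """
    director = Director("2", 389, ["3", "4"])
    syn = Packet("1", 51673, "2", 389, "S")
    to_rs = director.forward(syn)            # what tcpdump on 2 showed: 1.51673 > 3.389
    reply = real_server_reply(to_rs)         # 3.389 > 1.51673, straight to the client
    if reply_via_director:
        reply = director.unnat(reply)        # only happens if 3 routes via 2
    return to_rs.dst, reply.src, client_accepts(syn, reply)


if __name__ == "__main__":
    for via in (False, True):
        rs, seen_src, ok = simulate(via)
        print(f"reply via director={via}: server {rs}, reply from {seen_src}, "
              f"client {'accepts' if ok else 'drops'} it")
```

Running it prints that with the direct return path (the post's situation) the SYN-ACK arrives from 3 and is dropped, and that the same exchange succeeds once the reply passes back through the director, which is why LVS-NAT requires the real servers' return route to the client to go through the director.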