> Ah okay, I expected bind :*12340 interface eth1 to listen to traffic
> coming to the interface, not to bind to all IPs which are bound to the
> interface at the moment of starting haproxy. If that's really the case,
> the documentation of bind interface could be improved.
I think you misunderstood what the bind configuration and the interface keyword are actually doing. Your problem is not the interface keyword, it's the bind configuration in itself. You are omitting the <address> configuration in the bind statement, which as per documentation [1] means:

> If unset, all IPv4 addresses of the system will be
> listened on.

Since your VIP is not active at the time haproxy starts, it will not listen on that particular IP address even if keepalived enables it (later). At least, this is what we suspect.

The interface keyword just *further restricts* the traffic to a specific source interface, but DOES NOT affect what IP addresses the daemon is bound to. Doc [2]:

> When specified, *all addresses on the same line* will only
> be accepted if the incoming packets physically come through the designated
> interface.

Also see [3]:

> SO_BINDTODEVICE
> Bind this socket to a particular device like "eth0", as specified in the
> passed interface name. If the name is an empty string or the option
> length is zero, the socket device binding is removed. The passed
> option is a variable-length null-terminated interface name string
> with the maximum size of IFNAMSIZ. If a socket is bound to an
> interface, only packets received from that particular interface
> are processed by the socket.

When you use the /proc/sys/net/ipv4/ip_nonlocal_bind feature of your kernel, you need to bind your application to that specific IP address, because otherwise neither the kernel nor the application can know what IP address the socket is supposed to bind to (this is not haproxy specific). So if you rely on the ip_nonlocal_bind, bind to specific addresses.

Why don't you check with "netstat -ntlp" what haproxy is actually binding to? Only that way we can be sure if what we suspect here is actually the case or not. Also, try if binding to * or 0.0.0.0 changes the behavior (verify with netstat).
I do agree the explanation of the interface keyword in the docs is not crystal clear. I will do some testing and see if I can come up with a more obvious description of it.

[1] http://cbonte.github.com/haproxy-dconv/configuration-1.5.html#bind
[2] http://cbonte.github.com/haproxy-dconv/configuration-1.5.html#5-interface
[3] http://linux.die.net/man/7/socket
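As an added example (not part of the thread), a small POSIX sh helper for the "check with netstat -ntlp" step above: it reports whether a VIP:port is explicitly bound, only covered by a wildcard (0.0.0.0 / :::) listener, or not bound at all. The netstat sample, PIDs and addresses are constructed; it does not by itself settle whether a wildcard listener will serve a VIP that appears later, which is exactly what the reply asks to verify on the real host.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Constructed "netstat -ntlp" output: one explicit VIP listener, one
# wildcard listener, one unrelated daemon. Real output is used when no
# third argument is given to listener_kind.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2201/haproxy
tcp        0      0 10.0.0.5:12340          0.0.0.0:*               LISTEN      2201/haproxy
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1105/master'

# listener_kind ADDR PORT [NETSTAT_OUTPUT]
# Prints "explicit" when ADDR:PORT itself is in LISTEN state,
#        "wildcard" when only 0.0.0.0:PORT or :::PORT is listening,
#        "none"     when nothing listens on PORT.
# Column layout assumed: Proto Recv-Q Send-Q Local Foreign State PID/Program.
listener_kind() {
    addr=$1; port=$2
    out=${3:-$(netstat -ntlp 2>/dev/null)}
    if printf '%s\n' "$out" | awk -v a="$addr:$port" \
        '$1=="tcp" && $4==a && $6=="LISTEN" {f=1} END {exit !f}'; then
        echo explicit
    elif printf '%s\n' "$out" | awk -v w4="0.0.0.0:$port" -v w6=":::$port" \
        '($1=="tcp" || $1=="tcp6") && ($4==w4 || $4==w6) && $6=="LISTEN" {f=1} END {exit !f}'; then
        echo wildcard
    else
        echo none
    fi
}

# Walk a few VIP:port specs against the constructed sample.
for spec in 10.0.0.5:12340 10.0.0.5:80 10.0.0.5:443; do
    printf '%s -> %s\n' "$spec" \
        "$(listener_kind "${spec%:*}" "${spec##*:}" "$SAMPLE_NETSTAT")"
done
```

Run it without the third argument on the haproxy host to classify the real listeners; a VIP that only shows up as "wildcard" or "none" while ip_nonlocal_bind is in use is the case the reply says needs an explicit bind address.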

