On Thu, Nov 05, 2009 at 05:27:00PM +0100, [email protected] wrote:
> Hello,
> maybe my question is generally about a Linux network subsystem but
> nevertheless, it is related to LVS. My systems are RHEL5 and I have
> configured a load balancer-LVS (LB) and 2 real servers (RS1, RS2) with
> Apache. I use DR configuration described in RedHat documentation, so the
> VIP is configured just on LB. The real servers have just their real IPs
> configured and an acceptance of balanced packets is accomplished by an
> iptables rule with target REDIRECT:
>
> iptables -t nat -A PREROUTING -p tcp -d <VIP> --dport 80 -j REDIRECT
>
> When connecting clients are external hosts, it works well. But when the
> client is on one of those real servers, it works just partially. For example:
>
> - a client on RS1 connects to VIP -> LB redirects it to RS2 => it
>   works fine
>
> - a client on RS1 connects to VIP -> LB redirects it to RS1 => it
>   doesn't work
>
> When RS1 connects to itself thru VIP, TCP connection is not established.
> Using tcpdump I can see that the SYN packet leaves an RS1's interface and
> immediately arrives back as it's redirected by LB. So it looks well and
> correctly. But when watching NAT-prerouting table, the packet doesn't
> appear there. It seems as the packet gets lost somewhere between an input
> interface and the prerouting hook. I don't understand ... Can anybody
> explain that behaviour?
>
> I know this is not the standard usage of the LVS and I have read HOWTO -
> LVS clients on Realservers. But the HOWTO discusses different model,
> where real servers have configured VIP on their interfaces so the solved
> problems are different. What I want is to understand what happens in the
> system.

Hi,

as I understand it, generally real-servers connecting to an LVS-DR
virtual-service of which they are a member is thought to not work.
Though your approach of using iptables does seem to get quite close
to something that works.

I wonder if the problem that you are seeing is that the real-server
is rejecting the packet received from the director as a martian
(that is, a packet from itself). There are some martian controls in
/proc, perhaps you could experiment with these?

I also wonder if a different approach could work. Assuming that the
connection from the real-server doesn't need to be load-balanced,
I wonder if an iptables rule could be constructed such that the
real-server just directly connects to itself when accessing the VIP.
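
One way to check the martian hypothesis raised in the reply above, as an added example that is not part of the original thread: it lists the per-interface `rp_filter` and `log_martians` settings under `/proc` and filters kernel log lines for "martian source" entries whose source is the real server's own address. The function names, addresses and sample log lines are constructed for illustration, and the log layout assumed is the kernel's `martian source <dst> from <src>, on dev <iface>` message.

```shell
#!/bin/sh
# Added example (not from the thread). Addresses and log lines are constructed.

# List rp_filter and log_martians for each interface under the given
# sysctl directory (default: the standard /proc location).
martian_controls() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    for d in "$root"/*/; do
        [ -r "${d}rp_filter" ] || continue
        printf '%s rp_filter=%s log_martians=%s\n' "$(basename "$d")" \
            "$(cat "${d}rp_filter")" \
            "$(cat "${d}log_martians" 2>/dev/null || echo '?')"
    done
}

# Read kernel log lines on stdin; print the "martian source" entries whose
# source address equals this host's own IP ($1), i.e. a packet the director
# sent back to the real server that originated it. Such entries are only
# logged while log_martians is enabled on the receiving interface.
self_martians() {
    awk -v ip="$1" '
        /martian source/ {
            src = ""
            for (i = 1; i < NF; i++)
                if ($i == "from") { src = $(i + 1); sub(/,$/, "", src) }
            if (src == ip) print
        }'
}

# Constructed sample: 192.0.2.11 stands for RS1, 192.0.2.100 for the VIP.
sample_log() {
    cat <<'EOF'
Nov  5 17:30:01 rs1 kernel: martian source 192.0.2.100 from 192.0.2.11, on dev eth0
Nov  5 17:30:01 rs1 kernel: ll header: 00:16:3e:00:00:0b:00:16:3e:00:00:01:08:00
Nov  5 17:31:44 rs1 kernel: martian source 192.0.2.100 from 198.51.100.7, on dev eth0
EOF
}

martian_controls
sample_log | self_martians 192.0.2.11
```

On a real server, feed `self_martians` the kernel log (for example the output of `dmesg`) with that server's real IP after enabling `log_martians` and repeating the failing connection to the VIP.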
