On 9/23/2015 5:20 AM, Jan-Aage Frydenbø-Bruvoll wrote:
> Hi,
>
> I am struggling with how to create appropriate rules for dealing with
> IPVS IPIP encapsulated traffic. I would like to achieve the following:
> - divide certain networks into named definitions and of varying
>   categories (i.e. our own networks, customer networks, etc)
> - allow these networks directly to certain services
> - allow the same networks to certain load balanced services (using IPVS
>   TUN)
>
> I have two load balancers each running keepalived/IPVS, as well as the
> real services.
>
> I have used zones and hosts to define named groups of services. As each
> server has an outward and an inward facing NIC, I have defined "ext" and
> "int" zones accordingly, along with zones named admin and customer (with
> appropriate networks listed in hosts).
>
> What I would like to achieve would be a chain where I can open for
> traffic based on original src and real destination (a VIP on the
> respective server), however what I get instead is the unencapsulated
> IPIP traffic in the ext chain (with src = other load balancer in pair
> and dst = this server), where it drops through all the rules and gets
> rejected.
>
> As I have been trawling through both the Shorewall docs and google to no
> avail, I was wondering if anyone could point me to the correct place to
> continue digging? Any specific help would of course be greatly
> appreciated - please let me know what further information I can supply.

It has been a long while since we had a question about IPVS, and I must
admit that I've forgotten what little I once knew about it. There are
several email threads in the mailing list archives that may be of help.

Regards,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users