On 9/23/2015 5:20 AM, Jan-Aage Frydenbø-Bruvoll wrote:
> Hi,
> 
> I am struggling with how to create appropriate rules for dealing with
> IPVS IPIP encapsulated traffic. I would like to achieve the following:
>  - divide certain networks into named definitions and of varying
> categories (i.e. our own networks, customer networks, etc)
>  - allow these networks directly to certain services
>  - allow the same networks to certain load balanced services (using IPVS
> TUN)
> 
> I have two load balancers each running keepalived/IPVS, as well as the
> real services.
> 
> I have used zones and hosts to define named groups of services. As each
> server has an outward and an inward facing NIC, I have defined "ext" and
> "int" zones accordingly, along with zones named admin and customer (with
> appropriate networks listed in hosts).
> 
> What I would like to achieve would be a chain where I can open for
> traffic based on original src and real destination (a VIP on the
> respective server), however what I get instead is the unencapsulated
> IPIP traffic in the ext chain (with src = other load balancer in pair
> and dst = this server), where it drops through all the rules and gets
> rejected.
> 
> As I have been trawling through both the Shorewall docs and Google to no
> avail, I was wondering if anyone could point me to the correct place to
> continue digging? Any specific help would of course be greatly
> appreciated - please let me know what further information I can supply.

It has been a long while since we had a question about IPVS, and I must
admit that I've forgotten what little I once knew about it. There are
several email threads in the mailing list archives that may be of help.

Regards,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
