Mailing List Archive

Experiencing problems with IPVS 0.2.5 / 2.4.2
This is my first post to the list, I use ipvsadm for staging/preproduction
environments at my work. What a cool package!

I began using the FW Mark to create groupings for virtual servers, and I
noticed a problem with port translation. Here's the environment:

Linux 2.4.2 / IPVS 0.2.5 / ipvsadm 1.15 / IPTables 1.2

First I made an IPTables entry:

iptables -t mangle -A PREROUTING -d 10.1.2.25 -p tcp --dport 443 -j MARK --set-mark 25

then the corresponding ipvs entry:

ipvsadm -A -f 25 -p -s rr
ipvsadm -a -f 25 -r s11-vpn:448 -m
ipvsadm -a -f 25 -r s26-vpn:448 -m

As you can see it translates from port 448 <-> 443. With persistence turned
off, it works exactly as expected. With persistence on, it does not translate
the port, i.e. it hits the real servers on port 443 instead of 448. There are
no conflicting rules, BTW. Is this a bug or am I overlooking something?

The reason I am using 2.4.2/iptables/IPVS 0.2.5 BTW is because with ipchains
and ipvs-1.0.3 I could not use the DNAT target to ssh into my real servers.
I made an ipvsadm port 22 target (persistent) to them, but even when I set
the persistent timeout to an ungodly huge number the connections still timed
out and froze the ssh connection in a matter of minutes.

Rob
Re: Experiencing problems with IPVS 0.2.5 / 2.4.2
Hello,

On Wed, 21 Mar 2001, Gargamel Jonez wrote:

> This is my first post to the list, I use ipvsadm for staging/preproduction
> environments at my work. What a cool package!
>
> I began using the FW Mark to create groupings for virtual servers, and I
> noticed a problem with port translation. Here's the environment:
>
> Linux 2.4.2 / IPVS 0.2.5 / ipvsadm 1.15 / IPTables 1.2
>
> First I made an IPTables entry:
>
> iptables -t mangle -A PREROUTING -d 10.1.2.25 -p tcp --dport 443 -j MARK --set-mark 25
>
> then the corresponding ipvs entry:
>
> ipvsadm -A -f 25 -p -s rr
> ipvsadm -a -f 25 -r s11-vpn:448 -m
> ipvsadm -a -f 25 -r s26-vpn:448 -m
>
> As you can see it translates from port 448 <-> 443. With persistence turned
> off, it works exactly as expected. With persistence on, it does not translate
> the port, i.e. it hits the real servers on port 443 instead of 448. There are
> no conflicting rules, BTW. Is this a bug or am I overlooking something?

Bug. The patch against 0.2.5/0.2.6 is attached. Please test!

> The reason I am using 2.4.2/iptables/IPVS 0.2.5 BTW is because with ipchains
> and ipvs-1.0.3 I could not use the DNAT target to ssh into my real servers.
> I made an ipvsadm port 22 target (persistent) to them, but even when I set
> the persistent timeout to an ungodly huge number the connections still timed
> out and froze the ssh connection in a matter of minutes.
>
> Rob


Regards

--
Julian Anastasov <ja@ssi.bg>
Re: Experiencing problems with IPVS 0.2.5 / 2.4.2
Hi,

On Thu, 22 Mar 2001, Julian Anastasov wrote:

>
> Hello,
>
> On Wed, 21 Mar 2001, Gargamel Jonez wrote:
>
> > This is my first post to the list, I use ipvsadm for staging/preproduction
> > environments at my work. What a cool package!
> >
> > I began using the FW Mark to create groupings for virtual servers, and I
> > noticed a problem with port translation. Here's the environment:
> >
> > Linux 2.4.2 / IPVS 0.2.5 / ipvsadm 1.15 / IPTables 1.2
> >
> > First I made an IPTables entry:
> >
> > iptables -t mangle -A PREROUTING -d 10.1.2.25 -p tcp --dport 443 -j MARK --set-mark 25
> >
> > then the corresponding ipvs entry:
> >
> > ipvsadm -A -f 25 -p -s rr
> > ipvsadm -a -f 25 -r s11-vpn:448 -m
> > ipvsadm -a -f 25 -r s26-vpn:448 -m
> >
> > As you can see it translates from port 448 <-> 443. With persistence turned
> > off, it works exactly as expected. With persistence on, it does not translate
> > the port, i.e. it hits the real servers on port 443 instead of 448. There are
> > no conflicting rules, BTW. Is this a bug or am I overlooking something?
>
> Bug. The patch against 0.2.5/0.2.6 is attached. Please test!
>

The fwmark-based virtual service usually assumes that the port number(s)
of the real services are equal to the port number(s) of the virtual service,
because one fwmark virtual service may group many load balanced services.
For example, we can mark dport 22, 80 and 443 with the value 25; then we
should direct packets to those ports at the real servers respectively. If
we direct the packets marked with 25 to port 448, there will be problems.

Since it is out of ipvsadm's control how many ports users specify to mark
with a single mark value, we cannot add more checking to the ipvsadm program.
Anyway, I should document this fwmark-based service assumption.

For the above example, where the port number of the real service is different
from that of the virtual service, it is good to use a normal virtual service, like
ipvsadm -A -t 10.1.2.25:443 -p -s rr
ipvsadm -a -t 10.1.2.25:443 -r s11-vpn:448 -m
ipvsadm -a -t 10.1.2.25:443 -r s26-vpn:448 -m

Thanks,

Wensong


> > The reason I am using 2.4.2/iptables/IPVS 0.2.5 BTW is because with ipchains
> > and ipvs-1.0.3 I could not use the DNAT target to ssh into my real servers.
> > I made an ipvsadm port 22 target (persistent) to them, but even when I set
> > the persistent timeout to an ungodly huge number the connections still timed
> > out and froze the ssh connection in a matter of minutes.
> >
> > Rob
>
>
> Regards
>
> --
> Julian Anastasov <ja@ssi.bg>
>
Re: Experiencing problems with IPVS 0.2.5 / 2.4.2
Hello,

On Thu, 22 Mar 2001, Wensong Zhang wrote:

> The fwmark-based virtual service usually assumes that the port number(s)
> of the real services are equal to the port number(s) of the virtual service,
> because one fwmark virtual service may group many load balanced services.

... and particularly the persistent fwmark service.

> For example, we can mark dport 22, 80 and 443 with the value 25; then we
> should direct packets to those ports at the real servers respectively. If
> we direct the packets marked with 25 to port 448, there will be problems.

Hm, yes, it seems both cases are equally useful:

1. To preserve the port (always for DR and TUN), currently implemented.

2. To forward all connections to one RPORT (only for NAT, but why
persistent?). For example,

FWM 1 www.domain1.com and www.domain2.com -> RIP:80 (httpd)
FWM 2 www.domain3.com and www.domain4.com -> RIP:81 (httpd)

Maybe better to keep the current variant.

> Since it is out of ipvsadm's control how many ports users specify to mark
> with a single mark value, we cannot add more checking to the ipvsadm program.
> Anyway, I should document this fwmark-based service assumption.
>
> For the above example, where the port number of the real service is different
> from that of the virtual service, it is good to use a normal virtual service, like
> ipvsadm -A -t 10.1.2.25:443 -p -s rr
> ipvsadm -a -t 10.1.2.25:443 -r s11-vpn:448 -m
> ipvsadm -a -t 10.1.2.25:443 -r s26-vpn:448 -m
>
> Thanks,
>
> Wensong


Regards

--
Julian Anastasov <ja@ssi.bg>
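Wensong's point is that ipvsadm alone cannot know which dports a mark covers, and Julian's variant 1 is that a fwmark service preserves the client's port; a configuration check that reads both the iptables MARK rules and the ipvsadm fwmark entries can catch a NAT real server that relies on port translation the service will not do, and emit the plain -t form Wensong suggests instead. This is an added Python example, not code from ipvsadm or from anyone in the thread; the rule strings are the thread's own commands, and reading only the -d, --dport, --set-mark, -r, -m/-g/-i, -p and -s options is a simplifying assumption.

```python
import shlex
from collections import defaultdict

# Rule text constructed from the thread's own commands; the checker itself is added code.
IPTABLES_RULES = ["iptables -t mangle -A PREROUTING -d 10.1.2.25 -p tcp --dport 443 -j MARK --set-mark 25"]
IPVSADM_RULES = [
    "ipvsadm -A -f 25 -p -s rr",
    "ipvsadm -a -f 25 -r s11-vpn:448 -m",
    "ipvsadm -a -f 25 -r s26-vpn:448 -m",
]

def _opt(argv, flag):
    """Value following an option flag, or None if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None

def parse_marks(rules):
    """Map mark value -> set of (vip, dport) that the mangle MARK rules stamp."""
    marks = defaultdict(set)
    for argv in map(shlex.split, rules):
        if _opt(argv, "-j") == "MARK" and _opt(argv, "--dport"):
            marks[int(_opt(argv, "--set-mark"))].add((_opt(argv, "-d"), int(_opt(argv, "--dport"))))
    return marks

def parse_fwmark_reals(rules):
    """Map fwmark -> list of (host, rport, forwarding flag) from 'ipvsadm -a -f' entries."""
    reals = defaultdict(list)
    for argv in map(shlex.split, rules):
        if "-a" in argv and "-f" in argv:
            host, _, port = _opt(argv, "-r").partition(":")
            method = next((f for f in ("-m", "-g", "-i") if f in argv), "-g")  # -g is ipvsadm's default
            reals[int(_opt(argv, "-f"))].append((host, int(port or 0), method))
    return reals

def find_port_translation(iptables_rules, ipvsadm_rules):
    """A fwmark service keeps the client's destination port, so a NAT (-m) real server
    listed with a port that is not one of the marked dports relies on translation the
    service does not perform. Returns (mark, host, rport, marked dports) per offender."""
    marks = parse_marks(iptables_rules)
    found = []
    for mark, servers in parse_fwmark_reals(ipvsadm_rules).items():
        dports = sorted({dp for _vip, dp in marks.get(mark, ())})
        found += [(mark, h, p, dports) for h, p, m in servers if m == "-m" and p not in dports]
    return found

def suggest_t_service(mark, iptables_rules, ipvsadm_rules):
    """Wensong's alternative: one plain -t service per marked (vip, dport), real ports kept."""
    svc = next(a for a in map(shlex.split, ipvsadm_rules) if "-A" in a and _opt(a, "-f") == str(mark))
    opts = (" -p" if "-p" in svc else "") + (f" -s {_opt(svc, '-s')}" if "-s" in svc else "")
    out = []
    for vip, dport in sorted(parse_marks(iptables_rules)[mark]):
        out.append(f"ipvsadm -A -t {vip}:{dport}{opts}")
        out += [f"ipvsadm -a -t {vip}:{dport} -r {h}:{p} {m}" for h, p, m in parse_fwmark_reals(ipvsadm_rules)[mark]]
    return out
```

Run against the thread's rules, the check flags both 448 real servers and the suggestion reproduces Wensong's three -t commands; a DR (-g) real server is never flagged because DR always preserves the port.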