
[lvs-users] multi-port persistence for http/https - unclear documentation
Hi,

I'm trying to follow the documentation here to set up multi-port (http/https) persistence, with LVS-DR:

1) http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.services.multi-port.html
2) http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.fwmark.html#e-commerce_fwmark


However, it doesn't make much sense to me.

First, 2), under "25.6.2. iptables for 2.4 director" mentions:

director:# iptables -t mangle -A PREROUTING -i eth1 -p tcp -s 0.0.0.0/0 -d 192.168.2.110/32 \
--dport http -j MARK --set-mark 2
director:# iptables -t mangle -A PREROUTING -i eth1 -p tcp -s 0.0.0.0/0 -d 192.168.2.110/32 \
--dport https -j MARK --set-mark 2

This would set the *same* mark 2 for ports 80 and 443.

Then, how will LVS distinguish between what needs to be sent where?

I.e. this snippet of ldirectord config:

virtual = 2
protocol = fwm
scheduler = wlc
persistent = 300
real = server1:80 gate 20
real = server2:80 gate 20
real = server3:80 gate 20
real = server4:80 gate 20
virtualhost = example.com
request = "/ping/"
receive = "ALIVE"
service = http


will cause the traffic to be sent to port 80.

But it will also send there (to port 80) all traffic incoming to port 443, since it has the same mark.

So:
- connections to port 80 will go to some realserver, port 80 (good)
- connections to port 443 will go to some realserver, port 80 (bad!)


Can you point out where my reasoning is incorrect, and how I should use LVS to make sure traffic for 80/443 is always sent to the same real server?



--
Tomasz Chmielewski
http://blog.wpkg.org

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] multi-port persistence for http/https - unclear documentation
If you use gateway/DR mode, it will not rewrite the IP packet (just the Ethernet headers to send it to the real server). So it will go to the same port (as well as destination IP) as the original packet.

Did you actually try the config and have a problem, or are you just assuming it won't work?

David


On Nov 24, 2012, at 7:48 PM, Tomasz Chmielewski wrote:

> Hi,
>
> I'm trying to follow the documentation here to set up multi-port (http/https) persistence, with LVS-DR:
>
> 1) http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.services.multi-port.html
> 2) http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.fwmark.html#e-commerce_fwmark
>
>
> However, it doesn't make much sense to me.
>
> First, 2), under "25.6.2. iptables for 2.4 director" mentions:
>
> director:# iptables -t mangle -A PREROUTING -i eth1 -p tcp -s 0.0.0.0/0 -d 192.168.2.110/32 \
> --dport http -j MARK --set-mark 2
> director:# iptables -t mangle -A PREROUTING -i eth1 -p tcp -s 0.0.0.0/0 -d 192.168.2.110/32 \
> --dport https -j MARK --set-mark 2
>
> This would set the *same* mark 2 for ports 80 and 443.
>
> Then, how will LVS distinguish between what needs to be sent where?
>
> I.e. this snippet of ldirectord config:
>
> virtual = 2
> protocol = fwm
> scheduler = wlc
> persistent = 300
> real = server1:80 gate 20
> real = server2:80 gate 20
> real = server3:80 gate 20
> real = server4:80 gate 20
> virtualhost = example.com
> request = "/ping/"
> receive = "ALIVE"
> service = http
>
>
> will cause the traffic to be sent to port 80.
>
> But it will also send there (to port 80) all traffic incoming to port 443, since it has the same mark.
>
> So:
> - connections to port 80 will go to some realserver, port 80 (good)
> - connections to port 443 will go to some realserver, port 80 (bad!)
>
>
> Can you point out where my reasoning is incorrect, and how I should use LVS to make sure traffic for 80/443 is always sent to the same real server?
>
>
>
> --
> Tomasz Chmielewski
> http://blog.wpkg.org


Re: [lvs-users] multi-port persistence for http/https - unclear documentation
On 11/25/2012 03:12 AM, David Coulson wrote:
>
> If you use gateway/DR mode, it will not rewrite the IP packet (just
> the Ethernet headers to send it to the real server). So it will go to
> the same port (as well as destination IP) as the original packet.
>
> Did you actually try the config and have a problem, or are you just
> assuming it won't work?

Hi,

with my current setup, I'm pretty sure port :80 may get directed to one
realserver, while port :443 may be directed to a different one.

I use marking in iptables, since some directors may be realservers, too.
My ldirectord config is as follows (251 and 2510 - marks made with
iptables):

virtual = 251
protocol = fwm
scheduler = wlc
persistent = 300
real = server1:80 gate 20
real = server2:80 gate 20
real = server3:80 gate 20
real = server4:80 gate 20
virtualhost = example.com
request = "/ping/"
receive = "ALIVE"
service = http

virtual = 2510
protocol = fwm
scheduler = wlc
persistent = 300
real = server1:443 gate 20
real = server2:443 gate 20
real = server3:443 gate 20
real = server4:443 gate 20
virtualhost = example.com
request = "/ping/"
receive = "ALIVE"
service = https


Am I correct to think that to use multi-port persistence, I'd have to
use just one iptables mark, and the following ldirectord config:

virtual = $NEW_MARK
protocol = fwm
scheduler = wlc
persistent = 300
real = server1:0 gate 20
real = server2:0 gate 20
real = server3:0 gate 20
real = server4:0 gate 20
virtualhost = example.com
request = "/ping/"
receive = "ALIVE"
service = https


(basically, one mark in iptables, and :0 as a port in ldirectord config).

Let me know if that would be correct?


--
Tomasz Chmielewski
http://blog.wpkg.org

Re: [lvs-users] multi-port persistence for http/https - unclear documentation
Your 250/251 configs are essentially equivalent. The only difference is ldirectord is checking a different port for availability. In dr/gate mode, ipvs doesn't modify the port number at all. Your example with port zero would also work, except the ldirectord health checks would fail. You would either need to set a checkport directive, or change the port for each real server to something checkable.

As I said last time, in dr/gate mode ipvs doesn't care about the port in the real server as all it modifies is the dst MAC address in the Ethernet frame and does not touch the ip packet at all (including tcp headers).

Sent from my iPad

On Nov 25, 2012, at 6:52 AM, Tomasz Chmielewski <mangoo@wpkg.org> wrote:

> On 11/25/2012 03:12 AM, David Coulson wrote:
>>
>> If you use gateway/DR mode, it will not rewrite the IP packet (just
>> the Ethernet headers to send it to the real server). So it will go to
>> the same port (as well as destination IP) as the original packet.
>>
>> Did you actually try the config and have a problem, or are you just
>> assuming it won't work?
>
> Hi,
>
> with my current setup, I'm pretty sure port :80 may get directed to one realserver, while port :443 may be directed to a different one.
>
> I use marking in iptables, since some directors may be realservers, too.
> My ldirectord config is as follows (251 and 2510 - marks made with iptables):
>
> virtual = 251
> protocol = fwm
> scheduler = wlc
> persistent = 300
> real = server1:80 gate 20
> real = server2:80 gate 20
> real = server3:80 gate 20
> real = server4:80 gate 20
> virtualhost = example.com
> request = "/ping/"
> receive = "ALIVE"
> service = http
>
> virtual = 2510
> protocol = fwm
> scheduler = wlc
> persistent = 300
> real = server1:443 gate 20
> real = server2:443 gate 20
> real = server3:443 gate 20
> real = server4:443 gate 20
> virtualhost = example.com
> request = "/ping/"
> receive = "ALIVE"
> service = https
>
>
> Am I correct to think that to use multi-port persistence, I'd have to use just one iptables mark, and the following ldirectord config:
>
> virtual = $NEW_MARK
> protocol = fwm
> scheduler = wlc
> persistent = 300
> real = server1:0 gate 20
> real = server2:0 gate 20
> real = server3:0 gate 20
> real = server4:0 gate 20
> virtualhost = example.com
> request = "/ping/"
> receive = "ALIVE"
> service = https
>
>
> (basically, one mark in iptables, and :0 as a port in ldirectord config).
>
> Let me know if that would be correct?
>
>
> --
> Tomasz Chmielewski
> http://blog.wpkg.org

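The two points the thread turns on, that a persistence template belongs to one fwmark virtual service and that DR mode leaves the destination port alone, can be seen in a small model. The following is an added illustration written for this archive page, not code from IPVS, ldirectord or the HOWTO; mark values, client addresses, server names and timings are constructed, round robin stands in for the wlc scheduler, and health checks are not modelled. It compares the poster's two-mark setup (251 for :80, 2510 for :443) with the single-mark, `server:0` variant and also shows the template expiring after `persistent` seconds.

```python
"""Toy model of how IPVS handles fwmark-based virtual services with
persistence in direct-routing (gate/DR) mode.

Constructed illustration for the lvs-users thread above; it is not code
from IPVS, ldirectord or the HOWTO.  Two behaviours are modelled:
  1. a persistence template is kept per (fwmark, client address), so every
     marked connection from that client reuses one real server until the
     template times out (`persistent` seconds, refreshed by new connections);
  2. in DR mode the director only rewrites the destination MAC, so the
     packet's destination IP and TCP port reach the real server unchanged.
Mark values, addresses, server names and timings are made up; round robin
stands in for the wlc scheduler; health checks are not modelled.
"""
from itertools import cycle
from typing import Dict, List, Optional, Tuple


class FwmarkService:
    """One `virtual = <fwmark>` / `protocol = fwm` block with `persistent = N`."""

    def __init__(self, fwmark: int, persistent: int, real_servers: List[str]):
        self.fwmark = fwmark
        self.persistent = persistent
        self._rotation = cycle(real_servers)              # scheduler stand-in
        self.templates: Dict[str, Tuple[str, int]] = {}   # client -> (server, expiry)

    def pick(self, client_ip: str, now: int) -> str:
        hit = self.templates.get(client_ip)
        if hit is not None and hit[1] > now:
            server = hit[0]                  # live template: stick to that server
        else:
            server = next(self._rotation)    # no live template: schedule afresh
        self.templates[client_ip] = (server, now + self.persistent)
        return server


class Forwarded:
    """What leaves the director: the frame goes to `server`, headers untouched."""

    def __init__(self, server: str, dport: int):
        self.server = server
        self.dport = dport    # DR mode: still the port the client connected to


class Director:
    def __init__(self, mark_rules: Dict[int, int], services: List[FwmarkService]):
        # dport -> fwmark, standing in for the `-t mangle PREROUTING ... -j MARK` rules
        self.mark_rules = mark_rules
        self.services = {s.fwmark: s for s in services}

    def forward(self, client_ip: str, dport: int, now: int = 0) -> Optional[Forwarded]:
        mark = self.mark_rules.get(dport)
        if mark is None or mark not in self.services:
            return None    # unmarked, or no virtual for the mark: not balanced here
        server = self.services[mark].pick(client_ip, now)
        return Forwarded(server, dport)


SERVERS = ["server1", "server2", "server3", "server4"]

# Constructed traffic: client B opens the first HTTP connection, then client A
# browses over HTTP and moves on to HTTPS.
FLOWS = [("10.0.0.2", 80, 0), ("10.0.0.1", 80, 1), ("10.0.0.1", 443, 2)]


def run(director: Director) -> Dict[Tuple[str, int], Forwarded]:
    return {(c, p): director.forward(c, p, t) for c, p, t in FLOWS}


def two_marks() -> Dict[Tuple[str, int], Forwarded]:
    """Original setup: :80 marked 251, :443 marked 2510, one virtual per mark."""
    d = Director({80: 251, 443: 2510},
                 [FwmarkService(251, 300, SERVERS), FwmarkService(2510, 300, SERVERS)])
    return run(d)


def one_mark() -> Dict[Tuple[str, int], Forwarded]:
    """Single-mark variant: both ports marked 3, one virtual with `server:0` reals."""
    d = Director({80: 3, 443: 3}, [FwmarkService(3, 300, SERVERS)])
    return run(d)


def one_mark_after_timeout() -> Tuple[str, str]:
    """Persistence is time-bounded: past `persistent` the client is rescheduled."""
    d = Director({80: 3, 443: 3}, [FwmarkService(3, 300, SERVERS)])
    first = d.forward("10.0.0.1", 80, now=0)       # template valid until t=300
    later = d.forward("10.0.0.1", 443, now=301)    # expired: next server in rotation
    return first.server, later.server


if __name__ == "__main__":
    for name, result in (("two marks", two_marks()), ("one mark", one_mark())):
        print(name)
        for (client, port), fwd in result.items():
            print(f"  {client}:{port} -> {fwd.server} port {fwd.dport}")
```

With two marks, each virtual keeps its own template for client A, so A's HTTPS connection is scheduled independently and can land on a different real server than its HTTP connection. With one mark, the template created by the first connection is shared by both ports, and the forwarded `dport` is still 443 because DR mode never rewrites the IP or TCP headers; that is why `server:0` in the ldirectord config is harmless for forwarding and only matters for the health checks, which is the `checkport` caveat raised above.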