Mailing List Archive

[lvs-users] full-nat support in mainline kernel?
Hi,

according to latest stable kernel and

net/netfilter/ipvs/ip_vs_conn.c

static inline void ip_vs_bind_xmit(struct ip_vs_conn *cp)
{
	/* Select the transmit routine from the connection's forwarding method */
	switch (IP_VS_FWD_METHOD(cp)) {
	case IP_VS_CONN_F_MASQ:
		cp->packet_xmit = ip_vs_nat_xmit;
		break;

	case IP_VS_CONN_F_TUNNEL:
		cp->packet_xmit = ip_vs_tunnel_xmit;
		break;

	case IP_VS_CONN_F_DROUTE:
		cp->packet_xmit = ip_vs_dr_xmit;
		break;

	case IP_VS_CONN_F_LOCALNODE:
		cp->packet_xmit = ip_vs_null_xmit;
		break;

	case IP_VS_CONN_F_BYPASS:
		cp->packet_xmit = ip_vs_bypass_xmit;
		break;
	}
}

there is still no support for Full-NAT in the kernel, right? Or is this something I have to do in userland?

Stefan

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] full-nat support in mainline kernel?
-----Original Message-----
From: Jan Kasprzak <kas@fi.muni.cz>
> for ldirectord:
>
> virtual=virtualip:srvport
> real=realserver1:srvport masq 100
> real=realserver2:srvport masq 100
> [... scheduler and other parameters omitted for brevity ...]
>
> for iptables:
>
> iptables -t nat -A POSTROUTING -d realserver1 \
> -p tcp --dport srvport -j MASQUERADE
> iptables -t nat -A POSTROUTING -d realserver2 \
> -p tcp --dport srvport -j MASQUERADE
>
> Is this what you are looking for?

Well, a simple SNAT is what I want, but I prefer to get it done by ipvsadm/ip_vs in the kernel. That's how I understood the implementation by Jiaming Wu and Jian Chen according to http://kb.linuxvirtualserver.org/wiki/IPVS_FULLNAT_and_SYNPROXY. I just don't want to mess in userland with iptables manually.

Cheers

Stefan

Re: [lvs-users] full-nat support in mainline kernel?
Hello,

Stefan Bauer wrote:
: according to latest stable kernel and
:
: net/netfilter/ipvs/ip_vs_conn.c
[...]
: there is still no support for Full-NAT in the kernel, right? Or is this something I have to do in userland?

What do you mean by Full-NAT? Is it similar to what you get when
you use a user-space reverse proxy? I was looking for this a month
ago - my real servers are on a different network than my IPVS redirector
and run a non-Linux OS, so things like tunnelling are hard to do there.

I have discovered that using IPVS with masq method and rewriting
the source address in iptables did exactly what I wanted. I use the
following configuration:

for ldirectord:

virtual=virtualip:srvport
real=realserver1:srvport masq 100
real=realserver2:srvport masq 100
[... scheduler and other parameters omitted for brevity ...]

for iptables:

iptables -t nat -A POSTROUTING -d realserver1 \
-p tcp --dport srvport -j MASQUERADE
iptables -t nat -A POSTROUTING -d realserver2 \
-p tcp --dport srvport -j MASQUERADE

Is this what you are looking for?

-Yenya

--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| New GPG 4096R/A45477D5 - see http://www.fi.muni.cz/~kas/pgp-rollover.txt |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
Please don't top post and in particular don't attach entire digests to your
mail or we'll all soon be using bittorrent to read the list. --Alan Cox

Re: [lvs-users] full-nat support in mainline kernel?
Hi,

I think he's talking about IPVS FULLNAT from this link :

http://kb.linuxvirtualserver.org/wiki/IPVS_FULLNAT_and_SYNPROXY

Sébastien ROHAUT

Re: [lvs-users] full-nat support in mainline kernel?
-----Original Message-----
From: Jan Kasprzak <kas@fi.muni.cz>
> I think my configuration above does exactly this
> (well, I have omitted "lip" address, using SNAT to a different address
> instead of MASQUERADE would solve it).
>
> : I just don't want to mess in userland with iptables manually.
>
> OK, understood. For me it was still better than installing
> a reverse proxy for a single virtual service out of tens I already
> serve using IPVS.

Again, as far as I understood, no reverse proxy is required. It is handled by the ip_vs netfilter module if you use the fullnat method.

Please correct me if I'm wrong on this.

Stefan

Re: [lvs-users] full-nat support in mainline kernel?
Stefan Bauer wrote:
: -----Original Message-----
: From: Jan Kasprzak <kas@fi.muni.cz>
: > for ldirectord:
: >
: > virtual=virtualip:srvport
: > real=realserver1:srvport masq 100
: > real=realserver2:srvport masq 100
: > [... scheduler and other parameters omitted for brevity ...]
: >
: > for iptables:
: >
: > iptables -t nat -A POSTROUTING -d realserver1 \
: > -p tcp --dport srvport -j MASQUERADE
: > iptables -t nat -A POSTROUTING -d realserver2 \
: > -p tcp --dport srvport -j MASQUERADE
: >
: > Is this what you are looking for?
:
: Well, a simple SNAT is what I want, but I prefer to get
: it done by ipvsadm/ip_vs in the kernel. That's how I understood
: the implementation by Jiaming Wu and Jian Chen according to
: http://kb.linuxvirtualserver.org/wiki/IPVS_FULLNAT_and_SYNPROXY.

From that page:

> The main principle is as follows: the module introduces local ip address
> (IDC internal ip address, lip), IPVS translates cip-vip to/from lip-rip,
> in which lip and rip both are IDC internal ip address, so that LVS load
> balancer and real servers can be in different vlans, and real servers
> only need to access internal network. See Virtual Server via Full NAT
> for more information.

I think my configuration above does exactly this
(well, I have omitted "lip" address, using SNAT to a different address
instead of MASQUERADE would solve it).

: I just don't want to mess in userland with iptables manually.

OK, understood. For me it was still better than installing
a reverse proxy for a single virtual service out of tens I already
serve using IPVS.

-Yenya

--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| New GPG 4096R/A45477D5 - see http://www.fi.muni.cz/~kas/pgp-rollover.txt |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
Please don't top post and in particular don't attach entire digests to your
mail or we'll all soon be using bittorrent to read the list. --Alan Cox
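As an added example (not code from the thread or from the LVS project), here is the ipvsadm and iptables equivalent of Yenya's ldirectord "masq" setup, with the lip address that the FULLNAT wiki page describes supplied through SNAT instead of MASQUERADE, as Yenya suggests above. The addresses, port, scheduler and weight are placeholders, and it assumes a kernel whose IPVS provides the net.ipv4.vs.conntrack sysctl (CONFIG_IP_VS_NFCT), which the POSTROUTING NAT rule relies on to see packets that IPVS has already forwarded.

```shell
#!/bin/sh
# Added example, not code from the thread or from LVS: the ipvsadm +
# iptables equivalent of the ldirectord "masq" config, with the client
# source rewritten to a fixed lip via SNAT.  All addresses are placeholders.
# Prints the commands; set APPLY=1 to execute them (root required).

VIP=${VIP:-192.0.2.10}                # public virtual IP (placeholder)
SRVPORT=${SRVPORT:-80}
LIP=${LIP:-10.0.0.1}                  # director's internal lip (placeholder)
RIPS=${RIPS:-"10.0.1.11 10.0.1.12"}   # real servers (placeholders)

# fullnat_rules VIP PORT LIP "RIP RIP ..." -> one command per line
fullnat_rules() {
    vip=$1; port=$2; lip=$3; rips=$4
    echo "sysctl -w net.ipv4.ip_forward=1"
    # vs.conntrack (CONFIG_IP_VS_NFCT) makes nf_conntrack track the
    # IPVS-NATed flow, so the POSTROUTING SNAT rule below applies to it.
    echo "sysctl -w net.ipv4.vs.conntrack=1"
    # Virtual service; -m on each real server is the masq (NAT)
    # forwarding method that ldirectord's "masq" keyword selects.
    echo "ipvsadm -A -t $vip:$port -s wlc"
    for rip in $rips; do
        echo "ipvsadm -a -t $vip:$port -r $rip:$port -m -w 100"
        # Rewrite the client source to lip only for packets IPVS sent
        # to this real server; SNAT rather than MASQUERADE pins lip.
        echo "iptables -t nat -A POSTROUTING -d $rip -p tcp --dport $port -j SNAT --to-source $lip"
    done
}

# Number of commands in the generated rule set (2 sysctls + 1 service
# + 2 per real server); a sanity check before applying.
rule_count() {
    fullnat_rules "$@" | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = 1 ]; then
    fullnat_rules "$VIP" "$SRVPORT" "$LIP" "$RIPS" | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
else
    fullnat_rules "$VIP" "$SRVPORT" "$LIP" "$RIPS"
fi
```

Real servers must route return traffic for lip back through the director, otherwise the reply bypasses the IPVS connection entry and the SNAT is never undone.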

Re: [lvs-users] full-nat support in mainline kernel?
Stefan Bauer wrote:
: -----Original Message-----
: From: Jan Kasprzak <kas@fi.muni.cz>
: > I think my configuration above does exactly this
: > (well, I have omitted "lip" address, using SNAT to a different address
: > instead of MASQUERADE would solve it).
: >
: > : I just don't want to mess in userland with iptables manually.
: >
: > OK, understood. For me it was still better than installing
: > a reverse proxy for a single virtual service out of tens I already
: > serve using IPVS.
:
: Again, as far as I understood, no reverse proxy is required. It is handled by the ip_vs netfilter module if you use the fullnat method.
:
: Please correct me if I'm wrong on this.

Well, as you wrote, it is not merged to mainline
(and definitely not available on my not-so-new IPVS server). So for me
it was either a user-space reverse proxy or IPVS+SNAT.

-Yenya

--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| New GPG 4096R/A45477D5 - see http://www.fi.muni.cz/~kas/pgp-rollover.txt |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
Please don't top post and in particular don't attach entire digests to your
mail or we'll all soon be using bittorrent to read the list. --Alan Cox
