[lvs-users] coloring LVS-NAT connections internally using TOS/DSCP - reliable?
Dear LVS users / gurus,

I came across an idea today, which even appears to work, that could
potentially reduce the number of ipvs realserver entries in an LVS-NAT
scenario where multiple ports need to be passed through to the
realservers.

Right now I have a separate (fwmark) virtualserver for port 80, and
several SSL ports that need different certificates on the realservers. The
usual mangle/PREROUTING marking selects which one to use.

Now the idea is to reduce the LVS setup itself to the port 80 server entry,
always select the same fwmark for that, but use rules in
mangle/PREROUTING like -j TOS --set-tos 0x04/0xfc, with different TOS
values.

All SSL connections then arrive at the realservers with dport 80, but
there I have nat/PREROUTING rules matching the TOS values, using -j
REDIRECT --to-port 44X to internally let the connection flow to the right
SSL port.

This appears to work quite nicely in a prototype setup.

My question would be: we run this on kernel 2.6.32 right now. That's a
little bit ancient, and will eventually be upgraded. Was there anything
changed in LVS kernel code since then that would make this TOS/DSCP
marking scheme fail?


best regards
Patrick
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
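The scheme above rests on two iptables semantics: `-j TOS --set-tos VALUE/0xfc` on the director replaces only the masked (DSCP) bits and leaves the two low ECN bits untouched, and `-m tos --tos VALUE/0xfc` on the realserver compares only those masked bits. The following is an added example, not code from the thread or from IPVS: it models those two operations in Python so a value/port plan can be checked for ambiguity (values spilling into the ECN bits, or colliding once masked) and the matching rule text generated for both sides before anything is loaded on a live director. The ports 443, 4430 and 4431 are constructed stand-ins for the "44X" ports in the post, the VIP 192.0.2.10 is a documentation address, and the fwmark rule that feeds the single IPVS virtual service is assumed to exist separately.

```python
# Added example (not from the thread): models the iptables TOS target and
# tos match semantics that the TOS-colouring scheme relies on.
# Assumptions: director sets one DSCP value per SSL port with
# "-j TOS --set-tos VALUE/0xfc"; every realserver matches it with
# "-m tos --tos VALUE/0xfc" and REDIRECTs dport 80 to the SSL port.
# Ports 443/4430/4431 are constructed stand-ins for the post's "44X".

ECN_MASK = 0x03    # low two bits of the TOS byte carry ECN, not DSCP
DSCP_MASK = 0xFC   # the /0xfc mask from the post: touch only the DSCP field
HTTP_PORT = 80     # the one port every connection arrives on after LVS-NAT

# Constructed plan: TOS value written by the director -> SSL port on the realserver.
TOS_PLAN = {
    0x04: 443,
    0x08: 4430,
    0x0C: 4431,
}


def set_tos(tos_byte: int, value: int, mask: int = DSCP_MASK) -> int:
    """Semantics of `-j TOS --set-tos value/mask`: bits inside the mask are
    replaced by `value`; bits outside it (here the ECN bits) are preserved."""
    return (tos_byte & ~mask & 0xFF) | (value & mask)


def match_tos(tos_byte: int, value: int, mask: int = DSCP_MASK) -> bool:
    """Semantics of `-m tos --tos value/mask`: compare only the masked bits."""
    return (tos_byte & mask) == (value & mask)


def classify_on_realserver(tos_byte: int, dport: int = HTTP_PORT) -> int:
    """Realserver nat/PREROUTING: the first matching TOS rule REDIRECTs the
    connection to its SSL port; uncoloured traffic stays on dport 80."""
    for value, ssl_port in TOS_PLAN.items():
        if match_tos(tos_byte, value):
            return ssl_port
    return dport


def validate_plan(plan: dict, mask: int = DSCP_MASK) -> list:
    """Return the problems that would make the colouring ambiguous: values
    using bits outside the mask (silently dropped by --set-tos, so the
    realserver match never fires) and values that collide once masked."""
    problems = []
    seen = {}
    for value, port in plan.items():
        if value & ~mask & 0xFF:
            problems.append(f"0x{value:02x} for port {port} uses bits outside mask 0x{mask:02x}")
        masked = value & mask
        if masked in seen:
            problems.append(f"0x{value:02x} and 0x{seen[masked]:02x} collide after masking")
        seen[masked] = value
    return problems


def director_rules(vip: str, plan: dict = TOS_PLAN, mask: int = DSCP_MASK) -> list:
    """Rule text for the director's mangle/PREROUTING (generated, not executed)."""
    return [
        f"iptables -t mangle -A PREROUTING -d {vip} -p tcp --dport {port} "
        f"-j TOS --set-tos 0x{value:02x}/0x{mask:02x}"
        for value, port in plan.items()
    ]


def realserver_rules(plan: dict = TOS_PLAN, mask: int = DSCP_MASK) -> list:
    """Rule text for each realserver's nat/PREROUTING (generated, not executed)."""
    return [
        f"iptables -t nat -A PREROUTING -p tcp --dport {HTTP_PORT} "
        f"-m tos --tos 0x{value:02x}/0x{mask:02x} -j REDIRECT --to-ports {port}"
        for value, port in plan.items()
    ]


if __name__ == "__main__":
    assert not validate_plan(TOS_PLAN)
    # A client packet that already carries ECN bits (0x02) keeps them after colouring.
    coloured = set_tos(0x02, 0x08)
    print(f"TOS 0x02 -> 0x{coloured:02x}, realserver port {classify_on_realserver(coloured)}")
    print("\n".join(director_rules("192.0.2.10")))
    print("\n".join(realserver_rules()))
```

Run with no arguments to print the rule text for both sides; `validate_plan` is the check worth keeping in a deployment script, since a TOS value such as 0x05 would pass `iptables` syntax checks while never matching on the realserver.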
Re: [lvs-users] coloring LVS-NAT connections internally using TOS/DSCP - reliable?
Hello,

On Thu, 7 Nov 2013, Patrick Schaaf wrote:

> Dear LVS users / gurus,
>
> I came across an idea today, which even appears to work, that could
> potentially reduce the number of ipvs realserver entries in an LVS-NAT
> scenario where multiple ports need to be passed through to the
> realservers.
>
> Right now I have a separate (fwmark) virtualserver for port 80, and
> several SSL ports that need different certificates on the realservers. The
> usual mangle/PREROUTING marking selects which one to use.
>
> Now the idea is to reduce the LVS setup itself to the port 80 server entry,
> always select the same fwmark for that, but use rules in
> mangle/PREROUTING like -j TOS --set-tos 0x04/0xfc, with different TOS
> values.
>
> All SSL connections then arrive at the realservers with dport 80, but
> there I have nat/PREROUTING rules matching the TOS values, using -j
> REDIRECT --to-port 44X to internally let the connection flow to the right
> SSL port.
>
> This appears to work quite nicely in a prototype setup.
>
> My question would be: we run this on kernel 2.6.32 right now. That's a
> little bit ancient, and will eventually be upgraded. Was there anything
> changed in LVS kernel code since then that would make this TOS/DSCP
> marking scheme fail?

It should be safe to change TOS; IPVS does not use it.

Regards

--
Julian Anastasov <ja@ssi.bg>
