
[lvs-users] Reroute SYN packet when it could not be delivered to the backend
Hi,

I have a special use case for the Direct Routing (DR) mode.
Is there a possibility to reroute SYN packets, when they can not be
delivered to the backend? It could be easily detected by several SYN
packets being sent.

Here is how you can reproduce this situation:
1) configure ipvs with direct routing for two backends
2) run "while true; do curl vip; sleep 0.1; done" on some remote client
3) run tcpdump on the ipvs host
4) create a DROP iptables rule for the 80th port on the second backend
5) monitor multiple identical SYN requests on the ipvs host
6) monitor multiple identical SYN requests on the ipvs host, even when
you remove the failed backend

My assumption was that ipvs should redirect SYN packets, since there
is no established connection yet. Did I miss something?

I'd appreciate any help.

Regards

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
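As an added example (not from the thread), here is a small Python script that does the detection kay describes: it groups pure SYNs in a tcpdump capture taken on the director by client and sequence number (a retransmitted SYN keeps the same seq), then correlates each retransmitting flow with the IPVS connection table from `ipvsadm -Lcn` to name the real server that is not answering. The tcpdump and ipvsadm lines are constructed samples; the addresses and the `suspect_real_servers` function are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed tcpdump output from the IPVS director (DR mode): the client's SYN and its
# retransmissions (same seq) hit the VIP; the real server's SYN-ACK bypasses the director.
TCPDUMP = """\
15:28:01.000000 IP 10.0.0.5.51234 > 10.0.0.100.80: Flags [S], seq 1000, win 29200, length 0
15:28:01.100000 IP 10.0.0.5.51235 > 10.0.0.100.80: Flags [S], seq 2000, win 29200, length 0
15:28:02.000000 IP 10.0.0.5.51234 > 10.0.0.100.80: Flags [S], seq 1000, win 29200, length 0
15:28:04.000000 IP 10.0.0.5.51234 > 10.0.0.100.80: Flags [S], seq 1000, win 29200, length 0
"""
# Constructed `ipvsadm -Lcn` output: IPVS keeps the SYN_RECV entry for the flow, so every
# retransmitted SYN is forwarded to the same (dead) destination.
IPVSADM = """\
IPVS connection entries
pro expire state       source             virtual            destination
TCP 00:59  SYN_RECV    10.0.0.5:51234     10.0.0.100:80      10.0.0.12:80
TCP 14:56  ESTABLISHED 10.0.0.5:51235     10.0.0.100:80      10.0.0.11:80
"""
SYN_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[S\], seq (\d+)")
CONN_RE = re.compile(r"^TCP\s+\S+\s+\S+\s+(\S+)\s+\S+\s+(\S+)\s*$")

def syn_retransmits(tcpdump_text):
    """Group pure SYNs by client, VIP and seq; a TCP stack retransmits a SYN with the
    same seq, so a group of two or more means the client never received a SYN-ACK."""
    seen = defaultdict(list)
    for line in tcpdump_text.splitlines():
        m = SYN_RE.match(line)
        if m:
            h, mi, s, src, sport, dst, dport, seq = m.groups()
            seen[(f"{src}:{sport}", f"{dst}:{dport}", seq)].append(int(h) * 3600 + int(mi) * 60 + float(s))
    return {k: v for k, v in seen.items() if len(v) >= 2}

def parse_ipvs_conns(ipvsadm_text):
    """Map each client flow (source column) to the real server (destination column)."""
    return {m.group(1): m.group(2) for m in map(CONN_RE.match, ipvsadm_text.splitlines()) if m}

def suspect_real_servers(tcpdump_text, ipvsadm_text):
    """Attribute retransmitted SYNs to real servers; report the retransmit count and the
    gaps between them (1s, 2s, 4s ... is the kernel's SYN backoff signature)."""
    flows = parse_ipvs_conns(ipvsadm_text)
    report = defaultdict(list)
    for (client, _vip, _seq), times in syn_retransmits(tcpdump_text).items():
        gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
        report[flows.get(client, "unknown")].append({"client": client, "retransmits": len(times) - 1, "gaps": gaps})
    return dict(report)

if __name__ == "__main__":
    print(suspect_real_servers(TCPDUMP, IPVSADM))
```

Feeding it a real `tcpdump -n -tt`-style capture and the live `ipvsadm -Lcn` table gives a health-check-independent view of which real server is silently dropping SYNs, which is exactly the gap a slow delay_loop leaves open.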
Re: [lvs-users] Reroute SYN packet when it could not be delivered to the backend
On 12 Apr 2018, at 15:28, kay <kay.diam@gmail.com> wrote:
> I have a special use case for the Direct Routing (DR) mode.
> Is there a possibility to reroute SYN packets, when they can not be
> delivered to the backend? It could be easily detected by several SYN
> packets being sent.

Firstly, please subscribe to the list so your messages don’t get held for moderation.

To answer your question: you need an extra application to do this. There are several, but I’d suggest you look at keepalived as a first option.

There was much discussion many years ago (20 or so) about putting realserver/backend monitoring into IPVS, but it was felt at the time that this wasn’t a kernel function and should be handled by a userspace application. That still applies today.

Graeme
[lvs-users] Reroute SYN packet when it could not be delivered to the backend
Hi,

I have a special use case for the Direct Routing (DR) mode.
Is there a possibility to reroute SYN packets, when they can not be
delivered to the backend? It could be easily detected by several SYN
packets being sent.

Here is how you can reproduce this situation:
1) configure ipvs with direct routing for two backends
2) run "while true; do curl vip; sleep 0.1; done" on some remote client
3) run tcpdump on the ipvs host
4) create a DROP iptables rule for the 80th port on the second backend
5) monitor multiple identical SYN requests on the ipvs host
6) monitor multiple identical SYN requests on the ipvs host, even when
you remove the failed backend

My assumption was that ipvs should redirect SYN packets, since there
is no established connection yet. Did I miss something?

I'd appreciate any help.

Regards

Re: [lvs-users] Reroute SYN packet when it could not be delivered to the backend
On 13 Apr 2018, at 10:45, kay <kay.diam@gmail.com> wrote:
> I have a special use case for the Direct Routing (DR) mode.
> Is there a possibility to reroute SYN packets, when they can not be
> delivered to the backend? It could be easily detected by several SYN
> packets being sent.

Repeating the earlier answer:

You need an extra application to do this. There are several, but I’d suggest you look at keepalived as a first option.

There was much discussion many years ago (20 or so) about putting realserver/backend monitoring into IPVS, but it was felt at the time that this wasn’t a kernel function and should be handled by a userspace application. That still applies today.

Graeme
Re: [lvs-users] Reroute SYN packet when it could not be delivered to the backend
Hi Graeme,

Actually, this issue occurred within Keepalived with a `per second` loop
delay_loop and a 1 second TCP verification check, but since it uses IPVS
under the hood, I sent the question to this mailing list.

What I found so far is the `secure_tcp` sysctl option:
http://www.linuxvirtualserver.org/docs/sysctl.html
I was hoping that it would help to reroute the SYN packet to a
different backend, but it doesn't happen.

Regards,

On Fri, Apr 13, 2018 at 1:34 PM, Graeme Fowler <graeme@graemef.net> wrote:
> On 13 Apr 2018, at 10:45, kay <kay.diam@gmail.com> wrote:
>> I have a special use case for the Direct Routing (DR) mode.
>> Is there a possibility to reroute SYN packets, when they can not be
>> delivered to the backend? It could be easily detected by several SYN
>> packets being sent.
>
> Repeating the earlier answer:
>
> You need an extra application to do this. There are several, but I’d suggest you look at keepalived as a first option.
>
> There was much discussion many years ago (20 or so) about putting realserver/backend monitoring into IPVS, but it was felt at the time that this wasn’t a kernel function and should be handled by a userspace application. That still applies today.
>
> Graeme
