From: Jason Stubbs <jasonbstubbs@gmail.com>
To: Joseph Mack NA3T <jmack@wm7d.net>
Cc: LVS Devel <lvs-devel@vger.kernel.org>
Subject: Re: moving ipvs() to POST/PREROUTING
Date: Sat, 12 Apr 2008 00:15:41 +0900 [thread overview]
Message-ID: <200804120015.41545.jasonbstubbs@gmail.com> (raw)
In-Reply-To: <Pine.LNX.4.64.0804110729030.3476@wm7d.net>
On Friday 11 April 2008 23:38:30 JST, Joseph Mack NA3T wrote:
> On Fri, 11 Apr 2008, Jason Stubbs wrote:
> >>> Is there any problem with essentially hiding the real
> >>> servers from netfilter?
> >>
> >> I don't know what this means (I didn't know that netfilter
> >> knew about the realservers).
> >
> > I mean that it'd be nice for rules to go something like:
> > * Allow from external to VIP
> > * Allow anything established
> > * Drop everything else
> >
> > Depending on where LVS translations are placed in the netfilter path,
> > rules allowing traffic from external to RIPs may also be needed.
>
> I would hope people don't do this. RIPs should be private,
> for security reasons and to preserve the fiction that the
> LVS setup is one machine.
This is precisely why I chose the hooks that I did. My intention was for the
netfilter chains to only ever see the VIP, but packets with the RIP are going
through too after IP_VS_XMIT is called.
> The LVS'ed application running on the realserver might start a client
> process that needs to contact 0/0, but that can be nat'ed out, possibly
> through the VIP on the director, or maybe some other public IP available to
> the realserver. Is this what you want to do?
>
> see
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-DR.html#Pearthree
I didn't quite follow this. Are you referring to services such as FTP? Nothing
should have changed in this regard with my patch. The link did remind me that
I need to test the sync daemon with my patch though. :)
> I take it that you're working late at night on this :-)
Nope, I'm not that crazy. Just reading and responding to work emails from home
as per usual. ;)
--
Jason Stubbs
next prev parent reply other threads:[~2008-04-11 15:15 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-11 5:00 moving ipvs() to POST/PREROUTING Jason Stubbs
2008-04-11 12:37 ` Joseph Mack NA3T
2008-04-11 13:13 ` Jason Stubbs
2008-04-11 14:38 ` Joseph Mack NA3T
2008-04-11 15:15 ` Jason Stubbs [this message]
2008-04-11 16:14 ` Joseph Mack NA3T
2008-04-12 0:06 ` Jason Stubbs
2008-04-12 0:46 ` Joseph Mack NA3T
2008-04-12 9:07 ` Julian Anastasov
2008-04-12 12:59 ` Jason Stubbs
2008-04-14 11:04 ` Jason Stubbs
2008-04-14 23:16 ` Julian Anastasov
2008-04-15 7:17 ` Jason Stubbs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200804120015.41545.jasonbstubbs@gmail.com \
--to=jasonbstubbs@gmail.com \
--cc=jmack@wm7d.net \
--cc=lvs-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.