* Load Balancers and conn_track
@ 2005-04-13 11:47 Mohamed Eldesoky
  2005-04-13 23:59 ` Taylor Grant
  0 siblings, 1 reply; 2+ messages in thread
From: Mohamed Eldesoky @ 2005-04-13 11:47 UTC (permalink / raw)
  To: netfilter

If I have two servers (say web servers) located behind a layer4
switch, that act as a load balancer.
server1 and server2 have the IPs (say) 1.2.3.4 & 1.2.3.5
and the load balancer is  1.2.3.6
Of course the DNS of the sites will point to 1.2.3.6 and clients from
outside will see this.
Now, will conntrack understand that the replies from 1.2.3.4 are
really established connections that were destined for 1.2.3.6 ??

If not, any tips?


-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE



* Re: Load Balancers and conn_track
  2005-04-13 11:47 Load Balancers and conn_track Mohamed Eldesoky
@ 2005-04-13 23:59 ` Taylor Grant
  0 siblings, 0 replies; 2+ messages in thread
From: Taylor Grant @ 2005-04-13 23:59 UTC (permalink / raw)
  To: Mohamed Eldesoky; +Cc: netfilter

> If I have two servers (say web servers) located behind a layer4
> switch, that act as a load balancer.
> server1 and server2 have the IPs (say) 1.2.3.4 & 1.2.3.5
> and the load balancer is  1.2.3.6
> Of course the DNS of the sites will point to 1.2.3.6 and clients from
> outside will see this.
> Now, will conntrack understand that the replies from 1.2.3.4 are
> really established connections that were destined for 1.2.3.6 ??

On which system (1.2.3.4, 1.2.3.5, or 1.2.3.6) are you asking if conntrack will see the replies as ESTABLISHED?  I'm personally not familiar with load balancers at all.  When the traffic comes in to 1.2.3.4 or 1.2.3.5 do they see the destination as 1.2.3.6 or do they see the destination as themselves, 1.2.3.4 / 1.2.3.5 respectively?  Does the load balancer do any DNATing or SNATing of traffic?  I would be tempted to say that your servers 1.2.3.4 and 1.2.3.5 should only worry about traffic coming in to themselves and make sure that the load balancer is sending packets to the various servers statefully.

Or, are you asking what will conntrack on a firewall that is SNATing at a client's location sending data to 1.2.3.6 think when packets come back from something other than 1.2.3.6?  If this is the case I think this could break a LOT of things.  In that case conntrack will not recognize the traffic as ESTABLISHED b/c the source IP will be different than the destination IP that the traffic was going out to.

See if you can't explain your scenario a little bit better and I'll see if I can't help you any more then.



Grant. . . .


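The following is an added example, not code from either message in the thread. It is a toy model of how conntrack keys a connection on its original-direction tuple and the expected reply tuple, which is the mechanism behind Grant's two cases: a reply that arrives from 1.2.3.4 when the entry only expects 1.2.3.6 matches nothing (and cannot be de-SNATed at a client-side firewall), whereas a box that DNATs 1.2.3.6 to 1.2.3.4 itself records the translated address in the reply tuple and matches the reply as ESTABLISHED. The client address, ports and the `ConntrackTable` API are assumptions made for the illustration; the addresses 1.2.3.4 and 1.2.3.6 are the ones from the thread.

```python
"""Toy model of netfilter conntrack tuple matching (constructed illustration).

Each tracked connection is indexed under two keys: the original-direction
5-tuple and the expected reply tuple.  A packet is ESTABLISHED only if it
matches an entry that has seen a reply; an unmatched non-SYN packet is
INVALID.  This is a simplification of the real state machine.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# (src_ip, src_port, dst_ip, dst_port, proto)
Tuple5 = Tuple[str, int, str, int, str]

CLIENT = "203.0.113.10"   # constructed client address (documentation range)
VIP = "1.2.3.6"           # load balancer address from the thread
REAL1 = "1.2.3.4"         # one real server from the thread


@dataclass
class Conn:
    orig: Tuple5
    reply: Tuple5
    seen_reply: bool = False
    packets: int = 0


class ConntrackTable:
    """Minimal stand-in for the kernel's conntrack hash (assumed API)."""

    def __init__(self) -> None:
        self._by_tuple: Dict[Tuple5, Conn] = {}

    @staticmethod
    def expected_reply(pkt: Tuple5, dnat_to: Optional[str]) -> Tuple5:
        src, sport, dst, dport, proto = pkt
        # The reply is expected from the address the packet was actually
        # delivered to.  If this box DNATs the packet, that is the translated
        # address; otherwise it is whatever the client put in the header.
        return (dnat_to or dst, dport, src, sport, proto)

    def handle(self, pkt: Tuple5, syn: bool, dnat_to: Optional[str] = None) -> str:
        conn = self._by_tuple.get(pkt)
        if conn is not None:
            conn.packets += 1
            if pkt == conn.reply:
                conn.seen_reply = True
            # Original-direction packets stay NEW until a reply has been seen.
            return "ESTABLISHED" if conn.seen_reply else "NEW"
        if not syn:
            # No entry and not a connection opener, e.g. a SYN-ACK from an
            # address this box never sent a SYN to: nothing to tie it to.
            return "INVALID"
        conn = Conn(orig=pkt, reply=self.expected_reply(pkt, dnat_to), packets=1)
        self._by_tuple[conn.orig] = conn
        self._by_tuple[conn.reply] = conn
        return "NEW"

    def entries(self) -> int:
        return len({id(c) for c in self._by_tuple.values()})


def scenario_reply_from_real_server() -> str:
    """Firewall in front of the client: it only ever saw the VIP, so a reply
    sourced directly from the real server matches no entry."""
    ct = ConntrackTable()
    ct.handle((CLIENT, 40000, VIP, 80, "tcp"), syn=True)
    return ct.handle((REAL1, 80, CLIENT, 40000, "tcp"), syn=False)


def scenario_balancer_with_dnat() -> str:
    """The load balancer itself DNATs VIP -> real server and records the
    translated address in the reply tuple, so the reply is matched."""
    ct = ConntrackTable()
    ct.handle((CLIENT, 40000, VIP, 80, "tcp"), syn=True, dnat_to=REAL1)
    return ct.handle((REAL1, 80, CLIENT, 40000, "tcp"), syn=False)


if __name__ == "__main__":
    print("reply from 1.2.3.4, no DNAT on this box:", scenario_reply_from_real_server())
    print("reply from 1.2.3.4, DNAT recorded here: ", scenario_balancer_with_dnat())
```

The practical reading for the original question: conntrack on a given host can only recognise the reply if that same host performed (or was told about) the translation from 1.2.3.6 to 1.2.3.4. A stateful firewall elsewhere on the path, or one on the client side, sees an unrelated packet and will drop it under a typical `ESTABLISHED,RELATED` accept rule.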
