From: Wensong Zhang <wensong@linux-vs.org>
To: home_king <home_king@163.com>
Cc: Horms <horms@verge.net.au>,
netdev@vger.kernel.org, David Miller <davem@davemloft.net>,
Julian Anastasov <ja@ssi.bg>, Joseph Mack NA3T <jmack@wm7d.net>
Subject: Re: [PATCH] [IPVS] transparent proxying
Date: Fri, 01 Dec 2006 23:41:37 +0800
Message-ID: <45704D31.4070206@linux-vs.org>
In-Reply-To: <456E389E.7090809@163.com>
Hi Jinhua,
home_king wrote:
> hi, Wensong. Thanks for your appraisal.
>
> > I see that this patch probably makes IPVS code a bit complicated and
> > packet traversing less efficiently.
>
> In my opinion, worry about the side-effect to the packet throughput is
> not necessary. First, normal packets with mark rarely appear in the
> NF_IP_FORWARD chain, while people mark packets aiming at the network
> administration job usually on the NF_IP_LOCAL_IN or NF_IP_OUTPUT chain.
> Second, the new hook fn is called after the ipvs SNAT hook fn, and it
> passes the packets handled by the latter hook fn by simply checking the
> ipvs_property flag, so it would not disturb the SNAT job. Third, the new
> hook fn is just a thin wrapper of ip_vs_in(), so now that all packets
> which go through NF_IP_LOCAL_IN will be entirely checked up by
> ip_vs_in(), no matter whether they are virtual-server related or not,
> why should we mind that a comparatively small quantity of packets which
> go through NF_IP_FORWARD will be checked too?
>
I see that every firewall-marked packet will be checked by ip_vs_in(),
no matter whether the packet is related to IPVS or not. It's a bit less
efficient.
> > If I remember correctly, policy-based routing can work with IPVS in
> > kernel 2.2 and 2.4 for transparent cache cluster for a long time. It
> > should work in kernel 2.6 too.
>
> Indeed, policy route can help too, but the patch provides a native
> manner to deploy transparent proxy, and meanwhile, this manner will not
> break the backbone networking context, such as policy routing setting,
> iptables rules, etc.
I am afraid that the method used in the patch is not native, it breaks
on IP fragments.

IPVS is a kind of layer-4 switching, it routes packets by checking
layer-4 information such as address and port number. ip_vs_in() is
hooked at NF_IP_LOCAL_IN, so that all the packets received by ip_vs_in()
are already defragmented. On the NF_IP_FORWARD hook, there may be some
IP fragments, and ip_vs_in() cannot handle those IP fragments.

I think that it's probably better to let each part do its own thing in
the design.
Cheers,
Wensong
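An added illustration of the fragment point above (my own example, not code from the patch or from the IPVS tree): the precondition ip_vs_in() silently relies on at NF_IP_LOCAL_IN, namely that it is handed whole datagrams, written out as the check a NF_IP_FORWARD hook would have to perform before any address-plus-port decision. The packet bytes are constructed for the example.

```c
/* Added example (not the patch's or IPVS's own code). A layer-4
 * decision (address + port) is only meaningful on a non-fragmented
 * IPv4 packet: a later fragment carries no transport header, and a
 * first fragment with MF set is not the datagram ip_vs_in() expects.
 * Plain user-space C over constructed byte strings, no kernel headers. */
#include <stddef.h>
#include <stdint.h>

#define IP_MF     0x2000u  /* "more fragments" flag */
#define IP_OFFSET 0x1fffu  /* fragment offset, in 8-byte units */

enum l4_verdict { L4_OK = 0, L4_TRUNCATED, L4_FRAGMENT, L4_UNSUPPORTED };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Can a layer-4 decision be taken on this packet at all? */
enum l4_verdict classify(const uint8_t *pkt, size_t len)
{
    if (len < 20) return L4_TRUNCATED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if ((pkt[0] >> 4) != 4 || ihl < 20 || len < ihl) return L4_TRUNCATED;
    /* Refuse every fragment: the hook at NF_IP_FORWARD sees them
     * undefragmented, unlike the NF_IP_LOCAL_IN path ip_vs_in() uses. */
    if (be16(pkt + 6) & (IP_MF | IP_OFFSET)) return L4_FRAGMENT;
    if (pkt[9] != 6 && pkt[9] != 17) return L4_UNSUPPORTED; /* TCP/UDP only */
    return len >= ihl + 4 ? L4_OK : L4_TRUNCATED; /* ports = first 4 bytes */
}

/* Destination port, or 0 when classify() refuses the packet. */
uint16_t dport_of(const uint8_t *pkt, size_t len)
{
    if (classify(pkt, len) != L4_OK) return 0;
    return be16(pkt + (size_t)(pkt[0] & 0x0f) * 4 + 2);
}

/* Constructed samples: 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2, TCP,
 * zero checksum) followed by the 4 bytes a naive hook would read as
 * source/destination port. Only the fragment field (bytes 6-7) differs. */
const uint8_t pkt_whole[] = {      /* MF clear, offset 0: whole datagram */
    0x45,0x00,0x00,0x18, 0x1a,0x2b,0x00,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02, 0x9c,0x40,0x00,0x50 };
const uint8_t pkt_first_frag[] = { /* MF set, offset 0: header, but partial */
    0x45,0x00,0x00,0x18, 0x1a,0x2b,0x20,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02, 0x9c,0x40,0x00,0x50 };
const uint8_t pkt_tail_frag[] = {  /* offset 185: bytes 20-23 are payload */
    0x45,0x00,0x00,0x18, 0x1a,0x2b,0x00,0xb9, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02, 0xde,0xad,0x00,0x50 };
```

The tail fragment's payload happens to end in 0x0050, so a hook that read ports without the fragment check would believe it is looking at a connection to port 80.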