* connlimit and LVS
       [not found] <f3204f9a04082400405a81100c@mail.gmail.com>
@ 2004-08-24 22:31 ` Stuart Clark
  2004-08-25 19:25   ` Jose Maria Lopez
From: Stuart Clark @ 2004-08-24 22:31 UTC (permalink / raw)
  To: netfilter

Hi there..

I have an LVS setup with two directors direct routing to 4 real
servers. I have been trying to use the 'connlimit' patch from
Netfilter patch-o-matic on the director to restrict the number of
concurrent connections coming into the VIP.  I have not been able to
get it working with the PREROUTING or FORWARD tables, and was
wondering if it is due to LVS that connlimit cannot seem to track
connections?

I have tried this on kernel 2.4.27/ipvs1.0.11 and kernel 2.6.7/ipvs1.2
using the patch-o-matic from CVS at www.netfilter-org.  I can see that
connections directed at the director IP are being detected with
connlimit, but connections passing through the VIP to the real servers
are not.

iptables -t nat -I PREROUTING -p tcp --syn --dport 25 -m connlimit \
    --connlimit-above 2 --connlimit-mask 24 -j LOG --log-level info \
    --log-prefix " 2+ SMTP connections "

Any ideas how this can be made to work on the directors?

Kind regards, Stuart.
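To make the semantics of the rule above concrete, here is an added model (not code from the thread or from the netfilter project) of the connlimit decision: the arriving SYN is counted together with the tracked connections from the same masked source block and the rule matches when the total is above the threshold. The connection table, addresses and the assumption that the arriving connection is itself counted are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Conn:
    """One tracked connection: source host, destination host, destination port."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def source_block(src: str, mask_bits: int) -> IPv4Network:
    """Collapse a source address to the block that --connlimit-mask groups it under."""
    return IPv4Network(f"{src}/{mask_bits}", strict=False)


def connlimit_matches(new: Conn, existing, above: int, mask_bits: int = 32) -> bool:
    """Model of '-m connlimit --connlimit-above <above> --connlimit-mask <mask_bits>'.

    Only connections that matched the rule's own selectors (here proto and dport)
    are ever tracked by that rule, so the count is scoped to them.  The arriving
    connection is counted as well (assumption about the module's counting).
    """
    block = source_block(new.src, mask_bits)
    count = 1  # the arriving connection itself
    for c in existing:
        if c.proto == new.proto and c.dport == new.dport and IPv4Address(c.src) in block:
            count += 1
    return count > above


# Constructed connection table: two SMTP sessions already open from hosts in 10.1.2.0/24.
TRACKED = [
    Conn("10.1.2.3", "192.0.2.10", 25),
    Conn("10.1.2.4", "192.0.2.10", 25),
    Conn("10.1.2.5", "192.0.2.10", 80),  # a web session: a different dport, not counted
]
NEW_SYN = Conn("10.1.2.9", "192.0.2.10", 25)


def demo() -> dict:
    """Same SYN judged under the posted rule (mask 24) and under a per-host mask (32)."""
    return {
        "mask24": connlimit_matches(NEW_SYN, TRACKED, above=2, mask_bits=24),
        "mask32": connlimit_matches(NEW_SYN, TRACKED, above=2, mask_bits=32),
    }


if __name__ == "__main__":
    print(demo())
```

With mask 24 the third host in the /24 trips the rule because its neighbours' sessions are pooled with it; with mask 32 the same SYN is the host's first connection and does not match.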



* Re: connlimit and LVS
  2004-08-24 22:31 ` connlimit and LVS Stuart Clark
@ 2004-08-25 19:25   ` Jose Maria Lopez
From: Jose Maria Lopez @ 2004-08-25 19:25 UTC (permalink / raw)
  To: netfilter@lists.netfilter.org

On Wed, 25 Aug 2004 at 00:31, Stuart Clark wrote:
> Hi there..
> 
> I have an LVS setup with two directors direct routing to 4 real
> servers. I have been trying to use the 'connlimit' patch from
> Netfilter patch-o-matic on the director to restrict the number of
> concurrent connections coming into the VIP.  I have not been able to
> get it working with the PREROUTING or FORWARD tables, and was
> wondering if it is due to LVS that connlimit cannot seem to track
> connections?
> 

Maybe the problem is that you are using direct routing, which is a
hack to redirect the traffic directly to the routers without passing
through the firewall. I don't really know which tables the traffic
passes through when using direct routing, it should be in the LVS
documentation.

Maybe you would have more luck using the iproute2 system to limit the
traffic using advanced routing or QOS.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"



