From: Julian Anastasov <ja@ssi.bg>
To: lartc@vger.kernel.org
Subject: RE: [LARTC] RTNETLINK answers: File exists
Date: Mon, 26 Nov 2001 19:18:02 +0000
Message-ID: <marc-lartc-100680197130472@msgid-missing>
In-Reply-To: <marc-lartc-100679899116747@msgid-missing>


	Hello,

On Mon, 26 Nov 2001, Greg Scott wrote:

> Maybe this also applies to the problem I have been fighting for the last
> several weeks.  I have a VPN situation that requires a Linux router/firewall
> to route packets back out the same interface on which they came in.

	You need symmetric routes and rp_filter is one of the
solutions. If the problem involves tunnels then rp_filter can cause
problems in some situations.

> Julian, I saw this quote in the website you mentioned:
>
> By default, the Linux kernels drop packets with local source address from
> the forward path as "source martians". This is not controlled from the
> rp_filter flags. The following patches try to relax this rule and to allow
> the LVS director to be used as (default) gateway from real servers that send
> packets with VIP source, i.e. when the same IP is configured on the LVS
> director.
>
>
> What does this mean?  Is this quote telling me that Linux kernels drop
> packets when their routes to the next hop go out the same interface on which
> they came in?

	No, this is a situation where the clusters have hosts that have
the same (shared) IP configured. The internal hosts have an IP that is also
configured on their gateway. The patch(es) you mention try to relax the
strict rule in the kernel not to allow packets with saddr=local_ip to be
considered at all (forwarded or delivered locally). We still drop packets
that are locally destined and contain a local IP in saddr, but we allow
such evil packets to be forwarded (forward_shared flag). In short,
this is a setup where the LVS director is a gateway for the Direct-Route
method (you have to read our docs), something similar to a NAT topology
but without NAT processing, possible only for specific kinds of packets,
i.e. when the port allocation is not a problem (virtual servers).

	But you have to explain your problem in more detail or
maybe show me some URLs if it is explained somewhere.

> thanks
>
> - Greg Scott

Regards

--
Julian Anastasov <ja@ssi.bg>


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
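
Added example, not part of the message above or of the LVS patches: a small audit of the rp_filter and log_martians sysctls that flags tunnel interfaces running strict reverse-path filtering, the case the reply warns about. Assumptions: the sample sysctl output is constructed, tunnel interfaces are guessed from name prefixes, and the "max of all and interface" rule is the one documented for current kernels (kernels of this thread's era may combine the two values differently). The local-source "martian" check discussed in the reply is separate and is not reported here.

```python
import re

# Constructed sample of `sysctl -a` output; not taken from the thread.
SAMPLE = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.tun0.rp_filter = 1
net.ipv4.conf.gre1.rp_filter = 2
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.tun0.log_martians = 1
"""

MODES = {0: "off", 1: "strict", 2: "loose"}
# Heuristic (assumption): name prefixes that usually indicate a tunnel device.
TUNNEL_PREFIXES = ("tun", "tap", "gre", "ipsec", "sit", "tunl", "ppp", "wg")
LINE = re.compile(
    r"^net\.ipv4\.conf\.([^.\s]+)\.(rp_filter|log_martians)\s*=\s*(\d+)\s*$")

def parse(text):
    """Return {iface: {"rp_filter": int, "log_martians": int}}."""
    conf = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            conf.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    return conf

def audit(text):
    """Compute the effective settings per real interface."""
    conf = parse(text)
    glob = conf.get("all", {})
    report = {}
    for iface, vals in conf.items():
        if iface in ("all", "default"):
            continue
        # Current kernels: rp_filter uses max(all, iface); martians are
        # logged if either all or the interface enables log_martians.
        rp = max(glob.get("rp_filter", 0), vals.get("rp_filter", 0))
        logged = bool(glob.get("log_martians", 0) or vals.get("log_martians", 0))
        report[iface] = {
            "mode": MODES.get(rp, "unknown"),
            "log_martians": logged,
            # Strict reverse-path filtering on a tunnel deserves a look.
            "review": iface.startswith(TUNNEL_PREFIXES) and rp == 1,
        }
    return report

if __name__ == "__main__":
    for iface, result in sorted(audit(SAMPLE).items()):
        print(iface, result)
```

To audit a live host, pass the output of `sysctl -a` to `audit()` in place of `SAMPLE`.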
