From: Julian Anastasov <ja@ssi.bg>
To: Julius Volz <juliusv@google.com>
Cc: Joseph Mack NA3T <jmack@wm7d.net>,
lvs-devel@vger.kernel.org, netdev@vger.kernel.org,
j.stubbs@linkthink.co.jp
Subject: Re: Adding SNAT support to LVS/NAT
Date: Tue, 16 Sep 2008 01:56:31 +0300 (EEST)
Message-ID: <Pine.LNX.4.58.0809160103160.3009@u.domain.uli>
In-Reply-To: <f4845fc0809140747u63f6ad63m43877bbbf09c4778@mail.gmail.com>
Hello,
On Sun, 14 Sep 2008, Julius Volz wrote:
> > Thanks for the info! Right, I even said myself in the previous reply
> > that ip_vs_postrouting() stops further processing in the POSTROUTING
> > chain, so it never reaches netfilter NAT code.
>
> Actually, what if we modify or remove that function to allow further
> processing in POSTROUTING? Could SNAT work with IPVS then?
>
> The comment above it says that the function specifically wants to
> avoid further NAT by netfilter. But is this always a problem?
This check (now the flag ipvs_property) was implemented to prevent
netfilter from modifying a packet which was already changed by IPVS.
What happened was that FTP commands (TCP header and payload) were
modified first by ip_vs_ftp and then by netfilter. The result:
a packet with a wrong SEQ number. Later, after some Netfilter
changes (2.6.11), the TCP payload was always modified in POST_ROUTING
while the address can be modified in PRE_ROUTING. Not sure what happens
now; the Netfilter code was reorganized and new code review and tests
are needed. Maybe such double manipulation (if ipvs_property is
not set) can still cause problems.
Regards
--
Julian Anastasov <ja@ssi.bg>