Yo! The basic premise was that it would be helpful to have an iptables match to identify IPVS connections without exporting them to conntrack. It would allow doing firewalling on the LVS machine in a consistent manner.
At first I had trouble getting the conntrack entries to roughly match the ipvs connection table entries, which involved tuning netfilter timers quite a bit.

Now, a few days ago one of our LVS servers crashed and the failover took over as it should. However, since the LVS servers were also stateful firewalls using Julian's nfct patches, a problem occurred. The sync daemons had synced the ipvs connection tables just fine, but even though exporting to conntrack had been enabled, the conntrack entries didn't appear on the failover machine. Thus, the firewall stopped all connections (as they weren't ESTABLISHED). Maybe it has something to do with the synced connections not being considered "active", as described by David Black a week ago? Or maybe it's just a side effect of the sync daemon only syncing where it absolutely needs to (to optimize the amount of traffic).

Whatever the case, I did what seems right and wrote the iptables match for IPVS connections. It's very basic (meant for use in the FORWARD chain for outgoing packets), but if anyone needs it, it's available at: http://p6drad-teel.net/~windo/release/pom-ipvs_match.tar.gz

I tried to stick it into patch-o-matic format. It's been smoke-tested and seems to work. I'd be grateful for any comments/improvements.

Siim

_______________________________________________
LinuxVirtualServer.org mailing list - http://lists.graemef.net/mailman/listinfo/lvs-users
