2011/3/4 Julian Anastasov <[email protected]>:
> I now remember that IP_VS_DBG_PKT uses these
> new pr_debug macros, so you can enable the debugging by
> adding
> #define DEBUG
> as first line in net/netfilter/ipvs/ip_vs_proto.c
> then recompile and we can see how the packets look.
> We must be sure that the right traffic reaches LOCAL_OUT.

Hi,

Since I rebooted srv2 (which was OK), the SNAT rule doesn't work any more!
I'm going to try the same with srv1 (which was KO), perhaps it's its turn to SNAT now?

First, I added some traces to iptables:

iptables -t nat -I PREROUTING -p tcp -m tcp --dport 389 -j LOG --log-prefix "nat/PREROUTING : "
iptables -t nat -I POSTROUTING -m ipvs --vaddr 10.1.1.254 -j LOG --log-prefix "ipvs/POSTROUTING : "
iptables -t nat -I POSTROUTING -p tcp -m tcp --dport 389 -j LOG --log-prefix "nat/POSTROUTING : "
iptables -t nat -I INPUT -p tcp -m tcp --dport 389 -j LOG --log-prefix "nat/INPUT : "
iptables -t nat -I OUTPUT -p tcp -m tcp --dport 389 -j LOG --log-prefix "nat/OUTPUT : "
iptables -I INPUT -p tcp -m tcp --dport 389 -j LOG --log-prefix "filter/INPUT : "
iptables -I FORWARD -p tcp -m tcp --dport 389 -j LOG --log-prefix "filter/FORWARD : "
iptables -I OUTPUT -p tcp -m tcp --dport 389 -j LOG --log-prefix "filter/OUTPUT : "

Then generate some kernel traces with an ldapsearch request from the client:

echo 99 > /proc/sys/net/ipv4/vs/debug_level
...
Mar 7 15:13:12 srv2 kernel: nat/PREROUTING : IN=virbr1 OUT= MAC=fe:54:10:01:01:01:52:54:10:01:01:31:08:00 SRC=10.1.1.31 DST=10.1.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26700 DF PROTO=TCP SPT=43100 DPT=389 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 7 15:13:12 srv2 kernel: filter/INPUT : IN=virbr1 OUT= MAC=fe:54:10:01:01:01:52:54:10:01:01:31:08:00 SRC=10.1.1.31 DST=10.1.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26700 DF PROTO=TCP SPT=43100 DPT=389 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 7 15:13:12 srv2 kernel: nat/INPUT : IN=virbr1 OUT= MAC=fe:54:10:01:01:01:52:54:10:01:01:31:08:00 SRC=10.1.1.31 DST=10.1.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26700 DF PROTO=TCP SPT=43100 DPT=389 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 7 15:13:12 srv2 kernel: IPVS: lookup/in TCP 10.1.1.31:43100->10.1.1.254:389 not hit
Mar 7 15:13:12 srv2 kernel: IPVS: lookup/out TCP 10.1.1.31:43100->10.1.1.254:389 not hit
Mar 7 15:13:12 srv2 kernel: IPVS: lookup service: fwm 0 TCP 10.1.1.254:389 hit
Mar 7 15:13:12 srv2 kernel: IPVS: ip_vs_wlc_schedule(): Scheduling...
Mar 7 15:13:12 srv2 kernel: IPVS: WLC: server 10.1.12.11:389 activeconns 0 refcnt 1 weight 100 overhead 0
Mar 7 15:13:12 srv2 kernel: IPVS: Bind-dest TCP c:10.1.1.31:43100 v:10.1.1.254:389 d:10.1.12.11:389 fwd:M s:0 conn->flags:100 conn->refcnt:1 dest->refcnt:2
Mar 7 15:13:12 srv2 kernel: IPVS: Schedule fwd:M c:10.1.1.31:43100 v:10.1.1.254:389 d:10.1.12.11:389 conn->flags:140 conn->refcnt:2
Mar 7 15:13:12 srv2 kernel: IPVS: Incoming packet: TCP 10.1.1.31:43100->10.1.1.254:389
Mar 7 15:13:12 srv2 kernel: IPVS: TCP input [S...] 10.1.12.11:389->10.1.1.31:43100 state: NONE->SYN_RECV conn->refcnt:2
Mar 7 15:13:12 srv2 kernel: IPVS: Enter: ip_vs_nat_xmit, net/netfilter/ipvs/ip_vs_xmit.c line 394
Mar 7 15:13:12 srv2 kernel: IPVS: After DNAT: TCP 10.1.1.31:43100->10.1.12.11:389
Mar 7 15:13:12 srv2 kernel: filter/OUTPUT : IN= OUT=tun12 SRC=10.1.1.31 DST=10.1.12.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26700 DF PROTO=TCP SPT=43100 DPT=389 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 7 15:13:12 srv2 kernel: IPVS: Leave: ip_vs_nat_xmit, net/netfilter/ipvs/ip_vs_xmit.c line 448
...

So, iptables is traversed by packets but POSTROUTING seems to be skipped...
What shall I do to make the iptables SNAT "always" reached?!

Thx for any suggestion.

-- 
Ivan
Listen http://youkounkoun-radio.com !
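
Added example (not part of the original message): a small log parser that follows one packet through the `--log-prefix` markers used above and reports which hooks never logged it. The `EXPECTED` list, the function names and the shortened sample lines are assumptions made for this illustration.

```python
import re

# Assumption: the LOG prefixes the poster expects a client SYN to hit once
# IPVS has scheduled it (order is not checked, only presence).
EXPECTED = ["nat/PREROUTING", "filter/INPUT", "nat/INPUT",
            "filter/OUTPUT", "nat/POSTROUTING", "ipvs/POSTROUTING"]

# Constructed sample: LOG lines from the post, cut down to the fields parsed
# here, plus one IPVS debug line to show that non-LOG lines are ignored.
SAMPLE = """\
Mar 7 15:13:12 srv2 kernel: nat/PREROUTING : IN=virbr1 OUT= SRC=10.1.1.31 DST=10.1.1.254 LEN=60 TTL=64 ID=26700 DF PROTO=TCP SPT=43100 DPT=389 SYN
Mar 7 15:13:12 srv2 kernel: filter/INPUT : IN=virbr1 OUT= SRC=10.1.1.31 DST=10.1.1.254 LEN=60 TTL=64 ID=26700 DF PROTO=TCP SPT=43100 DPT=389 SYN
Mar 7 15:13:12 srv2 kernel: nat/INPUT : IN=virbr1 OUT= SRC=10.1.1.31 DST=10.1.1.254 LEN=60 TTL=64 ID=26700 DF PROTO=TCP SPT=43100 DPT=389 SYN
Mar 7 15:13:12 srv2 kernel: IPVS: After DNAT: TCP 10.1.1.31:43100->10.1.12.11:389
Mar 7 15:13:12 srv2 kernel: filter/OUTPUT : IN= OUT=tun12 SRC=10.1.1.31 DST=10.1.12.11 LEN=60 TTL=64 ID=26700 DF PROTO=TCP SPT=43100 DPT=389 SYN
"""

LOG_RE = re.compile(
    r"kernel: (?P<hook>[\w/]+) : IN=\S* OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?\bID=(?P<id>\d+) .*?"
    r"SPT=(?P<spt>\d+) DPT=\d+")


def trace_packets(log_text):
    """Return {(src, sport, ip_id): [(prefix, dst, out_if), ...]} in log order.

    DST is not part of the key because IPVS DNAT rewrites it mid-path;
    source address, source port and IP ID stay constant for one packet.
    """
    packets = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            key = (m["src"], int(m["spt"]), int(m["id"]))
            packets.setdefault(key, []).append((m["hook"], m["dst"], m["out"]))
    return packets


def missing_hooks(log_text, expected=EXPECTED):
    """For each packet, list the expected LOG prefixes that never fired."""
    return {key: [h for h in expected if h not in {p for p, _, _ in path}]
            for key, path in trace_packets(log_text).items()}


if __name__ == "__main__":
    for key, path in trace_packets(SAMPLE).items():
        print(key, " -> ".join(f"{p}[dst={d}]" for p, d, _ in path))
    print("missing:", missing_hooks(SAMPLE))
```

Run against the full kernel log, the same functions show per packet whether the destination was rewritten by IPVS before `filter/OUTPUT` and whether either POSTROUTING rule ever matched.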
