Re: [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed
Julian Anastasov wrote:
> If icmp_send is changed to use inet_addr_type() then ICMP will leave with saddr != VIP and that is not nice.
>
> ...
>
>> I'm not familiar with the IPVS terms, but as far as I understand, it is _not_ going to return RTN_LOCAL, so we get the desired behaviour of selecting a local address as source.
>
> But what is preferred is to use VIP in ICMP.
>
> ip route add local VIP dev lo table user_defined
>
> returns RTCF_LOCAL but inet_addr_type() does not return RTN_LOCAL, we fix one thing but break another :)

Well, I have promised you to give some feedback after I test the patch proposed by Patrick, but after Julian's post I can only confirm that it works exactly as Julian said, which is not what I would expect.

Julian, thank you for your detailed explanation of the issue, I have nothing more to add.

Janusz

-
To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed
Simon Horman wrote:
> On Mon, May 14, 2007 at 07:41:48PM +0200, Patrick McHardy wrote:
>> So you're adding a local route for non-local destination and the address selection in icmp_send() uses the original destination address as source because the route has RTCF_LOCAL set, resulting in an error in ip_route_output_slow().
>
> I'm not entirely sure that "adding a local route" is the right terminology, but then again, perhaps I'm misunderstanding exactly what that means.

What I do exactly is:

ip rule add prio 1000 fwmark $IF_MARK_LVS lookup lvs
ip route replace table lvs local default dev lo

> My understanding of the problem is that IPVS likes to send icmp to notify end-users when real-servers are down.

Yes, there is one such place in IPVS code too, inside ip_vs_leave(), used for notifying clients on service overload.

> The source ip of such icmp is the VIP, that is the IP address associated with the virtual service. However, it is quite valid for this VIP not to be configured on the machine that is running IPVS. Thus the machine in question wants to send icmp packets with a non-local source address.
>
> http://archive.linuxvirtualserver.org/html/lvs-users/2007-01/msg00109.html
>
>> If that's correct then this patch should also work, it changes icmp_send() to check if the original destination address is non-local when deciding whether to pick a new address (and reverts the routing changes).
>
> I think that your patch looks good, assuming that inet_addr_type(VIP) is going to return RTN_LOCAL (except in the unlikely case that VIP is multicast or something silly like that).

For now, I have no place other than my production firewall cluster to verify this patch. I will do it as soon as possible and give you some feedback.

> However, I wonder if for efficiency or safety reasons it might be better for IPVS to pass some sort of OK_ITS_SUPPSED_TO_BE_NON_LOCAL flag into ip_route().

Do you mean packets that are passed through ip_vs_in()?

If not, please remember that current IPVS code does not send any ICMP port unreachable messages except for this rare overload case. I still have no idea how to solve the more common problem of notifying clients on a dead real server inside the IPVS code itself, to avoid my complicated tricks of marking based on connection tracking.

On the other hand, I have to state that even if I can now send notifications to clients using my method, this does not solve my real problem of broken ipsec connections going through the LVS director. Openswan clients I use do not care about ICMP port unreachable messages and insist on using connections that are invalid due to a switched real server.

So maybe we should first verify if there are any real cases when notifying udp clients with ICMP port unreachable may be really useful and then decide if we do need this functionality.

Janusz

P.S. Simon, sorry for the duplicated message.
Re: [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed
David Miller wrote:
> From: Patrick McHardy [EMAIL PROTECTED]
> Date: Mon, 14 May 2007 12:21:34 +0200
>
>> This allows any user to send spoofed packets when ip_nonlocal_bind is set, which is a quite big change in behaviour of this option. The TPROXY patches include a similar change, but use a flag in struct flowi that requires CAP_NET_ADMIN to be set, which seems like a better idea. Alternatively you could just use input routing for non-local source addresses like ip_route_me_harder does.
>
> Good point.
>
>> BTW, there doesn't even seem to be a spot where IPVS calls ip_route_output with the source address set. What exactly is this needed for?
>
> I suppose he has a patch to make use of it, but was waiting for this route.c change to go in first.

If you mean me, the answer is no, I do not have any patch making use of the change in question. What I have is rather a complicated method of notifying udp clients on communication problems before they are redirected to a new real server. My method needs some IPVS related patches, but ICMP port unreachable messages are not generated inside IPVS code, they are just sent, with help of the patch in question, from udp_input() or netfilter REJECT. It was my first intention to patch IPVS to send these messages, but I found no simple way to implement this in the current IPVS code.

Janusz
Re: [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed
Patrick McHardy wrote:
> Janusz Krzysztofik wrote:
>> ... ICMP port unreachable messages are not generated inside IPVS code, they are just sent, with help of the patch in question, from udp_input() or netfilter REJECT.
>
> Both use icmp_send(), which should always pick a local source, so I don't understand why this change was needed. Could you describe the specific case when the packet generated by icmp_send() does not have a local source?

Yes, it happens when a packet with a non-local destination IP address is routed locally in order to reach ip_vs_in(), but is not caught there because of no associated connection and no matching service, so it is passed through and ends up in udp_input(). Then, inside udp_input(), icmp_send() is invoked with the original non-local destination IP as source address.

Again, all this is my own method, using special packet marking, of notifying clients of dead real servers, that is not possible with pure LVS methods. More details can be found several paragraphs below the http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-NAT.html#F5_snat header.

Janusz
Re: [PATCH] LVS: Send ICMP unreachable responses to end-users when real-servers are removed
David Miller wrote:
>> this is a small patch by Janusz Krzysztofik to ip_route_output_slow() that allows VIP-less LVS linux director to generate packets originating from VIP if sysctl_ip_nonlocal_bind is set.
>
> Applied to net-2.6.22, thanks Simon.

Thank you,
Janusz