Mailing List Archive: Linux Virtual Server: Users

[lvs-users] [PATCH v2 0/4] IPVS full NAT support + netfilter 'ipvs' match support

 

 



heder at google

Sep 29, 2009, 5:35 AM

Post #1 of 4
[lvs-users] [PATCH v2 0/4] IPVS full NAT support + netfilter 'ipvs' match support

The following series implements full NAT support for IPVS. The
approach is via a minimal change to IPVS (make friends with
nf_conntrack) and adding a netfilter matcher, kernel- and user-space
part, i.e. xt_ipvs and libxt_ipvs.

Example usage:

% ipvsadm -A -t 192.168.100.30:80 -s rr
% ipvsadm -a -t 192.168.100.30:80 -r 192.168.10.20:80 -m
# ...

# Source NAT for VIP 192.168.100.30:80
% iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 \
> --vport 80 -j SNAT --to-source 192.168.10.10

or SNAT-ing only a specific real server:

% iptables -t nat -A POSTROUTING --dst 192.168.11.20 \
> -m ipvs --vaddr 192.168.100.30/32 -j SNAT --to-source 192.168.10.10


First of all, thanks for all the feedback. This is the changelog for v2:

- Make ip_vs_ftp work again. Setup nf_conntrack expectations for
related data connections (based on Julian's patch see
http://www.ssi.bg/~ja/nfct/) and let nf_conntrack/nf_nat do the
packet mangling and the TCP sequence adjusting.

This change raises the question of how to deal with ip_vs_sync. Does it
work together with conntrackd? Wild idea: what about getting rid of
ip_vs_sync, piggybacking it all on nf_conntrack and using conntrackd?

Any comments on this?

- xt_ipvs: add new rule '--vportctl port' to match the VIP port of the
controlling connection, e.g. port 21 for FTP. Can be used to match
a related data connection for FTP:

# SNAT FTP control connection
% iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 \
> --vport 21 -j SNAT --to-source 192.168.10.10

# SNAT FTP passive data connection
% iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 \
> --vportctl 21 -j SNAT --to-source 192.168.10.10

- xt_ipvs: use 'par->family' instead of 'skb->protocol'

- xt_ipvs: add ipvs_mt_check and restrict to NFPROTO_IPV4 and NFPROTO_IPV6

- Call nf_conntrack_alter_reply(), so helper lookup is performed based
on the changed tuple.

Changes to the linux kernel (rebased to next-20090925):

Hannes Eder (3):
netfilter: xt_ipvs (netfilter matcher for IPVS)
IPVS: make friends with nf_conntrack
IPVS: make FTP work with full NAT support


include/linux/netfilter/xt_ipvs.h | 25 +++++
include/net/ip_vs.h | 2
net/netfilter/Kconfig | 9 ++
net/netfilter/Makefile | 1
net/netfilter/ipvs/Kconfig | 4 -
net/netfilter/ipvs/ip_vs_app.c | 43 ---------
net/netfilter/ipvs/ip_vs_core.c | 37 -------
net/netfilter/ipvs/ip_vs_ftp.c | 178 ++++++++++++++++++++++++++++++++---
net/netfilter/ipvs/ip_vs_proto.c | 1
net/netfilter/ipvs/ip_vs_xmit.c | 30 ++++++
net/netfilter/xt_ipvs.c | 187 +++++++++++++++++++++++++++++++++++++
11 files changed, 418 insertions(+), 99 deletions(-)
create mode 100644 include/linux/netfilter/xt_ipvs.h
create mode 100644 net/netfilter/xt_ipvs.c


Changes to iptables (relative to 1.4.5):

Hannes Eder (1):
libxt_ipvs: user-space lib for netfilter matcher xt_ipvs

configure.ac | 11 +
extensions/libxt_ipvs.c | 365 +++++++++++++++++++++++++++++++++++++
extensions/libxt_ipvs.man | 24 ++
include/linux/netfilter/xt_ipvs.h | 25 +++
4 files changed, 422 insertions(+), 3 deletions(-)
create mode 100644 extensions/libxt_ipvs.c
create mode 100644 extensions/libxt_ipvs.man
create mode 100644 include/linux/netfilter/xt_ipvs.h

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
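To make the rules in the cover letter concrete, here is an added model of the packet path they describe. It is illustration code written for this archive page, not code from the patch series or from the IPVS or iptables projects. It assumes only the option names the post gives (--vaddr, --vport, --vportctl) and the described semantics: IPVS DNATs the client packet to a real server, and a nat/POSTROUTING rule carrying the ipvs match decides which of those connections is additionally SNATed; with no rule, the packet leaves with DNAT only, which is the old LVS-NAT behaviour Simon asks about later in the thread. The kernel match locates the IPVS connection through the packet's conntrack entry; the model passes the connection entry in directly. The FTP passive data connection is modelled as an expectation entry that remembers the control connection's VIP port, which is what --vportctl 21 matches. All addresses, ports and services are constructed sample data.

```python
"""Model of IPVS full NAT with the 'ipvs' netfilter match (added illustration, not
code from the patch series). IPVS DNATs a client packet to a real server, then a
nat/POSTROUTING rule with '-m ipvs --vaddr/--vport/--vportctl' decides which of
those connections is also SNATed. All addresses, ports and services are made up."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

Packet = namedtuple("Packet", "src sport dst dport")
# IPVS connection entry: caddr:cport -> vaddr:vport, forwarded to daddr:dport.
# cport 0 marks an expected related connection whose client port is not yet known;
# ctl_vport is the VIP port of the controlling connection (FTP data connections).
IpvsConn = namedtuple("IpvsConn", "caddr cport vaddr vport daddr dport ctl_vport")

@dataclass
class IpvsMatch:
    """Options of one '-m ipvs' match; None means the option was not given."""
    vaddr: Optional[str] = None     # --vaddr addr/mask
    vport: Optional[int] = None     # --vport
    vportctl: Optional[int] = None  # --vportctl (VIP port of the controlling conn)

    def matches(self, c):
        return ((self.vaddr is None or ip_address(c.vaddr) in ip_network(self.vaddr))
                and (self.vport is None or c.vport == self.vport)
                and (self.vportctl is None or c.ctl_vport == self.vportctl))

@dataclass
class SnatRule:
    """nat/POSTROUTING rule: optional --dst, an ipvs match, -j SNAT --to-source."""
    match: IpvsMatch
    to_source: str
    dst: Optional[str] = None

class Director:
    """Minimal IPVS director: round-robin services plus a connection table."""
    def __init__(self):
        self.services = {}  # (vip, vport) -> [[real servers], next rr index]
        self.conns = []

    def add_service(self, vip, vport, reals):
        self.services[(vip, vport)] = [list(reals), 0]  # ipvsadm -A ... / -a ... -m

    def lookup(self, pkt):
        """Existing or expected entry for this packet, else schedule a new one."""
        for i, c in enumerate(self.conns):
            if ((c.caddr, c.vaddr, c.vport) == (pkt.src, pkt.dst, pkt.dport)
                    and c.cport in (0, pkt.sport)):
                self.conns[i] = c = c._replace(cport=pkt.sport)  # expectation -> conn
                return c
        svc = self.services.get((pkt.dst, pkt.dport))
        if svc is None:
            return None  # not a virtual service: IPVS leaves the packet alone
        reals, idx = svc
        raddr, rport = reals[idx % len(reals)]
        svc[1] = idx + 1
        conn = IpvsConn(pkt.src, pkt.sport, pkt.dst, pkt.dport, raddr, rport, None)
        self.conns.append(conn)
        return conn

    def add_related(self, ctl, data_vport):
        """FTP helper expectation: same client and real server, remembers ctl VIP port."""
        self.conns.append(IpvsConn(ctl.caddr, 0, ctl.vaddr, data_vport,
                                   ctl.daddr, data_vport, ctl.vport))

def forward(pkt, d, rules):
    """Packet as it leaves the director: IPVS DNAT, then the first matching SNAT
    rule. Without rules this is plain LVS-NAT, i.e. DNAT only."""
    conn = d.lookup(pkt)
    if conn is None:
        return pkt
    out = Packet(pkt.src, pkt.sport, conn.daddr, conn.dport)  # IPVS DNAT
    for rule in rules:
        if rule.dst is not None and out.dst != rule.dst:
            continue  # --dst is checked on the already DNATed destination
        if rule.match.matches(conn):
            return Packet(rule.to_source, out.sport, out.dst, out.dport)  # SNAT
    return out

def demo():
    """Replays the rules from the cover letter against constructed packets."""
    d = Director()
    d.add_service("192.168.100.30", 80, [("192.168.10.20", 80), ("192.168.11.20", 80)])
    d.add_service("192.168.100.30", 21, [("192.168.10.20", 21)])
    vip = "192.168.100.30/32"
    http = [SnatRule(IpvsMatch(vip, vport=80), "192.168.10.10")]
    one_rs = [SnatRule(IpvsMatch(vip), "192.168.10.10", dst="192.168.11.20")]
    ftp = [SnatRule(IpvsMatch(vip, vport=21), "192.168.10.10"),
           SnatRule(IpvsMatch(vip, vportctl=21), "192.168.10.10")]
    c1 = Packet("10.0.0.5", 40000, "192.168.100.30", 80)
    c2 = Packet("10.0.0.6", 40001, "192.168.100.30", 80)
    ctl = Packet("10.0.0.5", 40002, "192.168.100.30", 21)
    data = Packet("10.0.0.5", 40003, "192.168.100.30", 50000)
    r = {}
    r["no_rules"] = forward(c1, d, [])        # old behaviour: DNAT only
    r["http_snat"] = forward(c1, d, http)     # same conn, now also SNATed
    r["rs1_one_rs"] = forward(c1, d, one_rs)  # went to .10.20, so --dst misses
    r["rs2_one_rs"] = forward(c2, d, one_rs)  # rr sends it to .11.20: SNATed
    r["ftp_ctl"] = forward(ctl, d, ftp)
    d.add_related(d.lookup(ctl), data_vport=50000)
    r["ftp_data"] = forward(data, d, ftp)     # hit by --vportctl 21
    r["ftp_data_vport_only"] = forward(data, d, ftp[:1])  # --vport 21 alone misses
    return r
```

Calling demo() walks through the four situations in the post: the HTTP service with and without the SNAT rule, the --dst variant that SNATs only one real server, and the FTP control and passive data connections, where the data connection has its own VIP port and is only caught by the --vportctl rule.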


horms at verge

Sep 29, 2009, 7:51 AM

Post #2 of 4
Re: [lvs-users] [PATCH v2 0/4] IPVS full NAT support + netfilter 'ipvs' match support [In reply to]

On Tue, Sep 29, 2009 at 02:35:15PM +0200, Hannes Eder wrote:
> The following series implements full NAT support for IPVS. The
> approach is via a minimal change to IPVS (make friends with
> nf_conntrack) and adding a netfilter matcher, kernel- and user-space
> part, i.e. xt_ipvs and libxt_ipvs.

It's a bit late in the day for me to review the code, but I have a few
quick comments.

>
> Example usage:
>
> % ipvsadm -A -t 192.168.100.30:80 -s rr
> % ipvsadm -a -t 192.168.100.30:80 -r 192.168.10.20:80 -m
> # ...
>
> # Source NAT for VIP 192.168.100.30:80
> % iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 \
> > --vport 80 -j SNAT --to-source 192.168.10.10
>
> or SNAT-ing only a specific real server:
>
> % iptables -t nat -A POSTROUTING --dst 192.168.11.20 \
> > -m ipvs --vaddr 192.168.100.30/32 -j SNAT --to-source 192.168.10.10

If the iptables rule is not in place does LVS just use
its old NAT behaviour?

> First of all, thanks for all the feedback. This is the changelog for v2:
>
> - Make ip_vs_ftp work again. Setup nf_conntrack expectations for
> related data connections (based on Julian's patch see
> http://www.ssi.bg/~ja/nfct/) and let nf_conntrack/nf_nat do the
> packet mangling and the TCP sequence adjusting.
>
> This change raises the question of how to deal with ip_vs_sync. Does it
> work together with conntrackd? Wild idea: what about getting rid of
> ip_vs_sync, piggybacking it all on nf_conntrack and using conntrackd?
>
> Any comments on this?

That sounds like a reasonable suggestion.

I think that ip_vs_sync came along before conntrackd
and no one has given much thought to merging the functionality.

> - xt_ipvs: add new rule '--vportctl port' to match the VIP port of the
> controlling connection, e.g. port 21 for FTP. Can be used to match
> a related data connection for FTP:
>
> # SNAT FTP control connection
> % iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 \
> > --vport 21 -j SNAT --to-source 192.168.10.10
>
> # SNAT FTP passive data connection
> % iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 \
> > --vportctl 21 -j SNAT --to-source 192.168.10.10
>
> - xt_ipvs: use 'par->family' instead of 'skb->protocol'
>
> - xt_ipvs: add ipvs_mt_check and restrict to NFPROTO_IPV4 and NFPROTO_IPV6
>
> - Call nf_conntrack_alter_reply(), so helper lookup is performed based
> on the changed tuple.
>
> Changes to the linux kernel (rebased to next-20090925):
>
> Hannes Eder (3):
> netfilter: xt_ipvs (netfilter matcher for IPVS)
> IPVS: make friends with nf_conntrack
> IPVS: make FTP work with full NAT support
>
>
> include/linux/netfilter/xt_ipvs.h | 25 +++++
> include/net/ip_vs.h | 2
> net/netfilter/Kconfig | 9 ++
> net/netfilter/Makefile | 1
> net/netfilter/ipvs/Kconfig | 4 -
> net/netfilter/ipvs/ip_vs_app.c | 43 ---------
> net/netfilter/ipvs/ip_vs_core.c | 37 -------
> net/netfilter/ipvs/ip_vs_ftp.c | 178 ++++++++++++++++++++++++++++++++---
> net/netfilter/ipvs/ip_vs_proto.c | 1
> net/netfilter/ipvs/ip_vs_xmit.c | 30 ++++++
> net/netfilter/xt_ipvs.c | 187 +++++++++++++++++++++++++++++++++++++
> 11 files changed, 418 insertions(+), 99 deletions(-)
> create mode 100644 include/linux/netfilter/xt_ipvs.h
> create mode 100644 net/netfilter/xt_ipvs.c
>
>
> Changes to iptables (relative to 1.4.5):
>
> Hannes Eder (1):
> libxt_ipvs: user-space lib for netfilter matcher xt_ipvs
>
> configure.ac | 11 +
> extensions/libxt_ipvs.c | 365 +++++++++++++++++++++++++++++++++++++
> extensions/libxt_ipvs.man | 24 ++
> include/linux/netfilter/xt_ipvs.h | 25 +++
> 4 files changed, 422 insertions(+), 3 deletions(-)
> create mode 100644 extensions/libxt_ipvs.c
> create mode 100644 extensions/libxt_ipvs.man
> create mode 100644 include/linux/netfilter/xt_ipvs.h



heder at google

Sep 29, 2009, 8:07 AM

Post #3 of 4
Re: [lvs-users] [PATCH v2 0/4] IPVS full NAT support + netfilter 'ipvs' match support [In reply to]

On Tue, Sep 29, 2009 at 16:51, Simon Horman <horms [at] verge> wrote:
> On Tue, Sep 29, 2009 at 02:35:15PM +0200, Hannes Eder wrote:
>> The following series implements full NAT support for IPVS.  The
>> approach is via a minimal change to IPVS (make friends with
>> nf_conntrack) and adding a netfilter matcher, kernel- and user-space
>> part, i.e. xt_ipvs and libxt_ipvs.
>
> It's a bit late in the day for me to review the code, but I have a few
> quick comments.
>
>>
>> Example usage:
>>
>> % ipvsadm -A -t 192.168.100.30:80 -s rr
>> % ipvsadm -a -t 192.168.100.30:80 -r 192.168.10.20:80 -m
>> # ...
>>
>> # Source NAT for VIP 192.168.100.30:80
>> % iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 \
>> > --vport 80 -j SNAT --to-source 192.168.10.10
>>
>> or SNAT-ing only a specific real server:
>>
>> % iptables -t nat -A POSTROUTING --dst 192.168.11.20 \
>> > -m ipvs --vaddr 192.168.100.30/32 -j SNAT --to-source 192.168.10.10
>
> If the iptables rule is not in place does LVS just use
> its old NAT behaviour?

Yes, without iptables rules LVS NAT does DNAT.

>> First of all, thanks for all the feedback.  This is the changelog for v2:
>>
>> - Make ip_vs_ftp work again.  Setup nf_conntrack expectations for
>>   related data connections (based on Julian's patch see
>>   http://www.ssi.bg/~ja/nfct/) and let nf_conntrack/nf_nat do the
>>   packet mangling and the TCP sequence adjusting.
>>
>>   This change raises the question of how to deal with ip_vs_sync.  Does it
>>   work together with conntrackd?  Wild idea: what about getting rid of
>>   ip_vs_sync, piggybacking it all on nf_conntrack and using conntrackd?
>>
>>   Any comments on this?
>
>    That sounds like a reasonable suggestion.
>
>    I think that ip_vs_sync came along before conntrackd
>    and no one has given much thought to merging the functionality.

Okay, I'll dig further in this direction.

Cheers,
-Hannes



horms at verge

Sep 29, 2009, 4:18 PM

Post #4 of 4
Re: [lvs-users] [PATCH v2 0/4] IPVS full NAT support + netfilter 'ipvs' match support [In reply to]

On Tue, Sep 29, 2009 at 05:07:24PM +0200, Hannes Eder wrote:
> On Tue, Sep 29, 2009 at 16:51, Simon Horman <horms [at] verge> wrote:
> > On Tue, Sep 29, 2009 at 02:35:15PM +0200, Hannes Eder wrote:
> >> The following series implements full NAT support for IPVS.  The
> >> approach is via a minimal change to IPVS (make friends with
> >> nf_conntrack) and adding a netfilter matcher, kernel- and user-space
> >> part, i.e. xt_ipvs and libxt_ipvs.
> >
> > It's a bit late in the day for me to review the code, but I have a few
> > quick comments.
> >
> >>
> >> Example usage:
> >>
> >> % ipvsadm -A -t 192.168.100.30:80 -s rr
> >> % ipvsadm -a -t 192.168.100.30:80 -r 192.168.10.20:80 -m
> >> # ...
> >>
> >> # Source NAT for VIP 192.168.100.30:80
> >> % iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 \
> >> > --vport 80 -j SNAT --to-source 192.168.10.10
> >>
> >> or SNAT-ing only a specific real server:
> >>
> >> % iptables -t nat -A POSTROUTING --dst 192.168.11.20 \
> >> > -m ipvs --vaddr 192.168.100.30/32 -j SNAT --to-source 192.168.10.10
> >
> > If the iptables rule is not in place does LVS just use
> > its old NAT behaviour?
>
> Yes, without iptables rules LVS NAT does DNAT.

Great.

> >> First of all, thanks for all the feedback.  This is the changelog for v2:
> >>
> >> - Make ip_vs_ftp work again.  Setup nf_conntrack expectations for
> >>   related data connections (based on Julian's patch see
> >>   http://www.ssi.bg/~ja/nfct/) and let nf_conntrack/nf_nat do the
> >>   packet mangling and the TCP sequence adjusting.
> >>
> >>   This change raises the question of how to deal with ip_vs_sync.  Does it
> >>   work together with conntrackd?  Wild idea: what about getting rid of
> >>   ip_vs_sync, piggybacking it all on nf_conntrack and using conntrackd?
> >>
> >>   Any comments on this?
> >
> >    That sounds like a reasonable suggestion.
> >
> >    I think that ip_vs_sync came along before conntrackd
> >    and no one has given much thought to merging the functionality.
>
> Okay, I'll dig further in this direction.

Assuming the technical side is clean, I suspect the major problem will be
how to migrate users away from ip_vs_sync.

