netdev at bof
Dec 20, 2010, 12:43 PM
Is the following known / does a solution exist?
[lvs-users] ipvs does not sync DNATted or fwmarked connection state
I'm setting up two machines with kernel 22.214.171.124 as master/backup ipvs
directors, with keepalived checking real servers and implementing vrrp
Virtual service is for HTTP connections, using NAT method towards the
The basic setup has been working fine, with an exemplary set of three
virtual IPs balancing to some real servers, replicating connection state
(ipvsadm -ln counters increasing on the backup, -lc state visible
However, for the production setup, I have to implement roughly 200
different virtual IP addresses, all running onto the same (rather small)
set of real servers.
As is well known, doing that with the corresponding number of different
ipvs virtual services presents problems, as the real server state
(connection count) is kept for each individual virtual service,
resulting in suboptimal balancing.
As a solution to that, I have been testing two different approaches:
1) using fwmark, with --set-mark in the mangle table to mark the
incoming packets for the different virtual IPs, and an fwmark virtual
service set up as usual.
iptables -t mangle -A PREROUTING -m ... -j MARK --set-mark 80
ipvsadm -A -f 80 ...
2) using iptables DNAT in PREROUTING to rewrite the various virtual IPs
to specific (few) virtual IPs set up as ipvs services.
iptables -t nat -A PREROUTING -m ... -j DNAT --to-dest 10.0.0.1
ipvsadm -A -t 10.0.0.1:80 ...
Both approaches work fine WRT balancing, reaching the real servers, and
BUT: no connection state is synchronized, in either of the approaches.
The backup server does not show -ln counter increase, nor -lc
connections, when I test it.
I have even set up the fully working (normal) approach at the same time
as as 1) and/or 2), for different addresses, and the sync-to-backup is
working OK for the normal addresses, but not sending connection state
for stuff covered by approaches 1) or 2).
Any suggestions as to why this happens? Patches to apply? Good chance
2.6.37-rcX could work? More info needed?
Please read the documentation before posting - it's available at:
LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users