IPVS traffic doesn't seem to go through netfilter on the director node


I have the following setup on a director node running keepalived:

  • native IP 10.65.5.72
  • VIP 10.65.5.230
  • keepalived DR mode enabled for port 80 and 443

I was debugging a problem where I couldn't access the IPVS service from the director node itself, and during that process noticed that the IPVS traffic doesn't seem to go through netfilter. To verify, I set up the following rule in the raw table in iptables:

Chain PREROUTING (policy ACCEPT 143K packets, 133M bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 MARK       all  --  *      *       10.65.5.72           10.65.5.230          MARK and 0xffffffff

and then I ran

nc -v -s 10.65.5.72 10.65.5.230 80

I expected the packet counter to increment, but it didn't.

If I change the port number in the nc command to anything other than 80 and 443, then the counter does increment.

Meanwhile, I did see the packet counter increment in the output of

ipvsadm -L -n --stats

when I ran the aforementioned nc command, which should indicate that there was a packet generated that got somewhere.

Is this the expected behavior of ipvs? From materials I found on the Internet it seems ipvs traffic should go through netfilter. What could be causing the behavior I'm seeing?

iptables
ipvs
asked on Server Fault Mar 5, 2019 by Shimin Guo

1 Answer


To answer my own question, as stated in http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-DR.html,

When the packet CIP->VIP arrives at the director it is put into the OUTPUT chain as a layer 2 packet with dest = MAC address of the realserver.

After adding the same rule to the OUTPUT chain, I do see packets hitting the rule now.

answered on Server Fault Mar 15, 2019 by Shimin Guo
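The counter check from the question (raw PREROUTING did not move) and the answer (raw OUTPUT did) can be turned into a repeatable diagnostic: snapshot the table before and after the nc probe and diff the counters per chain. This is an added example, not code from the post or from keepalived/ipvsadm; the two listings it works on are constructed in the `iptables -t raw -L -v -n` layout quoted above, with one 60-byte packet counted in OUTPUT only.

```python
"""Diff iptables rule counters between two snapshots to see which chains a
locally generated IPVS test flow really traverses. Added example for this
Q&A (not from the post); the listings are constructed, not captured."""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) ")
COUNT_RE = re.compile(r"\d+[KMG]?")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}
RuleKey = tuple[str, str, str, str]  # (chain, target, source, destination)

def parse_count(tok: str) -> int:
    """iptables -L -v abbreviates large counters (143K, 133M) unless -x is given."""
    return int(tok[:-1]) * SUFFIX[tok[-1]] if tok[-1] in SUFFIX else int(tok)

def parse_counters(listing: str) -> dict[RuleKey, int]:
    """Packet counter of every rule, keyed by chain/target/source/destination."""
    counters: dict[RuleKey, int] = {}
    chain = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        cols = line.split()
        # Rule rows: pkts bytes target prot opt in out source destination [match...]
        if chain is None or len(cols) < 9 or not COUNT_RE.fullmatch(cols[0]):
            continue
        counters[(chain, cols[2], cols[7], cols[8])] = parse_count(cols[0])
    return counters

def chains_hit(before: str, after: str, src: str, dst: str) -> dict[str, int]:
    """Chains whose rule for src->dst counted new packets between the snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    hits: dict[str, int] = {}
    for (chain, _t, s, d), count in a.items():
        delta = count - b.get((chain, _t, s, d), 0)
        if s == src and d == dst and delta > 0:
            hits[chain] = hits.get(chain, 0) + delta
    return hits

HEADER = " pkts bytes target     prot opt in     out     source               destination"
RULE = "MARK       all  --  *      *       10.65.5.72           10.65.5.230          MARK and 0xffffffff"

def snapshot(pre_pkts: str, out_pkts: str) -> str:
    """Constructed raw-table listing with the question's MARK rule in both chains."""
    return (f"Chain PREROUTING (policy ACCEPT 143K packets, 133M bytes)\n{HEADER}\n{pre_pkts} {RULE}\n\n"
            f"Chain OUTPUT (policy ACCEPT 98K packets, 12M bytes)\n{HEADER}\n{out_pkts} {RULE}\n")

BEFORE = snapshot("    0     0", "    0     0")
AFTER = snapshot("    0     0", "    1    60")  # one 60-byte SYN, seen in OUTPUT only
```

Feed it real snapshots taken around the `nc -v -s 10.65.5.72 10.65.5.230 80` probe (one per table you care about) and an empty result for PREROUTING with a hit in OUTPUT reproduces the answer's finding.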
