I have the following setup on a director node running keepalived:
I was debugging a problem where I couldn't access the IPVS service from the director node itself, and during that process noticed that the IPVS traffic doesn't seem to go through netfilter. To verify, I set up the following rule in the raw table in iptables:
Chain PREROUTING (policy ACCEPT 143K packets, 133M bytes)
pkts bytes target prot opt in out source destination
1 60 MARK all -- * * 10.65.5.72 10.65.5.230 MARK and 0xffffffff
and then I ran
nc -v -s 10.65.5.72 10.65.5.230 80
I expected the packet counter to increment, but it didn't.
If I change the port number in the nc command to anything other than 80 and 443, then the counter does increment.
Meanwhile, I did see the packet counter increment in the output of
ipvsadm -L -n --stats
when I ran the aforementioned nc command, which should indicate that there was a packet generated that got somewhere.
Is this the expected behavior of ipvs? From materials I found on the Internet it seems ipvs traffic should go through netfilter. What could be causing the behavior I'm seeing?
To answer my own question, as stated in http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-DR.html,
When the packet CIP->VIP arrives at the director it is put into the OUTPUT chain as a layer 2 packet with dest = MAC address of the realserver.
After adding the same rule to the OUTPUT chain, I do see packets hitting the rule now.
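The check carried out in the question and the answer (a counting rule in raw PREROUTING, then in raw OUTPUT, and an nc probe from the director's own address) as one repeatable script. This is an added example, not code from the original post or from the LVS project: it installs target-less rules in both chains, snapshots `iptables -t raw -vnL -x` before and after the probe, and diffs the per-rule packet counters so the chain that actually carried the locally generated VIP traffic is named explicitly. The live part assumes root, an iptables with the raw table, and an nc that accepts `-z`, `-w` and `-s`; the two listings embedded at the bottom are constructed samples shaped like the DR case above, not real captures.

```shell
#!/bin/sh
# Added example, not part of the original post: find out which raw-table chain
# (PREROUTING or OUTPUT) a probe from the director's own IP to the VIP traverses,
# by diffing rule packet counters taken before and after the probe.
# Assumptions: root, iptables with the raw table, an nc that accepts -z/-w/-s.

# Packet count of the rule in CHAIN matching SRC -> DST, from the text of
# `iptables -t raw -vnL -x` (-x keeps counters as plain integers, never "143K").
chain_pkts() {   # listing chain src dst
    printf '%s\n' "$1" | awk -v chain="$2" -v src="$3" -v dst="$4" '
        /^Chain / { cur = $2; next }
        cur == chain {
            n = 0; split("", addr)
            # the first two dotted-quad fields on a rule line are source and
            # destination, whether or not a target column is present
            for (i = 3; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) { n++; addr[n] = $i }
            if (addr[1] == src && addr[2] == dst) { print $1; exit }
        }'
}

# Packets that hit the rule between two listings (a missing rule counts as 0).
counter_delta() {   # before after chain src dst
    b=$(chain_pkts "$1" "$3" "$4" "$5")
    a=$(chain_pkts "$2" "$3" "$4" "$5")
    echo $(( ${a:-0} - ${b:-0} ))
}

# Name the chain that carried the probe: OUTPUT, PREROUTING, BOTH or NONE.
path_verdict() {   # before after src dst
    pre=$(counter_delta "$1" "$2" PREROUTING "$3" "$4")
    out=$(counter_delta "$1" "$2" OUTPUT "$3" "$4")
    if   [ "$pre" -eq 0 ] && [ "$out" -gt 0 ]; then echo OUTPUT
    elif [ "$pre" -gt 0 ] && [ "$out" -eq 0 ]; then echo PREROUTING
    elif [ "$pre" -eq 0 ] && [ "$out" -eq 0 ]; then echo NONE
    else echo BOTH; fi
}

# Live procedure (root): install counting-only rules (no -j target, so nothing
# is altered), probe the VIP from the director's own address, diff, clean up.
probe_live() {   # src_ip vip port
    for chain in PREROUTING OUTPUT; do
        iptables -t raw -I "$chain" -s "$1" -d "$2" -p tcp --dport "$3"
    done
    before=$(iptables -t raw -vnL -x)
    nc -z -w 2 -s "$1" "$2" "$3"
    after=$(iptables -t raw -vnL -x)
    for chain in PREROUTING OUTPUT; do
        echo "$chain: +$(counter_delta "$before" "$after" "$chain" "$1" "$2") packets"
        iptables -t raw -D "$chain" -s "$1" -d "$2" -p tcp --dport "$3"
    done
    echo "verdict: $(path_verdict "$before" "$after" "$1" "$2")"
}

# Constructed listings (not real captures) shaped like the DR case in the post:
# director 10.65.5.72 probing VIP 10.65.5.230:80 is counted in OUTPUT only.
BEFORE_SAMPLE=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 143000 packets, 133000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0            tcp  --  *      *       10.65.5.72           10.65.5.230          tcp dpt:80

Chain OUTPUT (policy ACCEPT 98000 packets, 9000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0            tcp  --  *      *       10.65.5.72           10.65.5.230          tcp dpt:80
EOF
)
AFTER_SAMPLE=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 143012 packets, 133001100 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0            tcp  --  *      *       10.65.5.72           10.65.5.230          tcp dpt:80

Chain OUTPUT (policy ACCEPT 98007 packets, 9000500 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      180            tcp  --  *      *       10.65.5.72           10.65.5.230          tcp dpt:80
EOF
)

if [ "${1:-}" = live ]; then
    probe_live "$2" "$3" "$4"      # e.g. sh ipvs_path.sh live 10.65.5.72 10.65.5.230 80
else
    echo "offline sample verdict: $(path_verdict "$BEFORE_SAMPLE" "$AFTER_SAMPLE" 10.65.5.72 10.65.5.230)"
fi
```

Run with `live <director-ip> <vip> <port>` on the director to reproduce the observation: a verdict of OUTPUT is the LVS-DR behaviour quoted above (the packet is placed into the OUTPUT chain, never PREROUTING), while NONE means the probe never reached the raw table at all and the rule or the probe needs a second look. Counting-only rules are used instead of the MARK rule from the question so the check cannot change packet handling.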