IPVS traffic doesn't seem to go through netfilter on the director node


I have the following setup on a director node running keepalived:

  • native IP
  • VIP
  • keepalived DR mode enabled for port 80 and 443

I was debugging a problem where I couldn't access the IPVS service from the director node itself, and during that process noticed that the IPVS traffic doesn't seem to go through netfilter. To verify, I set up the following rule in the raw table in iptables:

Chain PREROUTING (policy ACCEPT 143K packets, 133M bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 MARK       all  --  *      *           MARK and 0xffffffff

and then I ran

nc -v -s 80

I expected the packet counter to increment, but it didn't.

If I change the port number in the nc command to anything other than 80 and 443, then the counter does increment.

Meanwhile, I did see the packet counter increment in the output of

ipvsadm -L -n --stats

when I ran the aforementioned nc command, which should indicate that there was a packet generated that got somewhere.

Is this the expected behavior of ipvs? From materials I found on the Internet it seems ipvs traffic should go through netfilter. What could be causing the behavior I'm seeing?

asked on Server Fault Mar 5, 2019 by Shimin Guo

1 Answer


To answer my own question, as stated in http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-DR.html,

When the packet CIP->VIP arrives at the director it is put into the OUTPUT chain as a layer 2 packet with dest = MAC address of the realserver.

After adding the same rule to the OUTPUT chain, I do see packets hitting the rule now.

answered on Server Fault Mar 15, 2019 by Shimin Guo
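The check described in the question and answer, as an added example (not code from the Server Fault post or the LVS HOWTO): one counting rule per hook in the raw table, a snapshot of the exact counters before and after a test connection, and a diff that names the chain the packet crossed. On a director this shows a connection made from the director itself to VIP:80 hitting raw OUTPUT but not raw PREROUTING, which is the behaviour the answer describes. Everything in it is my assumption, not the page's: the VIP 203.0.113.10 (a documentation address), the ports 80 and 443, the `ipvs-trace` comment tag, the helper names (`install_counters`, `snapshot_raw`, `chain_count`, `hooks_hit`, `trace_live`), and the two snapshots, which are constructed in the shape of `iptables -t raw -L -v -n -x` output rather than captured. The parsing helpers run offline; the live part needs root, iptables and nc on a director and is only run with `--live`.

```shell
#!/bin/sh
# Added example, not from the original post. Trace which netfilter hook an
# IPVS-bound packet crosses on the director: a counting rule (no -j target, so
# it only counts) in raw PREROUTING and raw OUTPUT, counters diffed around a
# test connection. Assumed: VIP 203.0.113.10, ports 80/443, root for the live part.

VIP="${VIP:-203.0.113.10}"
TAG="ipvs-trace"   # assumed comment tag used to find our rules in snapshots

# Live (root): one counting rule per hook, tagged so snapshots can find it.
install_counters() {
    for chain in PREROUTING OUTPUT; do
        iptables -t raw -I "$chain" -d "$VIP" -p tcp -m multiport --dports 80,443 \
            -m comment --comment "$TAG-$chain"
    done
}

remove_counters() {
    for chain in PREROUTING OUTPUT; do
        iptables -t raw -D "$chain" -d "$VIP" -p tcp -m multiport --dports 80,443 \
            -m comment --comment "$TAG-$chain"
    done
}

# Live: exact (-x) counters of the raw table.
snapshot_raw() { iptables -t raw -L -v -n -x; }

# Offline: packet count of the tagged rule in chain $2 from snapshot $1 (0 if absent).
chain_count() {
    printf '%s\n' "$1" | awk -v tag="$TAG-$2" \
        'index($0, tag) { print $1; found = 1 } END { if (!found) print 0 }'
}

# Offline: chains whose tagged rule counted more packets in $2 than in $1, hook order.
hooks_hit() {
    hit=""
    for chain in PREROUTING OUTPUT; do
        b=$(chain_count "$1" "$chain")
        a=$(chain_count "$2" "$chain")
        if [ "$a" -gt "$b" ]; then hit="${hit:+$hit }$chain"; fi
    done
    printf '%s\n' "$hit"
}

# Constructed sample snapshots (not real output), in the shape of
# `iptables -t raw -L -v -n -x`: before and after `nc -z -w 2 $VIP 80`
# run on the director itself. Only the OUTPUT rule has counted the SYN.
BEFORE='Chain PREROUTING (policy ACCEPT 143000 packets, 133000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            tcp  --  *      *       0.0.0.0/0            203.0.113.10         multiport dports 80,443 /* ipvs-trace-PREROUTING */

Chain OUTPUT (policy ACCEPT 98000 packets, 12000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            tcp  --  *      *       0.0.0.0/0            203.0.113.10         multiport dports 80,443 /* ipvs-trace-OUTPUT */'

AFTER_LOCAL_NC='Chain PREROUTING (policy ACCEPT 143012 packets, 133001100 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            tcp  --  *      *       0.0.0.0/0            203.0.113.10         multiport dports 80,443 /* ipvs-trace-PREROUTING */

Chain OUTPUT (policy ACCEPT 98009 packets, 12000720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1         60            tcp  --  *      *       0.0.0.0/0            203.0.113.10         multiport dports 80,443 /* ipvs-trace-OUTPUT */'

# Live procedure, run as root on the director with `--live`.
trace_live() {
    install_counters
    before=$(snapshot_raw)
    nc -z -w 2 "$VIP" 80 || true   # the connection may fail; only the hooks matter here
    after=$(snapshot_raw)
    remove_counters
    echo "raw chains hit by a local connection to $VIP:80: $(hooks_hit "$before" "$after")"
}

if [ "${1:-}" = "--live" ]; then
    trace_live
else
    echo "offline sample: $(hooks_hit "$BEFORE" "$AFTER_LOCAL_NC")"
fi
```

Rules without a `-j` target are a standard iptables idiom for counting without changing a packet's fate, which avoids the question of which tables accept MARK. Run `ipvsadm -L -n --stats` between the two snapshots as well if you want to confirm, as the question does, that IPVS itself saw the packet.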

User contributions licensed under CC BY-SA 3.0