LVS-NAT and source routing
kaber at trash.net
Tue Aug 29 11:06:37 CEST 2006
> sorry that this is a little off-topic, but I'm hoping for some
> advice in relation to a problem with LVS.
> When LVS-NAT is in use (basically load-balancing using DNAT)
> then the return packets need to honour any source routing rules
> on the linux-director (machine running LVS). If you think of it as
> if the packets originate from the linux-director then this makes
> sense (if you think about it other ways it doesn't, but I'm pretty
> convinced that this is the right way to think about it).
> A long time ago Ken Brownfield sent a patch that resolves this problem
> by using an old variant of ip_route_me_harder() in ip_vs_out(),
> the return path for LVS-NATed packets.
> I ported this to net-2.6.19 this afternoon, and it seems to
> fall out to a call to ip_route_me_harder(). (Never mind the skb = *pskb,
> I'd like to clean that up, but it's a separate issue.)
> I spoke briefly with Dave Miller about whether calling
> ip_route_me_harder() was appropriate here. His answer was yes, but try
> and call it as infrequently as possible as it is expensive. He pointed
> me at nf_ip_reroute() and how this is used to minimise calls to
> ip_route_me_harder(). However I'm not entirely sure if that technique is
> applicable to LVS, as the need for ip_route_me_harder() seems to be
> based on the presence of applicable source routing rules and nothing
> else. So here I am.
> + /* For policy routing, packets originating from this
> + * machine itself may be routed differently to packets
> + * passing through. We want this packet to be routed as
> + * if it came from this machine itself. So re-compute
> + * the routing information.
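Review bot: the comment states the intent is to route the reply "as if it came from this machine itself", but the accompanying description says the code reaches this by calling ip_route_me_harder(), which reroutes a locally originating packet as if it were forwarded when the source is non-local; the comment and the helper it documents pull in opposite directions, so either the helper or the comment should change. The comment should also record that the recomputation is only needed when policy routing is in use, and the call could be compiled out when CONFIG_IP_MULTIPLE_TABLES is not set rather than paying the reroute cost on every LVS-NAT reply.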
ip_route_me_harder is meant for the opposite case, rerouting locally
originating packets as if they were forwarded (if the source is
non-local). For your case just calling ip_route_output_key should be
faster since it saves the inet_addr_type call. I think nf_ip_reroute
doesn't help much since you always seem to change the source address,
but you could make the whole thing depend on CONFIG_IP_MULTIPLE_TABLES.