9033 – ipvsadm doesn't work with masquerading.

Bug 9033 - ipvsadm doesn't work with masquerading.

Summary: ipvsadm doesn't work with masquerading.

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	piranha
Sub Component:
Version:	6.1
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Phil Copeland
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	9032 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2000-02-01 02:28 UTC by Bobby Moore
Modified:	2008-05-01 15:37 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2000-03-22 17:48:51 UTC
Embargoed:

Attachments	(Terms of Use)

Description Red Hat Bugzilla 2000-02-01 02:28:46 UTC

I set up a virtual server using ipvsadm, with the 'masq' parm. I also set
up a 'forward' chain to masquerade the packets going through the virtual
server. The packets don't get masqueraded. Part of the setup included:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_always_defrag

Also, /etc/sysconfig/network is...

NETWORKING=yes
FORWARD_IPV4=yes
DEFRAG_IPV4=yes
HOSTNAME=hcom1.worldspan.com
GATEWAY=172.17.1.250

ipvsadm shows...

[root@hcom1 sysconfig]# ipvsadm
IP Virtual Server version 0.8.3 (size=4096)
Protocol LocalAddress:Port Scheduler Flags
      -> RemoteAddress:Port    Forward Weight ActiveConn InActConn
TCP 172.17.206.209:1023 wlc
      -> 10.1.51.152:1350      Masq    2      0          0

My ipchains are...

[root@hcom1 sysconfig]# ipchains -L forward
Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
MASQ       tcp  ------  172.17.206.0/24      anywhere
1024:65535 ->   any
MASQ       udp  ------  172.17.206.0/24      anywhere
1024:65535 ->   any

My internet client's ip is 172.17.206.91, and it connects to
172.17.206.209:1023 (s-172.17.206.91 d-172.17.206.209:1023).

When the packet is forwarded and arrives at my 'real' server the source
address in the packet STILL IS 172.17.206.91 (s-172.17.206.91
d-10.1.51.152:1350).  The virtual server correctly forwarded the packet but
didn't masquerade it!

I had to cancel a DEMO of Red Hat Linux Virtual Server with my company.
This doesn't look good. Will you make this a high priority?

Thanks for your help!

Bobby Moore
Project Engineer
WORLDSPAN
bobby.moore

Comment 1 Red Hat Bugzilla 2000-02-01 16:09:59 UTC

*** Bug 9032 has been marked as a duplicate of this bug. ***

Comment 2 Red Hat Bugzilla 2000-02-09 18:41:59 UTC

What I need is the capability to masquerade the source address of a packet
destined for a real server, using ipchains. The problem is that any inbound
packets from a client to real servers are bypassing the FORWARD chain, going
from the INPUT chain to LVS to the OUTPUT chain. Masquerading the source
address of the packet, as well as the destination packet (done by LVS) is what
I need.

Comment 3 Red Hat Bugzilla 2000-03-22 17:45:59 UTC

I have exchanged email with custmoer on several occassions. He also has
subscribed to the LVS mailing list and now has a greater understanding of LVS
and MASQ than when this problem was first logged.

Customer has agreed that this bug report can be closed.

Comment 4 Red Hat Bugzilla 2000-03-22 17:54:59 UTC

Here is the last email exchange:

> MASQ works for me from an 'inside-to-outside network' perspective. That's
> because traffic from real servers to the outside go through the 'forward'
> chain of ipchains, while traffic from the outside to real servers doesn't.
> I've learned allot during this experiment. Thanks for your feedback.
>
> Go ahead and close the bug report. Thanks.
>
> Bobby Moore Worldspan
> Phone: 770.563.7362 Fax: 770.563.6406
> bobby.moore

Note You need to log in before you can comment on or make changes to this bug.