RE: [LARTC] RTNETLINK answers: File exists

Linux Advanced Routing and Traffic Control

	Hello,

On Mon, 26 Nov 2001, Greg Scott wrote:

> Maybe this also applies to the problem I have been fighting for the last
> several weeks.  I have a VPN situation that requires a Linux router/firewall
> to route packets back out the same interface on which they came in.

	You need symmetric routes and rp_filter is one of the
solutions. If the problem involves tunnels then rp_filter can cause
problems in some situations.

> Julian, I saw this quote in the website you mentioned:
>
> By default, the Linux kernels drop packets with local source address from
> the forward path as "source martians". This is not controlled from the
> rp_filter flags. The following patches try to relax this rule and to allow
> the LVS director to be used as (default) gateway from real servers that send
> packets with VIP source, i.e. when the same IP is configured on the LVS
> director.
>
>
> What does this mean?  Is this quote telling me that Linux kernels drop
> packets when their routes to the next hop go out the same interface on which
> they came in?

	No, this is a situation where the clusters have hosts that have the
same (shared) IP configured. The internal hosts have an IP that is also
configured on their gateway. The patch(es) you mention try to relax the
strict rule in the kernel not to allow a packet with saddr=local_ip to be
considered at all (forwarded or delivered locally). We still drop packets
that are locally destined and contain a local IP in saddr, but we allow
such evil packets to be forwarded (forward_shared flag). In short,
this is a setup where the LVS director is a gateway for the Direct-Route
method (you have to read our docs), something similar to NAT topology
but without NAT processing, possible only for a specific kind of packets,
i.e. when the port allocation is not a problem (virtual servers).

	But you have to explain your problem in more detail, or
maybe show me some URLs if it is explained somewhere.

> thanks
>
> - Greg Scott

Regards

--
Julian Anastasov <ja@xxxxxx>
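The two checks discussed in this exchange, the rp_filter reverse-path test and the separate "source martian" rule for packets carrying one of the router's own addresses, are easy to confuse. The following is an added, simplified model written for this archive page; it is not kernel code and not part of the LVS patches. The topology (eth0 LAN, tun0 VPN, eth1 upstream), the addresses, and the `forward_shared` and `rp_filter` knobs are constructed assumptions: `forward_shared` stands in for the flag Julian's patch adds, and loose mode (rp_filter=2) did not exist in the 2001 kernels being discussed, it only appeared in later ones.

```python
"""Toy model of Linux reverse-path filtering and the 'source martian' rule.
Added illustration for this thread, not kernel code: it approximates the
checks discussed above so the VPN hairpin case can be reasoned about."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


@dataclass(frozen=True)
class Packet:
    saddr: str
    daddr: str
    iif: str  # interface the packet arrived on


class RouterModel:
    """rp_filter: 0 = off, 1 = strict (the only mode in 2001 kernels),
    2 = loose (later kernels: drop only if saddr has no route at all).
    forward_shared models the LVS patch flag described in the reply above;
    it is not a mainline sysctl."""

    def __init__(self, routes, local_addrs, rp_filter=1, forward_shared=False):
        # longest prefix first, so the first match in lookup() wins
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)
        self.local_addrs = {ipaddress.IPv4Address(a) for a in local_addrs}
        self.rp_filter = rp_filter
        self.forward_shared = forward_shared

    def lookup(self, addr):
        """Longest-prefix-match route for addr, or None if unroutable."""
        a = ipaddress.IPv4Address(addr)
        for r in self.routes:
            if a in r.prefix:
                return r
        return None

    def verdict(self, pkt):
        saddr = ipaddress.IPv4Address(pkt.saddr)
        daddr = ipaddress.IPv4Address(pkt.daddr)
        to_local = daddr in self.local_addrs

        # 1. Source-martian rule: a packet claiming one of our own addresses
        #    as its source. Independent of rp_filter. Locally destined copies
        #    are always dropped; forwarded ones only when forward_shared is off.
        if saddr in self.local_addrs:
            if to_local or not self.forward_shared:
                return ("DROP", "source-martian")

        # 2. Reverse-path check: would our reply to saddr leave via iif?
        rev = self.lookup(pkt.saddr)
        if self.rp_filter == 1 and (rev is None or rev.dev != pkt.iif):
            return ("DROP", "rp_filter-strict")
        if self.rp_filter == 2 and rev is None:
            return ("DROP", "rp_filter-loose")

        # 3. Normal delivery / forwarding decision.
        if to_local:
            return ("DELIVER", "local")
        out = self.lookup(pkt.daddr)
        if out is None:
            return ("DROP", "no-route")
        return ("FORWARD", out.dev)


# Constructed topology: LAN on eth0, VPN tunnel on tun0, upstream on eth1.
ROUTES = [
    Route(ipaddress.IPv4Network("192.0.2.0/24"), "eth0"),
    Route(ipaddress.IPv4Network("10.8.0.0/24"), "tun0"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "eth1"),
]
LOCAL = ["192.0.2.1", "10.8.0.1", "198.51.100.2"]  # the router's own addresses


def strict():
    return RouterModel(ROUTES, LOCAL, rp_filter=1)


def loose():
    return RouterModel(ROUTES, LOCAL, rp_filter=2)


def shared():
    return RouterModel(ROUTES, LOCAL, rp_filter=1, forward_shared=True)


if __name__ == "__main__":
    cases = [
        Packet("192.0.2.10", "192.0.2.20", "eth0"),  # LAN hairpin: in and out on eth0
        Packet("10.8.0.5", "10.8.0.9", "eth0"),      # VPN source arriving on the LAN side
        Packet("203.0.113.7", "192.0.2.1", "eth0"),  # Internet source arriving on the LAN
        Packet("192.0.2.1", "192.0.2.20", "eth0"),   # our own address used as source
    ]
    for name, model in (("strict", strict()), ("loose", loose()), ("shared", shared())):
        for p in cases:
            print(name, p.saddr, "->", p.daddr, "on", p.iif, model.verdict(p))
```

Running it shows the distinction Julian draws: a plain LAN hairpin (source and destination both reachable via eth0) passes strict rp_filter, because the check is about where the reply to the source would go, not about the output interface; a VPN source arriving on the LAN side is dropped by strict mode but accepted by loose mode; and a packet carrying the router's own address is dropped by the source-martian rule regardless of rp_filter, unless the forward_shared relaxation is on and the packet is being forwarded rather than delivered locally.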