Hello, On Sun, 10 Nov 2013, Patrick Schaaf wrote: > Dear LVS developers, > > (sorry if this seems silly - I prefer asking around over getting bitten some > time down the road...) > > we run ipvs in LVS-NAT mode on two loadbalancers in an active/standby setup, > with ipvssync threads (and conntrackd) syncing state between the balancers. > This is running kernel 2.6.36 at the moment. > > Most of the ipvs services we run are fwmark based. Until now, we mark all > relevant packets. Now I had the idea, that it would be sufficient to only mark > --syn packets - potentially saving a number of iptables rule checks for the > more frequent case of non-syn packets. IIRC, fwmark is used by IPVS only for scheduling, it happens only when no existing connection is found. So, it looks safe to mark only SYN packets. Only for FTP we create connection on SYN+ACK. If you worry you can use CONNMARK to copy fwmark from netfilter conntrack to every non-SYN packet, it has a save+restore feature. > This seems to work for initial tests, but I am a bit worried whether it would > still work in a failover case, thus my question: > > Upon takeover on the standby balancer, will new, UNmarked frames of existing > connections, be properly matched up to previously synced state, so that these > connections continue to work? In other words, is the IP header information > (IP/port four-tuple) sufficient for connection pickup, and independant of the > fwmark value on the packets? The fwmark was not present in the sync messages. This was changed with version 1 of the IPVS sync protocol, may be in 2.6.39. It allows to find the right real server from the parameters in the sync message when creating connection in backup server. Once the connection is created and its real server is assigned, the fwmark is not used anymore. May be you'll be also interested to check some recent changes that avoid the sync protocol: http://www.spinics.net/lists/lvs-devel/msg03067.html They are based on using SH scheduler and a new sloppy_tcp flag that allows backup server to create conns from non-SYN packets. I don't know if they are suitable for your setup, for example, the SH scheduler requires equal IPVS rules (order of dests in virtual server) in master and backup to guarantee a working failover. commit c6c96c188336b2b95d5f14facd101f1e4165a9d3 Author: Alexander Frolkin <avf@xxxxxxxxxxxxxx> Date: Thu Jun 13 08:56:15 2013 +0100 ipvs: sloppy TCP and SCTP This adds support for sloppy TCP and SCTP modes to IPVS. When enabled (sysctls net.ipv4.vs.sloppy_tcp and net.ipv4.vs.sloppy_sctp), allows IPVS to create connection state on any packet, not just a TCP SYN (or SCTP INIT). This allows connections to fail over from one IPVS director to another mid-flight. commit eba3b5a78799d21dea05118b294524958f0ab592 Author: Alexander Frolkin <avf@xxxxxxxxxxxxxx> Date: Wed Jun 19 10:54:25 2013 +0100 ipvs: SH fallback and L4 hashing commit 4d0c875dcc4923476f364e83912d134da2df224c Author: Julian Anastasov <ja@xxxxxx> Date: Mon Jun 24 22:44:41 2013 +0300 ipvs: add sync_persist_mode flag Add sync_persist_mode flag to reduce sync traffic by syncing only persistent templates. Regards -- Julian Anastasov <ja@xxxxxx> -- To unsubscribe from this list: send the line "unsubscribe lvs-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
