Re: [PATCH ipvs-next] ipvs: add sysctl to ignore tunneled packets

On Fri, Sep 11, 2015 at 12:24 PM, Julian Anastasov <ja@xxxxxx> wrote:
>         We can use "ipvs" here. I remember people used
> matching by src MAC to solve such problem for DR. For TUN
> fwmark or match by input device can work too. In all cases,
> a fwmark-based service is needed...

Yeah, to be honest, this approach isn't my ideal.  We've had a much
nastier version of this patch (that adds a field to skbuff...) for a
long time, and this was just a less awful way of doing this.

The problem for us is that moving the whole of our load balancing to
fwmark-based pools is a giant nightmare.  On top of the obvious stuff
(redeploying the userspace element to our load balancers), we'd also
need to find a way to prevent conflict between that and our firewalls.
It was more engineering than I had time for, sadly.

Other ideas I had to address this:
* Add some mechanism wherein certain fwmarks are ignored
* Add an iptables target that sets ipvs_property=1

I'm also totally open to ideas.

cheers,
-- 
Alex Gartrell <agartrell@xxxxxx>