On Monday 2011-01-17 11:55, Giles Coochey wrote:

>>
>> You should do all of the NAT-ing ON THE LOAD BALANCER:
>>
>
> I have to agree - if you are doing NAT you want to avoid any type of asymmetric
> routing - especially you NEED to make sure that the device that is doing the
> NAT (be it for load balancing or other reasons) receives the return packets.

Not strictly. You could utilize a second device whose CTs are synchronized
with the LB to apply the reverse transform, using conntrackd. Sort of like

    digraph {
        internet -> lb;
        lb -> web;
        web -> unnat;
        unnat -> internet;
    };

but it only looks feasible to me if your LB is already computationally
crowded.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
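An added sketch of what the "unnat" leg of that digraph could look like in practice. This is editorial example configuration, not part of the thread and not from the conntrack-tools project: the load balancer DNATs to the web server without SNAT, so replies leave through the second box, which needs the same conntrack entries in its own kernel table in order to undo the mapping. Every host name, address (RFC 5737 documentation ranges), interface name and the exact conntrackd.conf option set are assumptions; check them against the conntrackd.conf(5) shipped with your version, in particular that it supports DisableExternalCache.

```conf
# Assumed topology (constructed for this example, not from the thread):
#   internet -> lb     VIP 198.51.100.10 on eth0, inside address 10.0.0.1 on eth1
#   lb -> web          10.0.0.20; DNAT only, no SNAT, so web sees the real client
#   web -> unnat       web's default gateway 10.0.0.2 on eth1, outside on eth0
#   unnat -> internet  un-DNATs the reply: source 10.0.0.20 becomes 198.51.100.10
#   lb <-> unnat       dedicated sync link, 192.0.2.1 (lb) and 192.0.2.2 (unnat), eth2
#
# The only NAT rule in the design, on lb:
#   iptables -t nat -A PREROUTING -d 198.51.100.10 -p tcp --dport 80 \
#            -j DNAT --to-destination 10.0.0.20
# unnat needs no DNAT rule of its own: the reply-direction mapping travels
# inside the replicated conntrack entry, the same mechanism the usual
# active/backup firewall failover relies on.
#
# Both boxes only ever see one direction of each flow, so on both:
#   sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=1
#
# /etc/conntrackd/conntrackd.conf on unnat. lb runs the same file with the
# two UDP addresses swapped.
Sync {
	Mode FTFW {
		ResendQueueSize 131072
		PurgeTimeout 60
		ACKWindowSize 300
		# Inject replicated entries straight into this kernel's table.
		# With the external cache enabled (the default, meant for
		# failover) they would sit in userspace until "conntrackd -c",
		# and unnat would have nothing to reverse.
		DisableExternalCache On
	}
	UDP {
		IPv4_address 192.0.2.2
		IPv4_Destination_Address 192.0.2.1
		Port 3780
		Interface eth2
		SndSocketBuffer 1249280
		RcvSocketBuffer 1249280
		Checksum on
	}
}

General {
	Nice -20
	HashSize 32768
	HashLimit 131072
	LogFile on
	Syslog on
	LockFile /var/lock/conntrack.lock
	UNIX {
		Path /var/run/conntrackd.ctl
		Backlog 20
	}
	NetlinkBufferSize 2097152
	NetlinkBufferSizeMaxGrowth 8388608
	Filter From Userspace {
		Protocol Accept {
			TCP
		}
		Address Ignore {
			IPv4_address 127.0.0.1
			IPv4_address 192.0.2.0/24   # the sync link itself
		}
	}
}
```

Two things to verify before trusting this, both consequences of the split path rather than of conntrackd: replication is reliable (FTFW) but not synchronous, so a reply that reaches unnat before the corresponding entry has been injected leaves with its internal source address unchanged; and because each kernel tracks only one direction of every TCP flow, lb's entry never leaves SYN_SENT and ages out on the unreplied timeout, and since destroy events are replicated too, that expiry tears down unnat's entry mid-flow. Watch `conntrack -E` on both boxes under load before deciding the design is cheaper than doing the NAT on the LB.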