* How does the mode fullnat work in detail and is implemented?
From: Stefan Bauer @ 2013-02-02  9:12 UTC
  To: lvs-devel

Dear developers,

how does the mode fullnat work and how is it implemented?

I see there are patches at http://kb.linuxvirtualserver.org/images/a/a5/Lvs-fullnat-synproxy.tar.gz for the kernel.

How is this mode triggered in userland? I see there are patches for ipvsadm as well. Additionally to this, do I have to set a SNAT-rule with iptables?

It would be nice to get some information on this - there isn't much information out there about the deeper details.

Thank you in advance.

Stefan Bauer


* Re: How does the mode fullnat work in detail and is implemented?
From: Simon Horman @ 2013-02-05  1:44 UTC
  To: Stefan Bauer; +Cc: lvs-devel

On Sat, Feb 02, 2013 at 10:12:41AM +0100, Stefan Bauer wrote:
> Dear developers,
> 
> how does the mode fullnat work and how is it implemented?
> 
> I see there are patches at http://kb.linuxvirtualserver.org/images/a/a5/Lvs-fullnat-synproxy.tar.gz for the kernel.

I do not believe that is the code that was merged into the kernel.
Full-nat for IPVS was included in the 2.6.35 kernel and I do not
believe details of how to configure it have changed since.

> How is this mode triggered in userland? I see there are patches for
> ipvsadm as well. Additionally to this, do I have to set a SNAT-rule with
> iptables?
> 
> It would be nice to get some information on this - there isn't much
> information out there about the deeper details.

My recollection is as follows:

FULL-NAT is implemented by using the existing LVS-NAT (DNAT) implementation
plus an IPVS helper module for iptables which allows it to handle SNAT
of connections which are handled by IPVS.

The code changes were:
* IPVS (kernel)
* New iptables IPVS module (kernel)
* New iptables IPVS module (user-space)

There is some description of how this may be configured at
http://old.nabble.com/-lvs-users---PATCH-v2-0-4--IPVS-full-NAT-support-%2B-netfilter-'ipvs'-match-support-tc25663214.html
and
http://blog.loadbalancer.org/enabling-snat-in-lvs-xt_ipvs-and-iptables/

I have cut and pasted a portion of the first link below:

% ipvsadm -A -t 192.168.100.30:80 -s rr 
% ipvsadm -a -t 192.168.100.30:80 -r 192.168.10.20:80 -m 
# ... 

# Source NAT for VIP 192.168.100.30:80 
% iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 \
  --vport 80 -j SNAT --to-source 192.168.10.10

or SNAT-ing only a specific real server:

% iptables -t nat -A POSTROUTING --dst 192.168.11.20 \
  -m ipvs --vaddr 192.168.100.30/32 -j SNAT --to-source 192.168.10.10
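
The setup described in the message above keeps its state in two places, the IPVS NAT services and the `-m ipvs` SNAT rules, and the two can drift apart. The following shell check is an added example, not part of the original message or of the IPVS project, that cross-references them. The dump text, the second service 192.168.100.31:443 and the rule for 192.168.100.99 are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit that every IPVS NAT service has a matching
# '-m ipvs' SNAT rule, and that no such rule names an unknown VIP.

# Constructed sample dumps, using the addresses from the message above.
IPVS_DUMP='-A -t 192.168.100.30:80 -s rr
-a -t 192.168.100.30:80 -r 192.168.10.20:80 -m -w 1
-A -t 192.168.100.31:443 -s rr
-a -t 192.168.100.31:443 -r 192.168.10.21:443 -m -w 1'
RULE_DUMP='-A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 --vport 80 -j SNAT --to-source 192.168.10.10
-A POSTROUTING -m ipvs --vaddr 192.168.100.99/32 -j SNAT --to-source 192.168.10.10'

# Print "vip:port" for each TCP virtual service with a masquerading (-m) real server.
nat_services() {
  printf '%s\n' "$1" | awk '$1 == "-a" && $2 == "-t" {
    for (i = 4; i <= NF; i++) if ($i == "-m") { print $3; break } }' | sort -u
}

# Print "vaddr:vport" (vport "any" if absent) for each POSTROUTING SNAT rule using -m ipvs.
snat_rules() {
  printf '%s\n' "$1" | awk '/-A POSTROUTING/ && /-m ipvs/ && /-j SNAT/ {
    va = ""; vp = "any"
    for (i = 1; i < NF; i++) {
      if ($i == "--vaddr") { va = $(i + 1); sub(/\/32$/, "", va) }
      if ($i == "--vport") vp = $(i + 1)
    }
    if (va != "") print va ":" vp }'
}

# One verdict line per service (OK / NO-SNAT) and per rule with no service (STALE-RULE).
audit() {
  svcs=$(nat_services "$1"); rules=$(snat_rules "$2")
  vips=$(printf '%s\n' "$svcs" | sed 's/:[0-9]*$//')
  for s in $svcs; do
    if printf '%s\n' "$rules" | grep -qxF -e "$s" -e "${s%:*}:any"
    then echo "OK $s"; else echo "NO-SNAT $s"; fi
  done
  for r in $rules; do
    case $r in
      *:any) printf '%s\n' "$vips" | grep -qxF -- "${r%:any}" ;;
      *)     printf '%s\n' "$svcs" | grep -qxF -- "$r" ;;
    esac || echo "STALE-RULE $r"
  done
}

audit "$IPVS_DUMP" "$RULE_DUMP"
```

A rule narrowed with --dst, as in the second form quoted above, is counted here as covering the whole virtual service.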


* AW: How does the mode fullnat work in detail and is implemented?
From: Stefan Bauer @ 2013-02-05  8:15 UTC
  To: lvs-devel

-----Original Message-----
From:	Simon Horman <horms@verge.net.au>
Sent:	Tue 05.02.2013 02:26
Subject:	Re: How does the mode fullnat work in detail and is implemented?
To:	Stefan Bauer <stefan.bauer@cubewerk.de>; 
CC:	lvs-devel@vger.kernel.org; 
> On Sat, Feb 02, 2013 at 10:12:41AM +0100, Stefan Bauer wrote:
> > Dear developers,
> > 
> > how does the mode fullnat work and how is it implemented?
> > 
> > I see there are patches at 
> http://kb.linuxvirtualserver.org/images/a/a5/Lvs-fullnat-synproxy.tar.gz for 
> the kernel.
> 
> I do not believe that is the code that was merged into the kernel.
> Full-nat for IPVS was included in the 2.6.35 kernel and I do not
> believe details of how to configure it have changed since.

Hi Simon,

I'm more than happy to get this information. Thank you. So the initial patches are not used in the mainline kernel, hence can be seen as obsolete. Also the patches for ipvsadm are useless as it's used with the regular NAT mode.

Thank you again.

Stefan


* Re: How does the mode fullnat work in detail and is implemented?
From: Simon Horman @ 2013-02-05  8:51 UTC
  To: Stefan Bauer; +Cc: lvs-devel

On Tue, Feb 05, 2013 at 09:15:43AM +0100, Stefan Bauer wrote:
> -----Original Message-----
> From:	Simon Horman <horms@verge.net.au>
> Sent:	Tue 05.02.2013 02:26
> Subject:	Re: How does the mode fullnat work in detail and is implemented?
> To:	Stefan Bauer <stefan.bauer@cubewerk.de>; 
> CC:	lvs-devel@vger.kernel.org; 
> > On Sat, Feb 02, 2013 at 10:12:41AM +0100, Stefan Bauer wrote:
> > > Dear developers,
> > > 
> > > how does the mode fullnat work and how is it implemented?
> > > 
> > > I see there are patches at 
> > http://kb.linuxvirtualserver.org/images/a/a5/Lvs-fullnat-synproxy.tar.gz for 
> > the kernel.
> > 
> > I do not believe that is the code that was merged into the kernel.
> > Full-nat for IPVS was included in the 2.6.35 kernel and I do not
> > believe details of how to configure it have changed since.
> 
> Hi Simon,
> 
> I'm more than happy to get this information. Thank you. So the initial patches are not used in the mainline kernel, hence can be seen as obsolete. Also the patches for ipvsadm are useless as it's used with the regular NAT mode.

Yes, AFIC that is correct.


* AW: How does the mode fullnat work in detail and is implemented?
From: Stefan Bauer @ 2013-02-05 13:10 UTC
  To: lvs-devel

-----Original Message-----
From:	Simon Horman <horms@verge.net.au>
> > I'm more than happy to get this information. Thank you. So the initial 
> patches are not used in the mainline kernel, hence can be seen as obsolete. Also 
> the patches for ipvsadm are useless as it's used with the regular NAT mode.
> 
> Yes, AFIC that is correct.

And through full-nat, the IPVS does not have to be the default gw in local network anymore, correct?

Furthermore, the IPVS itself can also host on the same machine a real-server, right?

Thank you.

Stefan


* AW: How does the mode fullnat work in detail and is implemented?
From: Stefan Bauer @ 2013-02-08  7:40 UTC
  To: lvs-devel, Simon Horman

Simon,

one question remains for me:

Why is this netfilter module required for ipvs for fullnat if I could just set up a SNAT rule?

Thank you very much.

Cheers

Stefan
