[Firehol-support] firehol with ipvs (lvs) and synproxy

Tsaousis, Costa costa at tsaousis.gr
Wed Feb 25 11:00:09 GMT 2015


Hi all,

I was trying to add IPVS (LVS) support to FireHOL.

IPVS is a load balancer in the kernel. It can be used for both TCP and
UDP traffic.

Load balancing servers can also be achieved with DNAT, like this:

dnat to 10.1.1.1-10.1.1.10 persistent inface wan0 proto tcp dport 80 dst PUBLIC_IP

This will load balance web servers 10.1.1.1 to 10.1.1.10 for all
tcp/80 traffic sent to PUBLIC_IP.

However, IPVS balancing has a few great features the DNAT method does not:

1. IPVS supports multiple algorithms for distributing traffic to real
servers. DNAT does not. IPVS not only balances load on the real
servers using multiple algorithms, but also supports balancing servers
using different weights for each.

2. IPVS can add or remove real servers to/from the load balancer
without restarting the firewall. So someone may add scripts to monitor
the real servers and if a server goes down, IPVS can be re-configured
to adapt. In the DNAT case, this is not possible. DNAT accepts only
one range of IPs. If a server in the middle of the range goes down,
DNAT balancing for the rest cannot be configured.

Unfortunately, IPVS has its own connection tracker and by default does
not cooperate with the iptables connection tracker. This can be fixed
by setting /proc/sys/net/ipv4/vs/conntrack to 1. Once this is set to 1,
iptables (and FireHOL) will be able to see the packets controlled by
IPVS and manage its traffic like everything else.

It is said, though, that enabling /proc/sys/net/ipv4/vs/conntrack wastes
resources, since now there will be 2 connection trackers monitoring
the traffic.

Also, IPVS cannot work with SYNPROXY. There seems to be a kernel patch
that enables this, but up to kernel 3.18, it does not seem to be
integrated in the kernel.

So, for IPVS to work with FireHOL there are 2 options:

1. Exclude all IPVS traffic from FireHOL. This can be done by adding a
few iptables commands at the top of firehol.conf with '-j CT
--notrack' (to disable the iptables connection tracker) and then
iptables commands to ACCEPT IPVS traffic in the filter.FORWARD chain.

This is the most efficient (less resource hungry) way.

or

2. Set /proc/sys/net/ipv4/vs/conntrack to 1, and use FireHOL for filtering it.

This is the easiest and will not be a problem if you don't have
several Gbps of such traffic.

If you use IPVS and you have found any other way to work with it,
please let us know...

Costa
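As an added example that is not part of Costa's post or of FireHOL itself, a small sh script that emits the iptables commands option 1 describes (CT --notrack plus explicit ACCEPTs) next to the single sysctl of option 2. It assumes IPVS NAT (MASQ) mode, constructed placeholder addresses, and the chain traversal stated in its comments.

```shell
#!/bin/sh
# Added example (not from the original post): emit the iptables rules for
# "option 1" above -- keep IPVS traffic out of conntrack with CT --notrack
# and accept it explicitly, because untracked packets never match ESTABLISHED.
# Assumed: IPVS NAT (MASQ) mode, where client->VIP packets pass INPUT before
# IPVS takes them at LOCAL_IN, the rewritten packet toward a real server
# leaves through OUTPUT, and the real server's reply crosses FORWARD; in
# DR/TUN mode the reply never returns through the director.

is_ipv4() {
    # crude IPv4 / CIDR sanity check so a typo does not become an open rule
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# ipvs_bypass_rules VIP PORT RS_NET MODE   (MODE = nat | dr)
ipvs_bypass_rules() {
    vip=$1; port=$2; rs_net=$3; mode=${4:-nat}
    is_ipv4 "$vip" && is_ipv4 "$rs_net" || return 1
    [ "$port" -ge 1 ] 2>/dev/null && [ "$port" -le 65535 ] || return 1
    # client -> VIP: untrack in raw, accept in INPUT (IPVS decides at LOCAL_IN)
    echo "iptables -t raw -A PREROUTING -p tcp -d $vip --dport $port -j CT --notrack"
    echo "iptables -t filter -A INPUT -p tcp -d $vip --dport $port -j ACCEPT"
    [ "$mode" = nat ] || return 0
    # director -> real server (rewritten packet), then real server -> client reply
    echo "iptables -t raw -A OUTPUT -p tcp -d $rs_net --dport $port -j CT --notrack"
    echo "iptables -t filter -A OUTPUT -p tcp -d $rs_net --dport $port -j ACCEPT"
    echo "iptables -t raw -A PREROUTING -p tcp -s $rs_net --sport $port -j CT --notrack"
    echo "iptables -t filter -A FORWARD -p tcp -s $rs_net --sport $port -j ACCEPT"
}

# Option 2 for comparison: one sysctl, at the cost of two trackers per packet.
ipvs_conntrack_rule() {
    echo "sysctl -w net.ipv4.vs.conntrack=1"
}

# dry run with constructed placeholder addresses (VIP, port, real-server net)
ipvs_bypass_rules 203.0.113.10 80 10.1.1.0/24 nat
```

Pipe the output to sh or paste it where the post suggests, at the top of firehol.conf. Health checks the director itself sends to the real servers also match the OUTPUT rules, so their replies need a matching INPUT accept if monitoring runs on the director.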


