LVS + SNAT: VIP and RIP not in the same subnet not working

Bug #1641918 reported by Marco van Putten on 2016-11-15
This bug affects 1 person
Affects: keepalived (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

When using keepalived/ipvsadm/LVS as a load balancer and iptables to SNAT, traffic gets lost when the VIP address and the REAL servers are not in the same subnet/VLAN.

When I turn on logging for iptables, you can see the packet coming in, but nothing happens.
---
Nov 15 06:25:08 lb1 kernel: [922014.361577] IN= OUT=eth0 SRC=192.168.1.100 DST=192.168.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44987 DF PROTO=TCP SPT=58504 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
---

This works running Ubuntu 14.04 or 12.04 but on Ubuntu 16.04 it stopped working.

---

In /etc/sysctl.conf I have included:
net.ipv4.ip_forward=1
net.ipv4.vs.conntrack = 1
net.ipv4.vs.snat_reroute = 1

-----
# lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04

# apt-cache policy keepalived
keepalived:
  Installed: 1:1.2.19-1
  Candidate: 1:1.2.19-1
  Version table:
 *** 1:1.2.19-1 500
        500 http://ftp.tudelft.nl/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

# apt-cache policy iptables
iptables:
  Installed: 1.6.0-2ubuntu3
  Candidate: 1.6.0-2ubuntu3
  Version table:
 *** 1.6.0-2ubuntu3 500
        500 http://ftp.tudelft.nl/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

# apt-cache policy ipvsadm
ipvsadm:
  Installed: 1:1.28-3
  Candidate: 1:1.28-3
  Version table:
 *** 1:1.28-3 500
        500 http://ftp.tudelft.nl/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

-----

This is the iptables config:
iptables -t nat -A POSTROUTING -o eth0 --dst 192.168.10.10 -m ipvs --ipvs --vaddr 192.168.9.5 --vport 80 --vmethod masq -j SNAT --to-source 192.168.9.4
iptables -t nat -A POSTROUTING -o eth0 --dst 192.168.10.11 -m ipvs --ipvs --vaddr 192.168.9.5 --vport 80 --vmethod masq -j SNAT --to-source 192.168.9.4

This is the keepalived config:
vrrp_instance vapp1 {
    state EQUAL
    interface eth0
    virtual_router_id 100
    priority 100
    advert_int 1
    smtp_alert
    authentication {
        auth_type PASS
        auth_pass vapp1
    }
    virtual_ipaddress {
        192.168.9.5/24 brd 192.168.9.255 dev eth0
    }
}

virtual_server 192.168.9.5 80 {
    delay_loop 6
    lb_algo wlc
    lb_kind NAT
    persistence_timeout 3600
    protocol TCP

    real_server 192.168.10.10 80 {
        weight 100
        TCP_CHECK {
            connect_timeout 5
        }
    }
    real_server 192.168.10.11 80 {
        weight 100
        TCP_CHECK {
            connect_timeout 5
        }
    }
}
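
Added example, not part of the original report: a check that the three sysctl values listed above are live in the running kernel, since the net.ipv4.vs.* entries in /etc/sysctl.conf can only be applied while the ip_vs module is loaded. The function name and the optional root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# check_lvs_snat_sysctls [PROC_SYS_ROOT]
# Compares running kernel values with the three settings the report puts in
# /etc/sysctl.conf. PROC_SYS_ROOT defaults to /proc/sys; it is an argument
# only so the check can be run against a constructed directory tree.
check_lvs_snat_sysctls() {
    root="${1:-/proc/sys}"
    rc=0
    for pair in net/ipv4/ip_forward=1 \
                net/ipv4/vs/conntrack=1 \
                net/ipv4/vs/snat_reroute=1; do
        key="${pair%=*}"                          # path below the root
        want="${pair#*=}"                         # value from the report
        name=$(printf '%s' "$key" | tr / .)       # sysctl-style name
        file="$root/$key"
        if [ ! -r "$file" ]; then
            # net.ipv4.vs.* exists only while ip_vs is loaded; the conntrack
            # key also needs a kernel built with CONFIG_IP_VS_NFCT.
            echo "MISSING $name (is the ip_vs module loaded?)"
            rc=1
            continue
        fi
        have=$(tr -d ' \t\n' < "$file")
        if [ "$have" = "$want" ]; then
            echo "OK      $name = $have"
        else
            echo "DIFF    $name = $have (expected $want)"
            rc=1
        fi
    done
    return $rc
}
# On the load balancer itself: check_lvs_snat_sysctls
```

A MISSING or DIFF line means the configured value is not in effect at runtime; an all-OK result only rules out this one prerequisite.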

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1641918/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
affects: ubuntu → keepalived (Ubuntu)
Joshua Powers (powersj) on 2016-11-16
Changed in keepalived (Ubuntu):
status: New → Triaged