Index: trunk/lvs/debian/config/etc/ha.d/ldirectord.cf
===================================================================
--- trunk/lvs/debian/config/etc/ha.d/ldirectord.cf	(revision 1183)
+++ trunk/lvs/debian/config/etc/ha.d/ldirectord.cf	(revision 1184)
@@ -5,203 +5,33 @@
 quiescent=no
 
-virtual=18.181.0.46:25
+# iptables rules caused SMTP to use FWM 3
+virtual=3
         real=18.181.0.53:25 gate 1024
         real=18.181.0.57:25 gate 1024
         real=18.181.0.167:25 gate 512
-        fallback=18.187.1.128:25 gate
         service=smtp
         scheduler=wlc
         persistent=600
-        protocol=tcp
+        protocol=fwm
         checktype=negotiate
+	checkport=25
 
-virtual=18.181.0.46:80
-        real=18.181.0.53:80 gate 1024
-        real=18.181.0.57:80 gate 1024
-        real=18.181.0.167:80 gate 512
-        fallback=127.0.0.1:80 gate
-        service=http
-        request="heartbeat/http"
+# Apache (80, 443, and 444) uses FWM 2
+virtual=2
+	real=18.181.0.53 gate 1024
+	real=18.181.0.57 gate 1024
+	real=18.181.0.167 gate 512
+	fallback=127.0.0.1 gate
+	service=http
+	request="heartbeat/http"
 	virtualhost="scripts.mit.edu"
-        receive="1"
-        scheduler=wlc
-        persistent=600
-        protocol=tcp
-        checktype=negotiate
+	receive="1"
+	checktype=negotiate
+	checkport=80
+	scheduler=wlc
+	persistent=600
+	protocol=fwm
 
-virtual=18.181.0.46:443
-        real=18.181.0.53:443 gate 1024
-        real=18.181.0.57:443 gate 1024
-        real=18.181.0.167:443 gate 512
-        fallback=18.187.1.128:443 gate
-        service=https
-        request="heartbeat/https"
-	virtualhost="scripts.mit.edu"
-        receive="1"
-        scheduler=wlc
-        persistent=600
-        protocol=tcp
-        checktype=negotiate
-
-virtual=18.181.0.46:444
-        real=18.181.0.53:444 gate 1024
-        real=18.181.0.57:444 gate 1024
-        real=18.181.0.167:444 gate 512
-        fallback=18.187.1.128:444 gate
-        service=https
-        request="heartbeat/https"
-	virtualhost="scripts.mit.edu"
-        receive="1"
-        scheduler=wlc
-        persistent=600
-        protocol=tcp
-        checktype=negotiate
-
-virtual=18.181.0.43:25
-        real=18.181.0.53:25 gate 1024
-        real=18.181.0.57:25 gate 1024
-        real=18.181.0.167:25 gate 512
-        fallback=18.187.1.128:25 gate
-        service=smtp
-        scheduler=wlc
-        persistent=600
-        protocol=tcp
-        checktype=negotiate
-
-virtual=18.181.0.43:80
-        real=18.181.0.53:80 gate 1024
-        real=18.181.0.57:80 gate 1024
-        real=18.181.0.167:80 gate 512
-        fallback=127.0.0.1:80 gate
-        service=http
-        request="heartbeat/http"
-        receive="1"
-        scheduler=wlc
-        persistent=600
-        protocol=tcp
-        checktype=negotiate
-
-virtual=18.181.0.43:443
-        real=18.181.0.53:443 gate 1024
-        real=18.181.0.57:443 gate 1024
-        real=18.181.0.167:443 gate 512
-        fallback=18.187.1.128:443 gate
-        service=https
-        request="heartbeat/https"
-	virtualhost="scripts.mit.edu"
-        receive="1"
-        scheduler=wlc
-        persistent=600
-        protocol=tcp
-        checktype=negotiate
-
-virtual=18.181.0.43:444
-        real=18.181.0.53:444 gate 1024
-        real=18.181.0.57:444 gate 1024
-        real=18.181.0.167:444 gate 512
-        fallback=18.187.1.128:444 gate
-        service=https
-        request="heartbeat/https"
-	virtualhost="scripts.mit.edu"
-        receive="1"
-        scheduler=wlc
-        persistent=600
-        protocol=tcp
-        checktype=negotiate
-
-virtual=18.181.0.50:25
-        real=18.181.0.53:25 gate 1024
-        real=18.181.0.57:25 gate 1024
-        real=18.181.0.167:25 gate 512
-        fallback=18.187.1.128:25 gate
-        service=smtp
-        scheduler=wlc
-        persistent=600
-        protocol=tcp
-        checktype=negotiate
-
-virtual=18.181.0.50:80
-        real=18.181.0.53:80 gate 1024
-        real=18.181.0.57:80 gate 1024
-        real=18.181.0.167:80 gate 512
-        fallback=127.0.0.1:80 gate
-        service=http
-        request="heartbeat/http"
-        receive="1"
-        scheduler=wlc
-        persistent=600
-        protocol=tcp
-        checktype=negotiate
-
-virtual=18.181.0.50:443
-        real=18.181.0.53:443 gate 1024
-        real=18.181.0.57:443 gate 1024
-        real=18.181.0.167:443 gate 512
-        fallback=18.187.1.128:443 gate
-        service=https
-        request="heartbeat/https"
-	virtualhost="scripts.mit.edu"
-        receive="1"
-        scheduler=wlc
-        persistent=600
-        protocol=tcp
-        checktype=negotiate
-
-virtual=18.181.0.50:444
-        real=18.181.0.53:444 gate 1024
-        real=18.181.0.57:444 gate 1024
-        real=18.181.0.167:444 gate 512
-        fallback=18.187.1.128:444 gate
-        service=https
-        request="heartbeat/https"
-	virtualhost="scripts.mit.edu"
-        receive="1"
-        scheduler=wlc
-        persistent=600
-        protocol=tcp
-        checktype=negotiate
-
-virtual=18.181.0.49:80
-        real=18.181.0.53:80 gate 1024
-        real=18.181.0.57:80 gate 1024
-        real=18.181.0.167:80 gate 512
-        fallback=127.0.0.1:80 gate
-        service=http
-        request="heartbeat/http"
-	virtualhost="scripts.mit.edu"
-        receive="1"
-        scheduler=wlc
-        persistent=600
-        protocol=tcp
-        checktype=negotiate
-
-virtual=18.181.0.49:443
-        real=18.181.0.53:443 gate 1024
-        real=18.181.0.57:443 gate 1024
-        real=18.181.0.167:443 gate 512
-        fallback=18.187.1.128:443 gate
-        service=https
-        request="heartbeat/https"
-	virtualhost="scripts.mit.edu"
-        receive="1"
-        scheduler=wlc
-        persistent=600
-        protocol=tcp
-        checktype=negotiate
-
-virtual=18.181.0.49:444
-        real=18.181.0.53:444 gate 1024
-        real=18.181.0.57:444 gate 1024
-        real=18.181.0.167:444 gate 512
-        fallback=18.187.1.128:444 gate
-        service=https
-        request="heartbeat/https"
-	virtualhost="scripts.mit.edu"
-        receive="1"
-        scheduler=wlc
-        persistent=600
-        protocol=tcp
-        checktype=negotiate
-
+# Everything else uses FWM 1 and gets sent only to the primary
 virtual=1
         real=18.181.0.53 gate "heartbeat/services", "1"
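Review bot: The merged FWM 2 block health-checks only port 80 (`service=http`, `checkport=80`), so the 443 and 444 listeners that the removed `service=https` blocks probed with `request="heartbeat/https"` are no longer checked. A real server whose TLS listener is down but which still answers `heartbeat/http` would keep receiving 443/444 traffic. Each `virtual=` block carries a single check, so if TLS availability matters, either probe the TLS side (`service=https` with `checkport=443`) or use a `checktype=external` script that tests all three ports. The FWM 3 block also loses its `fallback=` line, and 443/444 now fall back to 127.0.0.1 instead of 18.187.1.128; a comment such as `# no fallback for SMTP: senders retry` would show whether both are intended. The `virtual=1` block continues outside the hunk.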
Index: trunk/lvs/debian/config/etc/network/if-up.d/iptables
===================================================================
--- trunk/lvs/debian/config/etc/network/if-up.d/iptables	(revision 1183)
+++ trunk/lvs/debian/config/etc/network/if-up.d/iptables	(revision 1184)
@@ -1,21 +1,27 @@
 #!/bin/sh
 ## Joe Presbrey <presbrey@mit.edu>
+## Quentin Smith <quentin@mit.edu>
 ## SIPB Scripts LVS Firewall marks
 
 iptables -F -t mangle
 
+# Create a table for regular scripts hosts
+iptables -t mangle -N scripts 2>/dev/null || :
+
+# scripts-vhosts.mit.edu
+iptables -A PREROUTING -t mangle -d 18.181.0.46 -j scripts
 # scripts.mit.edu
-iptables -A PREROUTING -t mangle -m tcp -m multiport -p tcp -d 18.181.0.46/31 --dports 25,80,443,444 -j MARK --set-mark 2
-iptables -A PREROUTING -t mangle -m mark --mark 0 -d 18.181.0.46/31 -j MARK --set-mark 1
+iptables -A PREROUTING -t mangle -d 18.181.0.43 -j scripts
+# scripts-cert.mit.edu
+iptables -A PREROUTING -t mangle -d 18.181.0.50 -j scripts
 
-# scripts-new.mit.edu
-iptables -A PREROUTING -t mangle -m tcp -m multiport -p tcp -d 18.181.0.43 --dports 25,80,443,444 -j MARK --set-mark 2
-iptables -A PREROUTING -t mangle -m mark --mark 0 -d 18.181.0.43 -j MARK --set-mark 1
+# Send Apache-bound traffic to FWM 2 (load-balanced)
+iptables -A scripts -t mangle -m tcp -m multiport -p tcp --dports 80,443,444 -j MARK --set-mark 2
+# Send SMTP-bound traffic to FWM 3 (load-balanced)
+iptables -A scripts -t mangle -m tcp -p tcp --dport 25 -j MARK --set-mark 3
+# Send everything else to FWM 1 (primary)
+iptables -A scripts -t mangle -m mark --mark 0 -j MARK --set-mark 1
 
-# scripts-cert.mit.edu
-iptables -A PREROUTING -t mangle -m tcp -m multiport -p tcp -d 18.181.0.50/31 --dports 25,80,443,444 -j MARK --set-mark 2
-iptables -A PREROUTING -t mangle -m mark --mark 0 -d 18.181.0.50/31 -j MARK --set-mark 1
-
-# webzephyr.mit.edu
-iptables -A PREROUTING -t mangle -m tcp -m multiport -p tcp -d 18.181.0.49 --dports 80,443 -j MARK --set-mark 2
+# webzephyr.mit.edu is special because its SMTP needs to always go to the primary (FWM 1)
+iptables -A PREROUTING -t mangle -m tcp -m multiport -p tcp -d 18.181.0.49 --dports 80,443,444 -j MARK --set-mark 2
 iptables -A PREROUTING -t mangle -m mark --mark 0 -d 18.181.0.49 -j MARK --set-mark 1
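Review bot: The new `-d 18.181.0.46` and `-d 18.181.0.50` jump rules match one address each, whereas the removed rules used `/31` and so also marked 18.181.0.47 and 18.181.0.51. If those neighbours are still routed to this director, their packets now leave PREROUTING with mark 0 and presumably match none of the fwm virtual services. Either keep `/31` on the two jumps or say in the comment that the narrowing is deliberate. Separately, `-N scripts` creates a chain in the mangle table, not a table, so the comment would be more accurate as `# Create a chain for regular scripts hosts`. The `2>/dev/null || :` after it hides every failure of that command, not only "chain already exists", in which case the later `-j scripts` rules fail too and the addresses stay unmarked.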
