Using redirect to disable ARP



The REDIRECT target of iptables/ipchains rewrites the destination address of packets traversing the firewall to the local machine, so that they are delivered to a local socket instead of being forwarded or dropped.

When this target is used, an optional extra argument (the port number) can be supplied. If it is omitted, or given as 0 under ipchains, the packet's original destination port is kept as the redirection port: a packet for VIP:80 is delivered to local port 80.

Disable ARP for VIP

For LVS/DR clusters, Horms suggested a very cute REDIRECT approach to get around the ARP problem: the VIP is never configured on a real server interface, so the real server never answers ARP for it, yet the packets the director forwards to it are still accepted.

I have been able to get around this problem by removing the interface alias on the real servers and setting up a redirect, using ipchains of the form:
ipchains -A input -j REDIRECT <port> -d <virtual-ip-address> <port> -p <protocol>
This has the down side that the real servers essentially have to be Linux boxes to support this feature but it has the up side that the Linux Director can easily be moved to any machine on the LAN as it does not have to have an interface on a network other than the LAN. This has important implications in being able to fail over the Linux Director in a case of failure.

For running multiple virtual services on a single VIP, you can either specify one REDIRECT rule per port, or omit the port number so that a single rule per protocol covers all ports in one hit, as follows:

ipchains -A input -j REDIRECT -d <VIP> -p tcp
ipchains -A input -j REDIRECT -d <VIP> -p udp

For LVS/TUN clusters, simply bring tunl0 up so that the real server can decapsulate the IPIP packets from the director, then add the same REDIRECT rules for the VIPs.

For iptables in the Linux 2.4/2.6 kernels, the equivalent rule lives in the nat table's PREROUTING chain (the option is spelled --to-ports; --to-port is accepted only as an abbreviation of it):

iptables -t nat -A PREROUTING -p tcp -d <VIP> --dport <vport> -j REDIRECT --to-ports <vport>

Two points to check on each real server. First, REDIRECT maps the packet to the primary address of the interface it arrived on, so the service must be listening on that address (or on 0.0.0.0), not on the VIP. Second, because this is nat-table NAT, connection tracking reverses the translation on the reply, so the responses leave the real server with the VIP as their source address, which is exactly what LVS/DR requires for the client to accept them.
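The following script is an added example and not part of the LVS wiki or the LVS project's own tooling. It generates the iptables REDIRECT rules a real server needs for one VIP, covering both the per-port form and the all-ports-per-protocol form described above, validates the inputs, and applies each rule only if it is not already present. The VIP 192.0.2.10 and the ports are placeholders chosen for the example; apply_rules needs root and a kernel with the nat table, so only the rule generator is exercised without privileges.

```shell
#!/bin/sh
# Added example (not from the LVS wiki): build and apply the iptables REDIRECT
# rules for an LVS/DR real server so the VIP is never configured on an
# interface and therefore never answered for in ARP.

# Print one REDIRECT rule per port for the given VIP and protocol.
# Usage: redirect_rules VIP PROTO [PORT ...]
# With no ports, a single rule covers every port of that protocol, which
# matches the all-ports ipchains examples on this page.
redirect_rules() {
    vip=$1; proto=$2; shift 2
    # Loose sanity check on the VIP: dotted-decimal characters only.
    case $vip in
        ''|*[!0-9.]*) echo "bad VIP: $vip" >&2; return 1;;
    esac
    case $proto in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1;;
    esac
    if [ $# -eq 0 ]; then
        echo "iptables -t nat -A PREROUTING -p $proto -d $vip -j REDIRECT"
        return 0
    fi
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2
            return 1
        fi
        # Same destination and redirect port: the service listens on the
        # interface's primary address on that port, not on the VIP.
        echo "iptables -t nat -A PREROUTING -p $proto -d $vip --dport $port -j REDIRECT --to-ports $port"
    done
}

# Apply the generated rules, skipping any that already exist so the script
# can be re-run from boot scripts. Uses 'iptables -C' (check), which exists
# in iptables 1.4.11 and later. Requires root.
apply_rules() {
    rules=$(redirect_rules "$@") || return 1
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        if sh -c "$check" 2>/dev/null; then
            echo "exists: $rule"
        else
            sh -c "$rule"
        fi
    done
}

# Example invocation (placeholders): HTTP and HTTPS on one VIP, plus all UDP.
#   apply_rules 192.0.2.10 tcp 80 443
#   apply_rules 192.0.2.10 udp
```

Run redirect_rules first to review the generated rules, then apply_rules as root on each real server. Because the rules match on the VIP as destination and the real server never owns that address, moving the director to another host on the LAN needs no change on the real servers.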