fib-2215pre9-1.diff

This is a patch (2.2.15pre9) that allows real servers to use the director as gateway in LVS VS/DR and VS/TUN mode. It must be applied in the Director.

We try to control via /proc/sys/net/ipv4/conf//rp_filter whether the packets with saddr=local_ip and daddr=non_local_ip will be forwarded or dropped as martians. Currently, they are unconditionally dropped by the kernel, which is not very good. Packets with saddr=local_ip1 and daddr=local_ip2 are dropped (this is not changed).

Two NICs are required: one for the external net and one for the internal net (with the real servers). It does not work with one NIC.

This is my first attempt to break the routing, so don't try this patch in production without testing, nor if your firewall is not set up correctly.

After applying this patch it is recommended that */rp_filter be 1. rp_filter must be 0 only for the internal device, i.e. where the real servers reside. In this way we allow the real servers to send packets with saddr=VIP and daddr=client through the Director. Of course, you can use the default values (*/rp_filter=0) for the test.

If this patch is applied and external_eth/rp_filter is 0 (which is the default), the real servers can receive packets with saddr=any_director_ip and dst=any_RIP_or_VIP, which is not very good. So, rp_filter=1 on the external net must be used for better security.

Note:

- the kernel defaults to */rp_filter=0, which is not good for security, but the drawback is that the internal hosts can be fooled that they talk with the default gateway (the patched router). This can be solved by changing the rp_filter values. But a good firewall can solve all these problems.

Julian Anastasov
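An added example, not part of the patch or of the original page: a shell function that checks a director's rp_filter values against the layout recommended above (1 everywhere, 0 only on the internal device). The conf-root argument and the device name eth1 are assumptions; on a live director the root is /proc/sys/net/ipv4/conf.

```shell
#!/bin/sh
# Audit rp_filter against the recommended layout for a patched director:
#   every entry = 1, except the internal device (real servers) = 0.
# Usage: audit_rp_filter CONF_ROOT INTERNAL_DEV
#   CONF_ROOT    normally /proc/sys/net/ipv4/conf; taken as an argument so
#                the check can also run against a constructed tree
#   INTERNAL_DEV device facing the real servers (assumed name, e.g. eth1)
# Prints one line per deviating entry.
# Returns 0 if compliant, 1 if any entry deviates, 2 on usage errors.
audit_rp_filter() {
    conf_root=$1
    internal=$2
    if [ -z "$conf_root" ] || [ -z "$internal" ]; then
        echo "usage: audit_rp_filter CONF_ROOT INTERNAL_DEV" >&2
        return 2
    fi
    # A mistyped device name would silently turn the audit into
    # "1 everywhere", so refuse to run without the internal entry.
    if [ ! -r "$conf_root/$internal/rp_filter" ]; then
        echo "no rp_filter entry for internal device '$internal'" >&2
        return 2
    fi
    bad=0
    for f in "$conf_root"/*/rp_filter; do
        [ -r "$f" ] || continue
        dev=$(basename "$(dirname "$f")")
        val=$(tr -d '[:space:]' < "$f")
        if [ "$dev" = "$internal" ]; then want=0; else want=1; fi
        if [ "$val" != "$want" ]; then
            echo "$dev: rp_filter=$val, expected $want"
            bad=1
        fi
    done
    return "$bad"
}
```

On a director whose internal device is eth1, call it as `audit_rp_filter /proc/sys/net/ipv4/conf eth1`; with the kernel defaults it lists every entry except eth1.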