
I have the following setup on a director node running keepalived:

  • native IP 10.65.5.72
  • VIP 10.65.5.230
  • keepalived DR mode enabled for port 80 and 443

I was debugging a problem where I couldn't access the IPVS service from the director node itself, and during that process noticed that the IPVS traffic doesn't seem to go through netfilter. To verify, I set up the following rule in the raw table in iptables:

Chain PREROUTING (policy ACCEPT 143K packets, 133M bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 MARK       all  --  *      *       10.65.5.72           10.65.5.230          MARK and 0xffffffff

and then I ran

nc -v -s 10.65.5.72 10.65.5.230 80

I expected the packet counter to increment, but it didn't.

If I change the port number in the nc command to anything other than 80 and 443, then the counter does increment.

Meanwhile, I did see the packet counter increment in the output of

ipvsadm -L -n --stats

when I ran the aforementioned nc command, which should indicate that there was a packet generated that got somewhere.

Is this the expected behavior of ipvs? From materials I found on the Internet it seems ipvs traffic should go through netfilter. What could be causing the behavior I'm seeing?

1 Answer


To answer my own question, as stated in http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-DR.html,

When the packet CIP->VIP arrives at the director it is put into the OUTPUT chain as a layer 2 packet with dest = MAC address of the realserver.

After adding the same rule to the OUTPUT chain, I do see packets hitting the rule now.
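A small check for the behaviour described above, added here as an example that is not part of the original question or answer: it takes two snapshots of `iptables -t raw -L -v -n -x` (exact counters), one before and one after the test connection, and reports how many packets hit the MARK rule in each chain. The snapshot text is constructed to mirror the post (PREROUTING counter unchanged, OUTPUT counter incremented, as expected for locally generated traffic to the VIP in DR mode); on a real director you would replace the two strings with the actual command output. The helper names and the `--and-mark` form of the install command are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Compares per-chain hit counters of the
# MARK rule in the raw table between two `iptables -t raw -L -v -n -x` snapshots.
# Install commands that would produce such a rule in both chains (assumed form):
#   iptables -t raw -I PREROUTING -s 10.65.5.72 -d 10.65.5.230 -j MARK --and-mark 0xffffffff
#   iptables -t raw -I OUTPUT     -s 10.65.5.72 -d 10.65.5.230 -j MARK --and-mark 0xffffffff

# Constructed snapshot taken before running `nc -v -s 10.65.5.72 10.65.5.230 80`.
BEFORE='Chain PREROUTING (policy ACCEPT 143000 packets, 133000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1         60 MARK       all  --  *      *       10.65.5.72           10.65.5.230          MARK and 0xffffffff

Chain OUTPUT (policy ACCEPT 98000 packets, 12000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 MARK       all  --  *      *       10.65.5.72           10.65.5.230          MARK and 0xffffffff'

# Constructed snapshot taken after the nc command: only OUTPUT moved.
AFTER='Chain PREROUTING (policy ACCEPT 143002 packets, 133000120 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1         60 MARK       all  --  *      *       10.65.5.72           10.65.5.230          MARK and 0xffffffff

Chain OUTPUT (policy ACCEPT 98001 packets, 12000060 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1         60 MARK       all  --  *      *       10.65.5.72           10.65.5.230          MARK and 0xffffffff'

# rule_hits CHAIN SNAPSHOT: print the pkts counter of the MARK rule in CHAIN
# (0 if the chain or rule is absent). Rule lines start with "pkts bytes target".
rule_hits() {
  printf '%s\n' "$2" | awk -v chain="$1" '
    /^Chain / { cur = $2; next }
    cur == chain && $3 == "MARK" { print $1; found = 1; exit }
    END { if (!found) print 0 }
  '
}

# delta CHAIN: packets that hit the rule in CHAIN between the two snapshots
delta() {
  b=$(rule_hits "$1" "$BEFORE")
  a=$(rule_hits "$1" "$AFTER")
  echo $(( a - b ))
}

# hit_chains: space-separated list of chains whose rule counter advanced
hit_chains() {
  out=""
  for c in PREROUTING OUTPUT; do
    [ "$(delta "$c")" -gt 0 ] && out="$out $c"
  done
  printf '%s\n' "${out# }"
}

# Usage when run directly: show which raw-table chains saw the test packet.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  echo "chains hit by the test connection: $(hit_chains)"
fi
```

On a live system, capture the two snapshots with `BEFORE=$(iptables -t raw -L -v -n -x)` before the nc command and `AFTER=$(...)` afterwards; the `-x` flag matters because without it large counters are abbreviated (143K) and the arithmetic breaks.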