Mastering Linux Virtual Server (LVS): Solutions, Types, and ipvsadm Commands

Common Load‑Balancing Solutions

Hardware load balancers include F5 BIG‑IP, Citrix Netscaler, A10, Array and Redware.

Linux LVS (Linux Virtual Server) was created by Zhang Wensong (alias Duan Zhengming). It operates within the netfilter framework as the ipvs kernel module and works on the INPUT chain to forward packets to the POST‑ROUTING chain.

Key concepts:

Service definition: an IP address and port pair is defined as an LVS service; ipvsadm (user‑space) is used to manage rules, while ipvs (kernel‑space) performs forwarding.

LVS works at Layer 4 (transport layer), forwarding based only on IP and port without inspecting application data.

Because LVS operates only at Layer 4, finer‑grained control (e.g., session persistence) is often handled by HAProxy or Nginx.

LVS Types

1. NAT (dNAT)

Client → VIP (performs destination NAT to a real server) → Real Server (RIP) → response back via Director (DIP). NAT requires private addresses for real servers, the gateway of each real server must point to the director, and all traffic passes through the director, which can become a bottleneck.

2. Direct Routing (DR)

Requests are sent directly to the real server’s MAC address; the director only handles the incoming request. ARP handling must be configured (static MAC binding, arptables, or kernel parameters). The director’s failure does not affect response traffic.

3. TUN (IP‑in‑IP)

Encapsulates the original IP packet inside another IP packet. All three addresses (VIP, DIP, RIP) must be public. The response never passes through the director and port mapping is not supported.

4. FULLNAT

Both source and destination IPs are rewritten; requires kernel patches to allow cross‑VLAN address translation.

LVS Scheduling Algorithms

Static methods : Round Robin (rr), Weighted RR (wrr), source hashing (sh), destination hashing (dh).

Dynamic methods : Least Connection (lc), Weighted LC (wlc), Shortest Expected Delay (sed), Nerver Queue (nq), Locality‑based Least Connection (lblc), Replicated & Locality‑based LC (lblcr).

ipvsadm Usage

Typical command syntax:

ipvsadm -A|E -t|u|f service-address [-s scheduler] [-p [timeout]] [-M netmask]

ipvsadm -D -t|u|f service-address

ipvsadm -C

ipvsadm -R

ipvsadm -S [-n]

ipvsadm -a|e -t|u|f service-address -r server-address [-g|i|m] [-w weight] [-x upper] [-y lower]

ipvsadm -d -t|u|f service-address -r server-address

ipvsadm -L|l [options]

Adding a real server:

ipvsadm -a -t 192.168.98.128:80 -r 172.25.136.11:80 -m -w 1

Saving and restoring rules:

ipvsadm-save   # or ipvsadm -S

ipvsadm-restore   # or ipvsadm -R

Example: LVS NAT Model Implementation

Topology: one Director with two NICs, two real servers (RS1, RS2).

# Director NICs
eth0 192.168.98.133/24
eth1 172.25.136.10/24
eth0:1 192.168.98.128/24 (VIP)

# RS1
eth0 172.25.136.11/24

# RS2
eth0 172.25.136.12/24

Configure routing and enable forwarding: # echo 1 > /proc/sys/net/ipv4/ip_forward Create test pages on each real server and start the web service, then add the virtual service on the director:

# ipvsadm -A -t 192.168.98.128:80 -s wlc
# ipvsadm -a -t 192.168.98.128:80 -r 172.25.136.11:80 -m -w 1
# ipvsadm -a -t 192.168.98.128:80 -r 172.25.136.12:80 -m -w 3

After several client accesses, statistics show the weighted round‑robin (wlc) distribution (e.g., 3:1 ratio).

LVS DR Model with Public Addresses

All three addresses (DIP, VIP, RIP) are placed in the same physical network. The director’s VIP is configured on a loopback alias, and each real server hides the VIP on its loopback interface while disabling ARP announcements and replies:

# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
# ifconfig lo:1 192.168.98.128 netmask 255.255.255.255 broadcast 192.168.98.128

Routing entries ensure traffic uses the loopback VIP as the source address before leaving the real server.

Persistent Connections (Session Affinity)

PCC : All requests from the same client to a VIP are directed to the same real server (source‑hash).

PPC : All requests from a client to a specific VIP and port are directed to the same real server.

PFMC : Port‑based affinity using firewall marks to bind multiple ports to a single service.

Example of switching to source‑hash for PCC:

# ipvsadm -E -t 192.168.98.128:80 -s sh