[nf-failover] Re: [RFC] ct_sync 0.15 (corrected)

KOVACS Krisztian hidden at balabit.hu
Tue Sep 28 14:57:32 CEST 2004


  Hi,

2004-09-28, k keltezéssel 14:35-kor Henrik Nordstrom ezt írta:
> > The problem could be circumvented if we statically partitioned the
> > address space between the nodes in the cluster. Unfortunately this is
> > not so simple as it sounds, since it is possible to have untranslated
> > connections using the possibly clasing tuples as well... (Maybe we could
> > apply implicit SNAT translations in this case?)
> 
> I think for the active-active case the only viable setup is to enforce 
> strict address separation, with the addresses used for NAT not used for 
> anything else, and unique per firewall in the active-active cluster.
> 
> This is not as bad as it sounds as the traffic needs to be partitioned as 
> well. We certainly do not want to see assymetric flows in conntrack where 
> traffic goes out via one gateway and returns on another.

  There are other solutions for that problem, for example Harald's
ClusterIP code. If we could integrate that with ct_sync we would be able
to do multi-master packet filter clusters without any load balancers
before the cluster. If the NAT core would be integrated with ClusterIP's
hash to avoid conntrack clashes we could do this without statically
assigning different NAT addresses to each node.

-- 
 Regards,
   Krisztian KOVACS




More information about the netfilter-devel mailing list