[nf-failover] Re: [RFC] ct_sync 0.15 (corrected)
KOVACS Krisztian
hidden at balabit.hu
Tue Sep 28 16:56:46 CEST 2004
Hi,
On 2004-09-28 at 16:46, Henrik Nordstrom wrote:
> Any controlled division of the tuple address space would solve the
> NAT problem.
>
> I would use IP addresses in this scheme.. it is very nice to have NAT as
> non-intrusive as possible preserving what can be preserved of the original
> tuple.
Definitely. However, I don't see how it would be possible to use
MASQUERADE and a single public IP in this case. If you use the complete
reply tuple and some hash function to avoid two nodes using the same
reply tuple, that would be a bit more capable. (Similar to what Jamal is
saying: the unique tuple allocation code would take care of allocating a
tuple whose hash value the node "owns". This part would be really
similar to ClusterIP.)
> There remains some delicate thinking on how to manage the traffic flows in
> a sane manner to make sure the correct traffic is forwarded by the correct
> node, considering failovers, recoveries etc.
Yes, of course. Full re-sync would be a somewhat more complicated
problem as well. But if we maintain some per-conntrack mark indicating
which node "owns" that entry, then even full re-sync could be
implemented quite easily: each node dumps all entries it is responsible
for. The protocol itself should be extended as well, we would need
per-node sequence numbers and per-node recovery requests.
--
Regards,
Krisztian KOVACS
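The scheme sketched in the message above (each node "owns" the reply tuples whose hash falls in its bucket, MASQUERADE picks a source port whose reply tuple hashes to the local node, and a full re-sync dumps only the entries a node owns, stamped with a per-node sequence number) as an added, self-contained illustration. This is example code written for this page, not code from the thread, from ct_sync, ClusterIP or netfilter; the FNV-1a hash, the modulo partition, the struct layouts and all names (tuple, owner_of, alloc_owned_port, dump_owned) are assumptions chosen for illustration, and the sample tuples are constructed.

```c
/* Added example (not from the thread, ct_sync, ClusterIP or netfilter):
 * hash-partitioned ownership of NAT reply tuples across cluster nodes.
 * Hash function, partition rule and field layout are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tuple {
    uint32_t saddr, daddr;   /* IPv4 addresses, host byte order */
    uint16_t sport, dport;   /* transport ports */
    uint8_t  proto;
};

/* Conntrack entry carrying the per-conntrack "owner" mark from the text. */
struct ct_entry {
    struct tuple orig, reply;
    unsigned owner;          /* node that owns this entry */
    uint32_t seq;            /* per-node sequence number when dumped */
};

/* FNV-1a over the tuple fields (assumed; ClusterIP uses its own hash). */
static uint32_t tuple_hash(const struct tuple *t)
{
    uint8_t buf[13];
    uint32_t h = 2166136261u;
    memcpy(buf, &t->saddr, 4);
    memcpy(buf + 4, &t->daddr, 4);
    memcpy(buf + 8, &t->sport, 2);
    memcpy(buf + 10, &t->dport, 2);
    buf[12] = t->proto;
    for (size_t i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 16777619u;
    }
    return h;
}

/* Which node owns a reply tuple: hash bucket modulo node count. */
static unsigned owner_of(const struct tuple *reply, unsigned nnodes)
{
    return nnodes ? tuple_hash(reply) % nnodes : 0;
}

/* Reply tuple of a MASQUERADEd flow: the original destination answers
 * to the shared public IP and the NAT-allocated source port. */
static struct tuple reply_tuple(const struct tuple *orig, uint32_t pub_ip,
                                uint16_t nat_port)
{
    struct tuple r = { orig->daddr, pub_ip, orig->dport, nat_port, orig->proto };
    return r;
}

/* Unique tuple allocation: choose a NAT source port in [lo, hi] whose
 * reply tuple hashes to the local node, trying the original port first.
 * Returns 0 if no port in the range is owned by this node or on bad args. */
static uint16_t alloc_owned_port(const struct tuple *orig, uint32_t pub_ip,
                                 unsigned local, unsigned nnodes,
                                 uint16_t lo, uint16_t hi)
{
    if (nnodes == 0 || local >= nnodes || lo > hi)
        return 0;
    unsigned span = (unsigned)hi - lo + 1;
    unsigned start = (orig->sport >= lo && orig->sport <= hi) ? orig->sport - lo : 0;
    for (unsigned i = 0; i < span; i++) {
        uint16_t port = (uint16_t)(lo + (start + i) % span);
        struct tuple r = reply_tuple(orig, pub_ip, port);
        if (owner_of(&r, nnodes) == local)
            return port;
    }
    return 0;
}

/* Full re-sync: a node dumps only the entries it owns, stamping each with
 * its own per-node sequence counter. Returns the number of entries dumped. */
static size_t dump_owned(const struct ct_entry *tbl, size_t n, unsigned node,
                         uint32_t *node_seq, struct ct_entry *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].owner != node)
            continue;
        out[k] = tbl[i];
        out[k].seq = ++*node_seq;
        k++;
    }
    return k;
}

int main(void)
{
    /* Constructed sample: 10.0.0.5:40000 -> 192.168.1.1:80/tcp behind public IP 203.0.113.1 */
    struct tuple orig = { 0x0A000005u, 0xC0A80101u, 40000, 80, 6 };
    uint32_t pub_ip = 0xCB007101u;
    for (unsigned node = 0; node < 3; node++) {
        uint16_t p = alloc_owned_port(&orig, pub_ip, node, 3, 1024, 65535);
        struct tuple r = reply_tuple(&orig, pub_ip, p);
        printf("node %u: NAT port %u, reply tuple owned by node %u\n",
               node, p, owner_of(&r, 3));
    }
    return 0;
}
```

With one node every port is owned locally, so the original source port survives untouched, which is the "as non-intrusive as possible" property from the quoted text; with several nodes the allocator only moves the port when the original reply tuple would land in another node's bucket.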