[nf-failover] Re: [RFC] ct_sync 0.15 (corrected)

KOVACS Krisztian hidden at balabit.hu
Tue Sep 28 16:56:46 CEST 2004


On 2004-09-28 at 16:46, Henrik Nordstrom wrote:
> Any controlled division of the tuple address space would solve the 
> NAT problem.
> I would use IP addresses in this scheme.. it is very nice to have NAT as 
> non-intrusive as possible preserving what can be preserved of the original 
> tuple.

  Definitely. However, I don't see how it would be possible to use
MASQUERADE and a single public IP in this case. If you use the complete
reply tuple and some hash function to avoid two nodes using the same
reply tuple, that would be a bit more capable. (Similar to what Jamal is
saying: the unique tuple allocation code would take care of allocating a
tuple whose hash value the node "owns". This part would be really
similar to ClusterIP.)

> There remains some delicate thinking on how to manage the traffic flows in 
> a sane manner to make sure the correct traffic is forwarded by the correct 
> node, considering failovers, recoveries etc.

  Yes, of course. Full re-sync would be a somewhat more complicated
problem as well. But if we maintain some per-conntrack mark indicating
which node "owns" that entry, then even full re-sync could be
implemented quite easily: each node dumps all entries it is responsible
for. The protocol itself should be extended as well, we would need
per-node sequence numbers and per-node recovery requests.

   Krisztian KOVACS
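The scheme sketched in this reply, as an added example that is not code from the thread, from ct_sync or from netfilter: the reply-tuple space is split among the failover nodes by hash bucket (as ClusterIP does), the NAT port allocator chooses a reply source port so that the resulting tuple hashes to the local node, and a per-conntrack owner mark lets each node dump only its own entries for a full re-sync. The tuple struct, the FNV-1a hash (a stand-in for the kernel's jhash), the `in_use` callback and the port range are all assumptions made for the illustration.

```c
/* Added example, not from the thread or from ct_sync/netfilter:
 * hash-based division of the conntrack reply-tuple space among nodes. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified conntrack tuple (assumed layout, host-order integers). */
struct ct_tuple {
    uint32_t src_ip;
    uint32_t dst_ip;
    uint16_t src_port;
    uint16_t dst_port;
    uint8_t  proto;
};

/* FNV-1a over explicit fields (never over raw struct bytes, which would
 * include padding). Stand-in for jhash, chosen only for brevity. */
static uint32_t fnv1a_feed(uint32_t h, const void *data, size_t len)
{
    const uint8_t *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

static uint32_t tuple_hash(const struct ct_tuple *t)
{
    uint32_t h = 2166136261u;
    h = fnv1a_feed(h, &t->src_ip, sizeof t->src_ip);
    h = fnv1a_feed(h, &t->dst_ip, sizeof t->dst_ip);
    h = fnv1a_feed(h, &t->src_port, sizeof t->src_port);
    h = fnv1a_feed(h, &t->dst_port, sizeof t->dst_port);
    h = fnv1a_feed(h, &t->proto, sizeof t->proto);
    return h;
}

/* The node that "owns" a tuple: its hash bucket, ClusterIP style. */
static unsigned tuple_owner(const struct ct_tuple *t, unsigned nnodes)
{
    return tuple_hash(t) % nnodes;
}

/* Pick a reply source port in [lo, hi] so that the tuple hashes to my_node.
 * The search starts at the original port, so an already-owned tuple is
 * preserved unchanged. Returns the chosen port, or 0 if the range has no
 * free port that this node owns (t->src_port is then left as it was). */
static uint16_t alloc_owned_port(struct ct_tuple *t, unsigned my_node,
                                 unsigned nnodes, uint16_t lo, uint16_t hi,
                                 int (*in_use)(const struct ct_tuple *))
{
    uint16_t orig = t->src_port;
    unsigned range = (unsigned)hi - lo + 1;
    unsigned start = (orig >= lo && orig <= hi) ? (unsigned)(orig - lo) : 0;

    for (unsigned i = 0; i < range; i++) {
        t->src_port = (uint16_t)(lo + (start + i) % range);
        if (tuple_owner(t, nnodes) != my_node)
            continue;
        if (in_use && in_use(t))
            continue;
        return t->src_port;
    }
    t->src_port = orig;
    return 0;
}

/* Conntrack entry with the per-conntrack owner mark. */
struct ct_entry {
    struct ct_tuple reply;
    unsigned owner;
};

/* Full re-sync: each node dumps only the entries it is responsible for.
 * Returns the number of entries written to out (out must hold n pointers). */
static size_t dump_owned(const struct ct_entry *tbl, size_t n,
                         unsigned my_node, const struct ct_entry **out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (tbl[i].owner == my_node)
            out[k++] = &tbl[i];
    return k;
}

int main(void)
{
    /* Constructed sample: 10.0.0.1:40000 -> 192.168.0.1:80 TCP, 2 nodes. */
    struct ct_tuple t = { 0x0a000001u, 0xc0a80001u, 40000, 80, 6 };
    uint16_t p = alloc_owned_port(&t, 1, 2, 1024, 65535, NULL);
    printf("node 1 allocated port %u (owner now %u)\n", p, tuple_owner(&t, 2));
    return 0;
}
```

With a real allocator the `in_use` callback would be the existing conntrack lookup on the candidate reply tuple; with two nodes roughly every second port lands in the local bucket, so the search normally stops within a few probes.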

More information about the netfilter-devel mailing list