Re: [Keepalived-devel] Connection state propagation
From: Vinnie <lis...@lv...> - 2003-07-29 07:42:59
Diego Rivera wrote:
> Hello all!
>
> I've heard of the "antefacto" patch which allows IPVS connection state
> to be replicated to IPTables such that when failover occurs there's no
> interruption of established links.
>
> However, by the maintainer's admission it is out of date and it's
> unclear whether it will be maintained further (or even integrated into
> the 2.4.2x tree).
>
> I'm wondering if this patch is the only way to make that happen
> (iptables conn state replication between boxes).
>
> The reason I ask is because we're not using IPVS and don't plan to for a
> while, and thus the conn state would need to be replicated regardless of
> IPVS activity.
>
> Any info is greatly appreciated!
>
> Thanks

As the other gentleman said already, the purpose of the antefacto patch is to bring enough communication of what IPVS code is doing with IPVS-managed connections to netfilter connection tracking code, so that a stateful iptables-based firewall can be run on the LVS Director. Antefacto is pretty much intended for use on LVS-NAT director boxes, BTW.

This is useful, because without the antefacto mod to IPVS, IPVS does not bother to inform netfilter's connection tracking of what it is doing, so using iptables rules which employ stateful inspection (i.e., NEW, ESTABLISHED/RELATED, etc.) to filter traffic heading to/from IPVS-managed services doesn't work. Antefacto makes it work, and therefore, your LVS-NAT director can also be your primary firewall for the network, if you like.

I have sort of inherited the hat of maintaining the antefacto patch for newer kernel/IPVS source code. At this time, I have an updated patch for kernel 2.4.19/IPVS 1.0.7, and one for 2.4.20/IPVS 1.0.8 source code. Actually somebody else took the initiative to mod my 2.4.19 patch so it would work with 2.4.20/IPVS 1.0.8, so I can't really take any credit for that.

Thing is, I am not a C programmer; I have not done any real programming in over 15 years. I just have a lot of experience with computers (22 years) and as far as patches go, I have a HALF-way decent idea of manually fitting/splicing patches in and testing them out after compiling. I can study C source code and sort of follow the logic, and have a LITTLE common sense about how to/how NOT to make patches fit, but that's about the extent of my C skills right now. So I'm not the best person in the world to be maintaining the antefacto patch - but somebody has to do it as long as antefacto's features are not adopted into the main IPVS source in some way.

I am gradually (with a capital G) learning my way around C, but I just don't have a lot of time to dedicate to the effort. Between my job, which takes up a lot of my time, but has very little computer work involved nowadays -- and all of what I do work on is end-user BillySoft machines for people not capable of setting up their own computers to access the internet -- and all the other irons in the fire competing for my free time, learning how to program in C is just not at the top of my list.

Until somebody more capable/skilled in C programming gets involved in maintaining this patch for the community, or sees fit to otherwise make IPVS capable of communicating with netfilter connection tracking so we don't have to have a firewall on a separate box, antefacto's capabilities are probably not going to be very well maintained for future IPVS/kernel releases.

Anyway, I have a HOWTO on our website which has links to the newer antefacto patches mentioned above, and also documents setting up a box to be an LVS-NAT Director with a stateful iptables firewall (which uses keepalived to manage the LVS). Here's the URL:

http://www.lvwnet.com/vince/linux/Keepalived-LVS-NAT-Director-ProxyArp-Firewall-HOWTO.html

Cheers,
vince