Re: Is it possible again?

To: Wensong Zhang <wensong@xxxxxxxxxxxx>
Subject: Re: Is it possible again?
Cc: "lvs-users@xxxxxxxxxxxxxxxxxxxxxx" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Lars Marowsky-Bree <lmb@xxxxxxx>
Date: Thu, 9 Mar 2000 09:53:18 +0100

On 2000-03-09T16:25:10,
   Wensong Zhang <wensong@xxxxxxxxxxxx> said:

> I think it is possible. The director and the backup are in a shared
> network for incoming traffic, the backup sniffs packets and changes its
> connection state the same as the director (because the director is just on
> half client-to-server connection in LVS/TUN and LVS/DR), then drops
> packets.

> It needs some investigation and probably lots of additional code too. ;-)

I don't even think so - the main trick is getting the kernel to sniff the
packets, which is probably quite easy with a little messing around. Not
sending the packets out again (which would confuse the realservers) is easy
with an ipchains output rule which silently drops them.

This doesn't work with a switch though, you need a shared network like a
hub.

However, I have been talking with rusty about this. The problem is more
general - HA shared-state firewalls are asked for all the time, so we want to
do a generic thing for everything which builds upon Netfilter's state machine.
This would not only cover LVS, but also masquerading and packet filtering in
general. We intend to discuss this in greater detail at the Ottawa Linux
Symposium at the latest.

Wensong, would you mind saying a word or two about the current status of the
LVS netfilter port?

Sincerely,
    Lars Marowsky-Brée <lmb@xxxxxxx>
    Development HA

-- 
Perfection is our goal, excellence will be tolerated. -- J. Yahl
