Hi everyone,
With Ben North's very helpful information, I managed to hand-fit the
"antefacto" patches into v1.0.7 of the IPVS source and 2.4.19 kernel
source. After completing the patch work, I ran a diff against the whole
kernel tree, to come up with a "single kernel patch" of IPVS 1.0.7 for
kernel 2.4.19, *WITH* the antefacto patches in place also.
(for those unfamiliar, the Antefacto patches bring enough of netfilter's
connection tracking code into IPVS to allow an LVS(-NAT) director to also
function as a stateful inspection-capable iptables firewall, so
that even traffic destined for a VIP/realserver can be
statefully inspected by your iptables firewall ruleset).
I know 1.0.8 just came out so this may not be quite as interesting as it
would have been a few days ago... ;)
I've been running an LVS-NAT director with this setup for over a week
now and haven't seen any probs yet.
Anyway, if anyone is interested in a copy of this "antefacto-enabled"
IPVS v1.0.7 single-kernel-patch for kernel 2.4.19, point your browser to:
http://www.lvwnet.com/vince/files/linux-2.4.19_ipvs1.0.7_single-patch+antefacto-netfilter-conntrack.zip
and pick up a copy. Ben North looked over what I did, and advised me
that there are a couple of .orig files in the diff, so I will probably
need to clean them up and re-diff for a cleaner patch.
But as far as I can tell here with a mildly-busy setup, running 13
LVS-NAT virtual services on the firewall/director (a P166-MMX), it is
chumming right along.
Please ignore the lack of much anything else useful on my linux web
page. Gotta get away from hands-on long enough to update the webpage
with some information. ;)
==========
Any chance the maintainers of the IPVS code would RE-consider bringing
the Antefacto code into the main IPVS source code? It really is a good
feature (stateful inspection of VIP traffic in the firewall scripts),
and I imagine there would be many folks that would consider this useful.
Why run a separate firewall box if you can have LVS director and
firewall on the same box (and not lose any functionality)? You can make
that 2nd box a hot standby director/firewall in case the first one
fails... ;)
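The "diff against the whole kernel tree" step above, and the stray .orig files Ben spotted, as an added example that is not part of the original post or of the IPVS project: a small POSIX shell script that builds a single unified patch from a pristine tree and a patched sibling tree, leaves out the *.orig and *.rej leftovers that patch(1) drops, and checks the result. The directory names and the constructed demo trees are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a single patch of tree
# NEW against sibling tree OLD (both under PARENT), excluding the *.orig and
# *.rej files left behind by patch(1), so "patch -p1" users get a clean diff.

# make_single_patch PARENT OLD NEW OUT
#   Writes a unified diff (relative paths, for patch -p1) to OUT.
#   Returns 0 if diff ran cleanly (exit 0 or 1), 1 on a diff error.
make_single_patch() {
    parent=$1; old=$2; new=$3; out=$4
    status=0
    ( cd "$parent" && diff -urN -x '*.orig' -x '*.rej' "$old" "$new" ) > "$out" || status=$?
    [ "$status" -le 1 ]
}

# patch_mentions_leftovers OUT
#   Returns 0 if OUT still touches .orig/.rej files (dirty patch), 1 if clean.
patch_mentions_leftovers() {
    grep -E '^(\+\+\+|---) .*\.(orig|rej)' "$1" > /dev/null
}

# demo_trees: constructed stand-ins for the pristine and patched kernel trees.
# Prints the parent directory; trees are "$parent/a" (old) and "$parent/b" (new).
demo_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/a/net/ipv4" "$base/b/net/ipv4"
    printf 'int x = 1;\n' > "$base/a/net/ipv4/ip_vs.c"
    printf 'int x = 2;\n' > "$base/b/net/ipv4/ip_vs.c"
    printf 'int x = 1;\n' > "$base/b/net/ipv4/ip_vs.c.orig"   # leftover from patch(1)
    printf 'junk\n'       > "$base/b/net/ipv4/ip_vs.c.rej"    # leftover from patch(1)
    echo "$base"
}

main() {
    base=$(demo_trees)
    make_single_patch "$base" a b "$base/single.patch" || exit 1
    if patch_mentions_leftovers "$base/single.patch"; then
        echo "patch still contains .orig/.rej files" >&2
        exit 1
    fi
    echo "clean patch written to $base/single.patch"
}

main "$@"
```

Run it from any directory; replace the demo trees with the real pristine and patched 2.4.19 trees placed side by side under one parent.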