Hello,
First off, no offense to anyone, especially to the author of the patch.
It was listed on the linuxvirtualserver.org webpage, in the LVS-HOWTO,
section 21 or so.
Have not found it; is there a *diff version I could throw my eyes over?
But this really is a great functionality. I'm really surprised how well
it is working with our setup here, especially considering that this
LVS-NAT director/firewall box is also running "proxy-arp". (We have
other servers/hosts using routable IPs behind the firewall that aren't
(and WON'T be) "LVS'd", and I don't want to have to SNAT/DNAT anything
I don't have to.)
What kind of tests did you run?
If only this netfilter connection state "awareness" of IPVS connections
were part of the main IPVS source... ;)
Guys, I hope you _do_ realize that not even netfilter has properly
working connection tracking. Without the tcp-window-tracking patch,
netfilter allows you to send arbitrary packets through the stack. It's a
well-known fact, and even the netfilter homepage at some point mentioned it.
I take it that you didn't do any tests of the patch or netfilter in
general with a packet generator (where you can modify every last bit of
an skb).
And, to your interest, LVS _does_ have sort of connection state tracking.
Now setting up heartbeat or keepalived, to have a PAIR of these
director/firewall boxes going (active-hot standby), THAT is the next
challenge... the standby has to be able to grab the IPs *AND* the
customized routing table entries from the master.
Have fun. Best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
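To illustrate the point about plain connection tracking versus the tcp-window-tracking patch, here is an added Python model (not netfilter, IPVS or the patch's own code): a tracker that only matches the connection tuple passes any segment that carries the right addresses and ports, while a tracker that also keeps per-endpoint window state rejects segments whose sequence or ack numbers could not belong to the connection. The window arithmetic is a simplified version of the usual approach, and all addresses and sequence numbers below are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """A TCP segment as the tracker sees it (simplified, constructed model)."""
    src: str; sport: int; dst: str; dport: int
    seq: int; ack: int
    length: int   # payload bytes; the caller counts SYN/FIN as 1
    window: int   # window advertised by this segment's sender

def conn_key(seg):
    """Direction-independent key: the two endpoints of the connection."""
    return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})

class TupleTracker:
    """Plain connection tracking: anything matching a known tuple passes."""
    def __init__(self):
        self.conns = {}
    def track(self, syn, synack):
        self.conns[conn_key(syn)] = None
    def accept(self, seg):
        return conn_key(seg) in self.conns

class WindowTracker(TupleTracker):
    """Also checks each segment against the peer's window (simplified model of
    what tcp-window-tracking adds). Per endpoint: end = highest byte sent,
    maxwin = largest window advertised, maxend = highest byte the peer accepts."""
    def track(self, syn, synack):
        self.conns[conn_key(syn)] = {
            (syn.src, syn.sport): {"end": syn.seq + 1, "maxwin": syn.window,
                                   "maxend": synack.ack + synack.window},
            (synack.src, synack.sport): {"end": synack.seq + 1,
                                         "maxwin": synack.window,
                                         "maxend": synack.seq + 1 + syn.window}}
    def accept(self, seg):
        st = self.conns.get(conn_key(seg))
        if st is None:
            return False
        s, r = st[(seg.src, seg.sport)], st[(seg.dst, seg.dport)]
        end = seg.seq + seg.length
        ok = (end <= s["maxend"]                   # fits what the peer accepts
              and end >= s["end"] - r["maxwin"]    # not hopelessly old
              and seg.ack <= r["end"]              # cannot ack unsent data
              and seg.ack >= r["end"] - s["maxwin"])
        if ok:                                     # advance state only if valid
            s["end"] = max(s["end"], end)
            s["maxwin"] = max(s["maxwin"], seg.window)
            r["maxend"] = max(r["maxend"], seg.ack + seg.window)
        return ok
```

Seed both trackers with the SYN and SYN-ACK of a connection, then feed the same segments to each: the tuple-only tracker passes everything with the right endpoints, the window-aware one only what fits the exchanged windows.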