>> Hi ;)
>> I .. would love to know of a way to get iptables state to
>> transfer from one machine to another.
>
> You and lots of other people :-)
>
> Harald Welte has been trying to get funding to write stateful failover
> for netfilter for a while now, but last I heard (a year ago at OLS), he
> hasn't got funding and hasn't done it. Even conceptually it's not easy to

Not quite correct. He has actually done it [1] and we can expect it to
surface in the user world in a couple of months for beta testing.

> do and there's a lot of thinking about whether the current netfilter setup
> is worth putting the effort into failing over. One problem is on loading
> rules that each new rule has to find its place in the existing rule set.

This is also being worked on with the new pkttables, ct/nf-netlink and
whatever else the nf guys come up with.

> Thus loading large rule sets is an n^2 problem and it can take seconds for
> 50,000 rules to load. A netfilter rule compiler would be nice.

Use hipac [2]. As for the CARP protocol I'll hope Alexandre's keepalive
design abstraction layer has enough flexibility built in to just use it
as is, I reckon someone only has to write the support for it (hint, hint).
[1] http://cvs.netfilter.org/netfilter-ha/
[2] http://www.hipac.org/
Cheers,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
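The quoted remark that loading a large rule set is an n^2 problem comes from the way the classic iptables tool talks to the kernel: each `iptables -A` fetches the whole table, appends one rule and pushes the whole table back, so n separate invocations copy on the order of n^2 entries, whereas a batch loader such as `iptables-restore` (or a rule compiler) builds the table once. The simulation below is an added illustration written for this page, not code from the thread or from the netfilter project; `Rule` and `KernelTable` are simplified stand-ins for the real kernel interface and the counts are of simulated entry copies, not measured timings.

```python
"""Simulate why appending netfilter rules one at a time is quadratic.

Added example, not from the mailing-list thread. KernelTable mimics the
whole-table get/replace interface the kernel offers to iptables userspace
(there is no "append one rule" call), and counts how many rule entries
cross the user/kernel boundary for the two loading strategies.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """Minimal stand-in for one netfilter rule (constructed example)."""
    proto: str
    dport: int
    target: str


@dataclass
class KernelTable:
    """Stand-in for a kernel table: only whole-table get and replace exist."""
    rules: list = field(default_factory=list)
    entries_copied: int = 0  # rule entries moved across the "boundary"

    def get_entries(self):
        # Userspace reads the complete current table.
        self.entries_copied += len(self.rules)
        return list(self.rules)

    def replace(self, new_rules):
        # Userspace writes a complete replacement table.
        self.entries_copied += len(new_rules)
        self.rules = list(new_rules)


def load_one_by_one(table, rules):
    """Emulate n separate `iptables -A` invocations; returns entries copied."""
    for r in rules:
        current = table.get_entries()   # fetch the whole table
        current.append(r)               # add a single rule
        table.replace(current)          # push the whole table back
    return table.entries_copied


def load_batch(table, rules):
    """Emulate `iptables-restore`: build once, replace once."""
    current = table.get_entries()       # empty on first load
    current.extend(rules)
    table.replace(current)
    return table.entries_copied


def make_rules(n):
    """Constructed rule set: n distinct TCP port accepts."""
    return [Rule("tcp", 1024 + i, "ACCEPT") for i in range(n)]


def compare(n):
    """Return (entries copied one-by-one, entries copied in batch) for n rules."""
    rules = make_rules(n)
    one = load_one_by_one(KernelTable(), rules)
    batch = load_batch(KernelTable(), rules)
    return one, batch


if __name__ == "__main__":
    for n in (10, 100, 1000, 5000):
        one, batch = compare(n)
        print(f"n={n:5d}  one-by-one copies {one:>10d} entries   batch copies {batch:>6d}")
```

With this model the i-th append reads i entries and writes i+1, so n appends copy exactly n^2 entries while the batch load copies n; the same shape is why a 50,000-rule policy is loaded with `iptables-restore` rather than a shell loop of `iptables -A` calls.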