[Please trim unrelated content, these mails are getting hard to read]
Pablo Neira Ayuso wrote:
Patrick McHardy wrote:
BTW, I recently looked into TIPC, it's incredibly easy to use since
it deals with dead-node detection etc. internally and all you need
to do is exchange a few messages. Might be quite easy to write a
smarter failover daemon.
I see, I don't have more convincing arguments than "I would also need
time for that but in the meanwhile, please allow this". Well, failover
daemons are delicate pieces of software, they have to be stable,
well-tested, bug-free, give timely responses. Still TIPC is experimental
and I guess that the dead-node detection is only layer 3/4 based on
heartbeats. Dead-node detection is a tricky issue, the more you can
perform different layer checks, the more you increase the chances of making
wrong decisions that may lead to inconsistent situations and tons of
problems. VRRP is the current standard and this is one of its limitations,
and so on.
Well, if you are not going to accept the /proc interface, no matter
what I can argue, I give up on this ;)
I'm afraid I can't be convinced of this. If you want to specify
multiple node ids, have the iptables command accept them, but
there's no reason to use proc for this.
Anyway, probably, this is a premature optimization (but worth?). Some
numbers, in my testbed, I get ~1800 TCP connections per second less with
eight cluster rules (no /proc interface).
24347 TCP connections per second with one rule.
22580 TCP connections per second with eight rules.
OK, I'll send you another patch without the /proc interface.
Thanks. As I said, I don't have anything against handling multiple
nodes in one rule, as long as it's not done using proc.