Harald and others,

I've seen Harald's presentation on netfilter failover at this year's FOSDEM [1]. I know that connection tracking information replication is not yet implemented, so I am looking into using the "poor man's" approach with shared Ethernet. I've played around with the kernel a bit so far but have had little success. It would be nice if someone could provide some insight into how to hack the kernel so it does connection tracking based on packets from an interface in promiscuous mode without actually forwarding those.

Right now I have two identical machines set up with identical routes, interfaces and corresponding IPs. Both machines have IP forwarding turned on, but the box that is on hot standby has ARP replies turned off (ifconfig <iface> -arp).

With a standard kernel, packets for other hosts are dropped in net/ipv4/ip_input.c:

    /*
     * Main IP Receive routine.
     */
    int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt)
    {
        struct iphdr *iph;

        /* When the interface is in promisc. mode, drop all the crap
         * that it receives, do not try to analyse it.
         */
        if (skb->pkt_type == PACKET_OTHERHOST)
            goto drop;

The second place where these packets could be dropped is net/ipv4/ip_forward.c:

    int ip_forward(struct sk_buff *skb)
    {
        [...]
        if (skb->pkt_type != PACKET_HOST)
            goto drop;

Right now I have tried two things:

1. Just commenting out the "goto drop" so that the packets are handled like any other (ip_route_local(), ip_forward() etc.).

2. Instead of dropping the packet, calling

    NF_HOOK(PF_INET, NF_IP_LOCAL_IN, skb, skb->dev, NULL, ip_local_deliver_finish);

   or

    NF_HOOK(PF_INET, NF_IP_FORWARD, skb, skb->dev, dev2, ip_forward_finish);

   respectively.

If someone could point me in the right direction I would be very grateful.

Thanks,
Nils Juergens

[1] http://www.fosdem.org

--
Nils Juergens | ju@xxxxxxxxxxxxxxxxxx
Having problems sending big files over the net? Try out Efisto (http://efisto.rnbhq.org).