Re: Possibilities and performance of conntrackd, NATing cluster

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Now only to clarify that I understand it correctly:

Asymmetric setup: Any router receives any of packets. All routers have
the same information about all connections in cluster, so it doesn't
matter which of them handles which connection.

Symmetric setup: Once the connection is setup on RouterX, the whole
connection should be handled by that very same router.

Is this correct?

On Wed, Sep 17, 2008 at 12:34 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> The way to go is a symmetric setup where all nodes receives the packets
> and only one firewall node handles them. This can be achieved by means
> of hash-based load-sharing. There's some works on that direction.

How is it possible to have only one firewall to handle packets in
cluster? Is it like in the setup in the testcase
(http://conntrack-tools.netfilter.org/testcase.html)? If I understand
it correctly, it means to have only one active firewall/router and one
passive waiting for failure. How is ti possible to scale to higher
loads?

Can you point me also to some info about hash-based load-sharing?

>> With how many routers?
>
> Limit? I don't know yet, I'm still testing with only two nodes, but I
> expect to do it with up to four. Moreover, the replication approaches
> still require a small change in the code to cleanly support more than
> two nodes.

If the load-sharing works (with more than two nodes maybe) I'd like to
test it. If it proves to work I can test it in real world scenario
with real ISP traffic. We are currently moving to new office so I can
post some results from testing in few weeks.

>> I know that you can do Active / Standby with conntrackd and I believe
>> that you can do Active / Active as well.  It is my understanding that
>> conntrackd broadcasts connection state on a separate network connection.
>>  I believe that the routers participating in the conntrackd failover
>> usually have three (or more) network cards on them, one internal and one

Yes, active/active is what I want.

> This is asymmetric multipath, it is not really a good idea and also
> you'll waste lots of resources in the replication. Therefore, if your
> intention is to improve scalability, this won't help. The way to go is
> the symmetric setup.

Can you write more about this? I'd like to test this setup.

>> routing) but is not required to.  With this in mind I'd recommend
>> something like VRRP for the internal and external interfaces where one
>> router is primary for the internal and outgoing interface and the other
>> router is primary for the external and incoming interface.  Using VRRP

Hm this is interresting - split incoming/outgoing traffic to separate
routers. Maybe the conntrackd can be used in this scenario. I would
test it.

ico
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux