Brian Ghidinelli wrote:
> I'm trying to get a handle on whether or not it's possible to set up the
> following on a redundant pair of boxes:
>
> 1. Stateful iptables firewall
> 2. LVS director (keepalived)
> 3. DNAT, SNAT and fwmarks
> 4. Connection synchronization for failover
>
> I currently have CentOS/RHEL 5 running 1, 2 and 3 above, but the RHEL
> 2.6.18-* kernels don't export LVS connections to netfilter, resulting in
> lots of INVALID packets on return traffic from real servers. It also
> prevents connection synchronization to the backup fw/director for
> failover. Google has been giving me conflicting results on the
> following questions:
>
> * Do the antefacto patches allow netfilter to access connections managed
> by ipvs and support DNAT, SNAT and fwmarks used in the LVS configuration?
>
> * Has anyone gotten this to work on RHEL/CentOS via a kernel recompile
> with the antefacto patches?
>
> If so, is there anything needed beyond the following?
>
> 1. Recompile CentOS kernel (2.6.18 ok?) with Antefacto patches
> (http://www.ssi.bg/~ja/nfct/)

The last time that I had a look at the antefacto patch it looked to me like
a hack. IIRC, the problem is the LVS design (at least some time ago when I
had a look at it), as it bypasses the network stack. This screws up the
possibility of having stateful firewalling and LVS.

-- 
"The honest are social misfits" -- Les Luthiers
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
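A quick way to confirm the symptom Brian describes on a given director is to cross-check the IPVS connection table against the netfilter conntrack table: any LVS connection whose client-to-VIP tuple has no conntrack entry will have its return traffic classified INVALID by a stateful iptables ruleset and cannot be replicated by conntrackd. The script below is an added example, not code from the thread or from the LVS or netfilter projects. It assumes the text layout of `ipvsadm -Lnc` and of `conntrack -L` from conntrack-tools (protocol, protocol number, timeout, optional TCP state, then the original-direction `src=/dst=/sport=/dport=` tuple); the two samples embedded in it are constructed, not captured from a real host. On a director you would feed it the real output of those two commands instead.

```python
"""Cross-check the IPVS connection table against netfilter conntrack.

Parses `ipvsadm -Lnc` and `conntrack -L` output and lists LVS connections
that conntrack knows nothing about. Those flows cannot be matched by a
stateful iptables ruleset (their return traffic is INVALID) and cannot be
synchronized to a backup director by conntrackd.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `ipvsadm -Lnc` output (assumed layout, not a real capture).
IPVS_SAMPLE = """\
IPVS connection entries
pro expire state       source             virtual            destination
TCP 14:59  ESTABLISHED 192.168.1.100:51234 10.0.0.1:80        192.168.2.10:80
TCP 00:57  TIME_WAIT   192.168.1.101:40000 10.0.0.1:80        192.168.2.11:80
UDP 00:45  UDP         192.168.1.102:5060  10.0.0.1:5060      192.168.2.12:5060
"""

# Constructed sample of `conntrack -L` output. Only the first LVS flow above
# appears here; the second entry is an unrelated SSH session to the director.
CONNTRACK_SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.100 dst=10.0.0.1 sport=51234 dport=80 src=192.168.2.10 dst=192.168.1.100 sport=80 dport=51234 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=192.168.1.50 dst=10.0.0.1 sport=22222 dport=22 src=10.0.0.1 dst=192.168.1.50 sport=22 dport=22222 [ASSURED] mark=0 use=1
"""


@dataclass(frozen=True)
class Flow:
    """Original-direction 5-tuple: client -> virtual service address."""
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def parse_ipvs(text: str) -> list[tuple[Flow, str, str]]:
    """Return (client->VIP flow, IPVS state, real server) per IPVS connection."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly six columns and start with the protocol name;
        # the two header lines are skipped.
        if len(parts) != 6 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, _expire, state, source, virtual, dest = parts
        s_ip, s_port = source.rsplit(":", 1)
        v_ip, v_port = virtual.rsplit(":", 1)
        flows.append((Flow(proto.lower(), s_ip, int(s_port), v_ip, int(v_port)), state, dest))
    return flows


# proto, proto number, timeout, optional TCP state (UDP entries have none),
# then the original-direction tuple. The reply tuple later in the line is ignored.
_CT_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?:\S+\s+)?"
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
)


def parse_conntrack(text: str) -> set[Flow]:
    """Return the original-direction 5-tuple of every conntrack entry."""
    tracked = set()
    for line in text.splitlines():
        m = _CT_RE.match(line)
        if m:
            tracked.add(Flow(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return tracked


def untracked_lvs_connections(ipvs_text: str, conntrack_text: str) -> list[tuple[Flow, str, str]]:
    """LVS connections whose client->VIP tuple has no conntrack entry at all."""
    tracked = parse_conntrack(conntrack_text)
    return [(f, state, rs) for f, state, rs in parse_ipvs(ipvs_text) if f not in tracked]


if __name__ == "__main__":
    for flow, state, real in untracked_lvs_connections(IPVS_SAMPLE, CONNTRACK_SAMPLE):
        print(f"{flow.proto} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} "
              f"({state}, real server {real}): no conntrack entry")
```

On a stock kernel without conntrack integration for IPVS, every line of `ipvsadm -Lnc` should show up as untracked; after a rebuild with the patches Brian asks about, the report should shrink to nothing, which is the check worth running before trusting a stateful ruleset or conntrackd on that director.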