Re: Choices for virtual IP failover (was Re: Firewall in Load Balance - Active/Active)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, 2009-05-25 at 16:58 +0200, Tore Anderson wrote:
> > the link states of network devices. The major drawback is that it also
> > has a IPVS module which is printing harmless error messages when the
> > underlying kernel doesn't support IPVS but I suppose you could prevent
> > that if you'd compile keepalived yourself.
> 
> I knowthat keepalived has a command line option to only start the VRRP
> parts of the code (-P).  Perhaps that will silence the warnings?

It doesn't but I am simply ignoring them (they are only
printed at startup anyway).

> The lack of IPv6 support is something I miss, too.  I plan to deal with
> it by adding/removing the HA IPv6 addresses from shell scripts ithat
> runs when the state changes (the settings notify_{master,backup,fault}).
> I didn't try it yet but I see no reason why it wouldn't work. 

It does work as that's what I am doing now ;) (Debian 5.0 nodes
with packaged keepalived). Also the Linux IPv6 stack automatically
sends something equivalent to a gratuitous ARP request anyway
(some ICMPv6 type deals with announcing address changes on the link).

>  You'll
> need to piggy-back it on an IPv4 VIP though (just use dummy addresses
> from 169.254.0.0/16 or RFC1918 space for single-stack IPv6 networks).

I'm using a dual stack approach so I don't have that problem.

> > Finally the problem with all these implementations is that they don't
> > support virtual MAC addresses in the way VRRP is usually provides
> > by router vendors and thus have to send gratuitous ARP requests
> > to inform their networks about the new MAC address after a failover.
> 
> I think this is due to a limitation in the Linux kernel - it is simply
> not possible to have a multiple unicast layer-2 addresses assigned to a
> single network interface.  Go bug the people on netdev - I'm sure
> keepalived will support VMAC immediately after the necessary kernel
> changes have been made.

Am aware of this but I simply don't have the time right now, but
surely would be a nice thing to have, also from a security perspective
(relying on what makes ARP-Spoofing possible for your fundamental
infrastructure is not nice ;)

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux