From: Alessandro Ren <alessandro.ren@opservices.com.br>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Problems in Dead Gateway Detection / Failover
Date: Mon, 17 Apr 2006 17:11:42 +0000	[thread overview]
Message-ID: <4443CC4E.1020904@opservices.com.br> (raw)
In-Reply-To: <43D8CEAE.3010006@tuxspace.com>


    So, I will try to explain how all the parts fit together, but if in
any doubt, just ask me:

    The main script is check_links_balanced.pl and it runs from the
crontab, in my case every minute or every 2 minutes. At the beginning of
the script there are some settings:
    $OPNET_CONF="/usr/local/scripts/opnet.conf";
     We have a service that we call OpNet, that's why the OPNET thing; so
this is where the configurations for the links are. I will attach my
configuration so you can base yours on it, very simple.
$RCFIREWALL="/etc/rc.d/rc.firewall";
    Where your firewall script is; the main script needs to check if the
firewall is ok and change it if a link goes DOWN or UP.

# hosts file
$HOSTS_FILE="/usr/local/scripts/hosts.txt";
    The list of hosts; they can be IPs or names.

# logfile
$LOGFILE="/var/log/check_links_balanced.log";
    Well, the log file, to see how things are going.

# minimal % of hosts that must be UP to consider a link UP
$CRITICAL=30;

    So, you have to create an entry for each link in
/etc/iproute2/rt_tables, using LINK1, LINK2 and so on as the table name
for each link that you have. This is important, because everything is
connected to the link number: for LINK1, firewall mark 1 will send
packets to LINK1, will use the configuration of rc.LINK1, will set up the
wshaper.LINK1 script and so on.
   
   Ok, so you will have an /etc/rc.d/rc.LINKx and /etc/rc.d/wshaper.LINKx
for each link; these rc.LINKx will set the routing table LINKx properly
and put the link UP, whether it is an Ethernet or an ADSL with a PPP
interface.
    For PPP interfaces, we will have some extra configuration in
/etc/ppp, like /etc/ppp/ip-up, which will have to set some routes when the
ADSL goes UP: based on the interface, it will set the default route for
the table LINKx and set up rules, removing the old rules if the IP is
dynamic and setting the new ones for the interface's new IP. In
/etc/ppp/peers you must create one configuration for each PPP interface
you have, and each one gets a fixed name, using "unit x", so I know that
ppp0 will always be the same ADSL; otherwise Linux will choose the number
of the PPP interface dynamically, and everything would be lost. I also
have one configuration for each PPPoE interface.
    The only thing that I can not do yet is work with DHCP interfaces; I
still have to see how dhclient can be used to do the same thing I do
with the PPP interfaces.

    The firewall has to have the following in mangle:

# here, one for each link with a MARK; in this case
# LINK1 - eth1 - is a cable with a fixed IP, and LINK2 is an ADSL
$iptables -A OUTPUT -t mangle -o eth1 -j MARK --set-mark 1
$iptables -A OUTPUT -t mangle -o ppp0 -j MARK --set-mark 2

# CONNMARK PREROUTING
# packets with state INVALID can not be used with CONNMARK
$iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m state --state INVALID
$iptables -t mangle -A PREROUTING -j RETURN -m state --state INVALID

# if the packet belongs to an already known and "tagged" connection
#   then copy connmark -> mark and go ahead with routing
$iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
$iptables -t mangle -A PREROUTING -j RETURN -m mark ! --mark 0

# if it is an "untagged" connection and coming from an outside interface
#   then save this as connmark and copy connmark -> mark
$iptables -t mangle -A PREROUTING -j CONNMARK --set-mark 1 -i eth1
$iptables -t mangle -A PREROUTING -j CONNMARK --set-mark 2 -i ppp0
$iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

# CONNMARK POSTROUTING
$iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j RETURN
$iptables -A POSTROUTING -t mangle -j MARK --set-mark 1 -m state --state NEW -o eth1
$iptables -A POSTROUTING -t mangle -j MARK --set-mark 2 -m state --state NEW -o ppp0
$iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark -m state --state NEW

   This will balance the internet access, and you can set some
connections to go via a specific link:

# Secure sites always via the same link, to keep integrity
$iptables -A PREROUTING -p tcp -t mangle -s 192.168.0.0/16 --dport 5000 -j MARK --set-mark 1
   So here LAN access to port TCP 5000 will always get out via LINK1;
when LINK1 is DOWN, the main script will comment this line OUT and run
rc.firewall, so these packets will then go through the other links.
    See, if you have three links, you could do that:
$iptables -A PREROUTING -p tcp -t mangle -s 192.168.0.0/16 --dport 5000 -j MARK --set-mark 3
$iptables -A PREROUTING -p tcp -t mangle -s 192.168.0.0/16 --dport 5000 -j MARK --set-mark 2

    I will mark the same packets three times, a CPU waste, but the packets
would go via LINK2; if LINK2 goes down, they would go via LINK3; if LINK3
and LINK2 go down, the lines get commented out and the packets go via the
remaining link or links.

    At the end of the script you have to have the NAT part:
# NAT eth1
IP=`/usr/local/scripts/get_ip_interface.pl eth1`
$iptables -A POSTROUTING -t nat -m mark --mark 1 -j SNAT --to-source $IP

# NAT ppp0
IP=`/usr/local/scripts/get_ip_interface.pl ppp0`
$iptables -A POSTROUTING -t nat -m mark --mark 2 -j SNAT --to-source $IP
    You see that I first get the interface IP; that is because the IP can
change for dynamic links, and the NAT must be reset to the new IP.

    Well, attached are the main script, the main configuration, the
rc.LINKx and wshaper.LINKx that I use for my links, as well as the ADSL
configuration that I use here.
    I know this setup is complex, and it took me a long time to get to
it. I will answer any questions regarding it to try and help.
    I am using kernel 2.6.x, and it also works for kernel 2.4.x with the
CONNMARK patch.
    So, I am also attaching the configure.pl script that generates all
these configurations; yes, I've made it easy even for me.
    You can download the scripts and examples from here:
    http://www.opservices.com.br/check_links_balanced.tgz

    Any help or improvements, let me know.

    []s.

-- 
__________________________________________________
Alessandro Ren
OpServices
Luciana de Abreu, 471 - Sala 403
Porto Alegre, RS - CEP 90570-060

phone  55(51)3061-3588
fax    55(51)3061-3588
mobile 55(51)8151-8212
email  alessandro.ren@opservices.com.br

__________________________________________________


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
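An added example, not code from the message above nor from check_links_balanced.tgz: a POSIX sh sketch of the policy routing that an rc.LINKx (or /etc/ppp/ip-up, for a PPP link) has to install for the LINKn / fwmark n convention the message describes, plus the multipath default route in the main table that makes the OUTPUT -o marking spread new connections over the links. The interface names, the documentation-range addresses, the 100+n table ids in rt_tables, the rule priorities and the DRY_RUN switch are assumptions for illustration. It prints the commands by default; DRY_RUN= executes them, as root.

```sh
#!/bin/sh
# Added example, not code from the post or from check_links_balanced.tgz.
# Policy routing for the LINKn / fwmark n convention: what rc.LINKx, or
# /etc/ppp/ip-up for a PPP link, has to install. Interface names, the
# documentation-range addresses, the 100+n table ids, the rule priorities
# and DRY_RUN are assumptions. DRY_RUN=1 (default) prints the commands;
# DRY_RUN= runs them, which needs root and a kernel with policy routing.
DRY_RUN=${DRY_RUN-1}
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# iface_addr <iface>: first IPv4 address on the interface, empty if none
# (the dynamic-IP case: a PPP link only has an address once it is up).
iface_addr() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n 1
}

# ensure_table <n>: rt_tables must map the name LINKn to a table id.
ensure_table() {
    if ! grep -q "[[:space:]]LINK$1\$" "$RT_TABLES" 2>/dev/null; then
        run sh -c "echo '$((100 + $1)) LINK$1' >> '$RT_TABLES'"
    fi
}

# flush_link_rules <n>: delete every rule selecting table LINKn. Without
# this a dynamic link accumulates one stale "from <old address>" rule per
# reconnect, and a stale rule can steer traffic into a dead table.
flush_link_rules() {
    if [ -n "$DRY_RUN" ]; then
        echo "ip rule del table LINK$1   (repeated until none is left)"
        return 0
    fi
    while ip rule del table "LINK$1" 2>/dev/null; do :; done
}

# setup_link <n> <iface> [gateway] [address]
# Table LINKn gets a default route over the link: via the gateway for an
# Ethernet link, device-only for a point-to-point PPP link. Two rules
# select the table: "fwmark n", which is how the MARK/CONNMARK rules in
# rc.firewall choose the link, and "from <address>", so that packets the
# router itself sends from this link's address (replies to connections
# that arrived over it) leave by this link and not by the main default.
setup_link() {
    n=$1; iface=$2; gw=$3; addr=$4
    if [ -z "$addr" ]; then addr=$(iface_addr "$iface"); fi
    ensure_table "$n"
    flush_link_rules "$n"
    run ip route flush table "LINK$n"
    if [ -n "$gw" ]; then
        run ip route add default via "$gw" dev "$iface" table "LINK$n"
    else
        run ip route add default dev "$iface" table "LINK$n"
    fi
    run ip rule add fwmark "$n" table "LINK$n" priority "$((1000 + n))"
    if [ -n "$addr" ]; then
        run ip rule add from "$addr" table "LINK$n" priority "$((2000 + n))"
    fi
    run ip route flush cache
}

# balance_default <n:iface[:gateway]>...: rebuild the main table's default
# route as an equal-weight multipath route over the links given, i.e. the
# ones currently UP. The kernel spreads new connections across them (per
# destination, through the route cache on 2.4/2.6 kernels), the OUTPUT -o
# rules mark each one, and CONNMARK keeps the rest of the connection on
# that link. With a single link it is a plain default route: failover.
balance_default() {
    hops=""
    for spec in "$@"; do
        rest=${spec#*:}
        iface=${rest%%:*}
        case $rest in
            *:*) hops="$hops nexthop via ${rest#*:} dev $iface weight 1" ;;
            *)   hops="$hops nexthop dev $iface weight 1" ;;
        esac
    done
    if [ -z "$hops" ]; then echo "balance_default: no link is UP" >&2; return 1; fi
    run ip route replace default scope global $hops
    run ip route flush cache
}

# Wiring for the two links in the post: LINK1 = eth1 with a fixed gateway,
# LINK2 = ppp0 with whatever address pppd assigned. Run as "sh file apply".
if [ "${1:-}" = apply ]; then
    setup_link 1 eth1 203.0.113.1
    setup_link 2 ppp0
    balance_default 1:eth1:203.0.113.1 2:ppp0
fi
```

The "from <address>" rule is the part most often forgotten: the fwmark rules only steer packets that the mangle table has marked, and the OUTPUT chain in the message marks by outgoing interface after the main table has already picked one, so a reply the router sends from the ppp0 address could otherwise leave via eth1 with the wrong source address. Re-running setup_link from ip-up after every reconnect, with the flush first, is what keeps a dynamic link's rules matching its current address; balance_default is what the periodic check should call with only the links it found UP.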
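A second added example, again not the poster's check_links_balanced.pl: the health-check and failover decision that script makes, written as a sh cron job. Each host is pinged through the link's own interface, the link is declared DOWN when fewer than CRITICAL% of the hosts answer, and on an UP/DOWN transition the rules pinned to that link are commented out of (or back into) rc.firewall before the firewall is reloaded, which is the behaviour the message describes for the port 5000 rule. The "# pin LINKn" line marker, the state directory, the hosts-file format and the DRY_RUN switch are assumptions for illustration; the paths default to the ones given in the message.

```sh
#!/bin/sh
# Added example, not the poster's check_links_balanced.pl: the dead-link
# check a cron job runs every minute or two. Each host is pinged through
# the link's own interface; the link is DOWN when fewer than CRITICAL% of
# the hosts answer; on a transition the rules pinned to that link are
# commented out of (or back into) rc.firewall and the firewall is reloaded.
# The "# pin LINKn" line marker, the state directory, the hosts-file format
# and DRY_RUN are assumptions; paths default to the ones in the post.
CRITICAL=${CRITICAL:-30}
RCFIREWALL=${RCFIREWALL:-/etc/rc.d/rc.firewall}
HOSTS_FILE=${HOSTS_FILE:-/usr/local/scripts/hosts.txt}
LOGFILE=${LOGFILE:-/var/log/check_links_balanced.log}
STATEDIR=${STATEDIR:-/var/run/check_links}
DRY_RUN=${DRY_RUN-1}

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }
log() { echo "$(date '+%Y-%m-%d %H:%M:%S') $*" >> "$LOGFILE"; }

# probe_host <iface> <host>: one echo request bound to the link's interface,
# so the probe really leaves by that link rather than by the main table's
# preferred default (otherwise a dead link is measured through a live one).
probe_host() { ping -I "$1" -c 1 -W 2 "$2" >/dev/null 2>&1; }

# link_percent_up <iface> <host>...: percentage of hosts answering via iface.
link_percent_up() {
    iface=$1; shift
    total=$#; up=0
    for h in "$@"; do
        if probe_host "$iface" "$h"; then up=$((up + 1)); fi
    done
    if [ "$total" -eq 0 ]; then echo 0; return 0; fi
    echo $((up * 100 / total))
}

# link_state <iface> <host>...: UP when at least CRITICAL% of hosts answer.
# The threshold is what keeps one dead or ICMP-filtering host, or a single
# lost packet, from taking a working link down.
link_state() {
    pct=$(link_percent_up "$@")
    if [ "$pct" -ge "$CRITICAL" ]; then echo UP; else echo DOWN; fi
}

# toggle_pins <n> <UP|DOWN> [file]: rules pinned to LINKn carry a trailing
# "# pin LINKn" marker. DOWN comments them out so the pinned traffic falls
# through to the balanced rules; UP restores them. The edit goes to a copy
# that is moved into place, so a crash cannot leave a truncated firewall
# script behind for the next reload.
toggle_pins() {
    n=$1; state=$2; f=${3:-$RCFIREWALL}
    if [ "$state" = DOWN ]; then
        sed "s/^\([^#].*# pin LINK$n\)\$/#\1/" "$f" > "$f.tmp"
    else
        sed "s/^#\(.*# pin LINK$n\)\$/\1/" "$f" > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

# check_link <n> <iface> <host>...: act only on an UP/DOWN transition, so a
# link that stays DOWN does not rewrite and reload the firewall every run.
# A link with no recorded state is assumed UP (its pins are in place).
check_link() {
    n=$1; iface=$2; shift 2
    new=$(link_state "$iface" "$@")
    old=$(cat "$STATEDIR/LINK$n" 2>/dev/null || echo UP)
    if [ "$new" != "$old" ]; then
        log "LINK$n ($iface) $old -> $new"
        toggle_pins "$n" "$new"
        run sh "$RCFIREWALL"
        mkdir -p "$STATEDIR"
        echo "$new" > "$STATEDIR/LINK$n"
    fi
}

# Cron entry, e.g. "*/2 * * * * sh /usr/local/scripts/check_links.sh run".
# hosts.txt holds one IP or name per line; "#" starts a comment.
if [ "${1:-}" = run ]; then
    hosts=$(sed 's/#.*//' "$HOSTS_FILE")
    check_link 1 eth1 $hosts
    check_link 2 ppp0 $hosts
fi
```

Two details matter more than they look. Binding the probe to the interface with ping -I is what makes the measurement honest: a plain ping follows the main table's default route, so a dead ADSL link would be "checked" through the working cable and never be noticed. And acting only on a state transition, with the state kept on disk, is what stops a link that is down for an hour from rewriting and reloading the firewall, and flushing every tracked connection's marks, thirty times.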
