From: Patrick McHardy
Subject: Re: [PATCH 2/3][CONNTRACK] Introduce the pickup facilities to take over TCP connections
Date: Tue, 22 Aug 2006 01:12:48 +0200
Message-ID: <44EA3DF0.9040104@trash.net>
References: <44E972E1.4080500@netfilter.org> <44EA11C1.2090705@netfilter.org>
To: Krzysztof Oledzki
Cc: Harald Welte, Netfilter Development Mailinglist, Pablo Neira Ayuso

Krzysztof Oledzki wrote:
> On Mon, 21 Aug 2006, Pablo Neira Ayuso wrote:
>
>> You seem to be confused with the IPS_PICKUP flag: this flag must be
>> set for conntracks created from userspace via ctnetlink, thus the TCP
>> window tracking knows that it has to take over the valid window of TCP
>> sequences, once that happens this flag is unset.
>
> Hm, let's assume we have two firewalls for active-active configuration.
> How does the second firewall know that it should accept/drop a packet
> with a specific seq number from a connection that was previously handled by
> the first one?
>
> Please excuse me if this is obvious, but I wasn't able to find any
> information about how it was solved. All I found is the TODO file
> with:
>
> o support for TCP window tracking
>   - at the moment you have to disable it:
>     echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

I think the question is whether connections will bounce between nodes
multiple times or just once when a node fails. The former would need to
have the IPS_PICKUP flag constantly enabled.
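The bounce-once versus bounce-repeatedly distinction raised above, as an added toy model (constructed for this thread, not kernel or conntrackd code): a one-shot pickup flag on the standby node survives a single failover, but once the flow returns to a node whose window state is stale, strict tracking drops it unless be_liberal (or a permanently set pickup flag) is in effect. The window arithmetic is simplified, the IPS_PICKUP bit value is assumed, and window state is assumed not to be re-synchronised between the nodes after the entry is created.

```python
"""Toy model of one-shot TCP window pickup in an active-active firewall pair.
Constructed for illustration; not the kernel's tcp_in_window() or conntrackd.
Simplification: a segment is in window when it overlaps
[td_end - td_maxwin, td_end + td_maxwin] of the tracked direction."""

IPS_PICKUP = 1 << 0  # assumed bit value; only the flag name is from the thread


class TcpTrack:
    """Window state for one direction of a conntrack entry on one node."""

    def __init__(self, td_end, td_maxwin, flags=0, be_liberal=False):
        self.td_end = td_end          # highest seq+len seen from the sender
        self.td_maxwin = td_maxwin    # largest window the peer advertised
        self.flags = flags
        self.be_liberal = be_liberal  # ip_conntrack_tcp_be_liberal=1

    def in_window(self, seq, length):
        return (seq <= self.td_end + self.td_maxwin
                and seq + length >= self.td_end - self.td_maxwin)

    def packet(self, seq, length):
        """Accept or drop one segment, updating state as tracking would."""
        if self.flags & IPS_PICKUP:
            # One-shot pickup: adopt the window this packet implies, then clear.
            self.td_end = seq + length
            self.flags &= ~IPS_PICKUP
            return True
        if not self.in_window(seq, length):
            return self.be_liberal  # liberal mode accepts but keeps stale state
        self.td_end = max(self.td_end, seq + length)
        return True


def failover_scenario(bounces, be_liberal=False, segments_per_stay=10):
    """Flow starts on node 0; node 1 received the entry via ctnetlink with
    IPS_PICKUP set.  Each bounce moves the flow to the other node, and the
    window state is assumed not to be re-synced afterwards.  Returns the
    number of dropped segments (constructed scenario)."""
    seq, dropped, active = 1000, 0, 0
    nodes = [TcpTrack(seq, 8192, be_liberal=be_liberal),
             TcpTrack(seq, 8192, flags=IPS_PICKUP, be_liberal=be_liberal)]
    for _ in range(bounces + 1):
        for _ in range(segments_per_stay):
            if not nodes[active].packet(seq, 1460):
                dropped += 1
            seq += 1460
        active ^= 1
    return dropped
```

With strict tracking, `failover_scenario(1)` drops nothing while `failover_scenario(2)` drops every segment of the third stay; with `be_liberal=True` nothing is dropped in either case.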