From: Brian Ghidinelli <brian@vfive.com>
To: netfilter@vger.kernel.org
Subject: What's required for a stateful firewall + ipvs in 2.6 kernel?
Date: Tue, 09 Sep 2008 16:47:28 -0700
Message-ID: <48C70B10.3040405@vfive.com>


I'm trying to get a handle on whether or not it's possible to set up the 
following on a redundant pair of boxes:

1. Stateful iptables firewall
2. LVS director (keepalived)
3. DNAT, SNAT and fwmarks
4. Connection synchronization for failover

I currently have CentOS/RHEL 5 running 1, 2 and 3 above but the RHEL 
2.6.18-* kernels don't export LVS connections to netfilter resulting in 
lots of INVALID packets on return traffic from real servers.  It also 
prevents connection synchronization to the backup fw/director for 
failover.  Google has been giving me conflicting results on the 
following questions:

* Do the antefacto patches allow netfilter to access connections managed 
by ipvs and support DNAT, SNAT and fwmarks used in the LVS configuration?

* Has anyone gotten this to work on RHEL/CentOS via a kernel recompile 
with the antefacto patches?

If so, is there anything needed beyond the following?

1. Recompile CentOS kernel (2.6.18 ok?) with Antefacto patches 
(http://www.ssi.bg/~ja/nfct/)

2. Setup conntrackd - will mirror the connection information 
synchronized by keepalived at the netfilter level.  Will conntrackd work 
on RHEL/CentOS 5.2?

Are libnfnetlink or libnetfilter_conntrack required?  I have been 
reading all day but don't yet follow how all of the pieces go together. 
Many thanks for any advice here...


Brian
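For readers following the same path, here is what step 2 of the procedure above (running conntrackd on the two directors so that the netfilter connection table follows keepalived's failover) looks like in practice. This is an added example, not part of Brian's message or of the conntrack-tools project's shipped files; the multicast group, the 192.168.100.0/24 sync network, the interface name eth1 and the buffer sizes are assumptions to be replaced with the values of the actual pair. It assumes a kernel whose conntrack table actually sees the LVS-handled flows (the point of the nfct patches in step 1); without that, there is nothing for conntrackd to replicate.

```conf
# /etc/conntrackd/conntrackd.conf (example; addresses and interface are assumed)
Sync {
    # FTFW: reliable replication with acknowledgements, the mode to use
    # for a primary/backup pair where losing state on failover matters.
    Mode FTFW {
    }
    # State is exchanged over a dedicated link between the two directors.
    Multicast {
        IPv4_address 225.0.0.50
        Group 3780
        IPv4_interface 192.168.100.1   # this node's address on the sync link
        Interface eth1                 # interface carrying the sync traffic
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
}

General {
    Nice -20
    HashSize 32768
    HashLimit 131072
    LogFile on
    LockFile /var/lock/conntrack.lock
    # Control socket used by the notify scripts and by "conntrackd -s" for stats.
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    # Large netlink buffers so bursts of new LVS connections are not dropped
    # before they reach the daemon.
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    Filter From Userspace {
        # Only TCP is worth replicating here; UDP/ICMP state is short-lived.
        Protocol Accept {
            TCP
        }
        # Never replicate loopback or the sync-link traffic itself.
        Address Ignore {
            IPv4_address 127.0.0.1
            IPv4_address 192.168.100.1
        }
    }
}
```

The mirror side uses the same file with its own address (for example 192.168.100.2) in `IPv4_interface` and in the `Address Ignore` block. keepalived then has to tell conntrackd about role changes: its `notify_master` / `notify_backup` hooks are pointed at the `primary-backup.sh` script that ships with conntrack-tools, which on the new master commits the replicated external cache into the kernel table with `conntrackd -c`, so that the connections the old director was forwarding keep matching ESTABLISHED rules instead of showing up as INVALID.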


Thread overview: 6+ messages
2008-09-09 23:47 Brian Ghidinelli [this message]
2008-09-10 15:16 ` What's required for a stateful firewall + ipvs in 2.6 kernel? Grant Taylor
2008-09-10 17:00   ` Brian Ghidinelli
2008-09-10 17:03     ` Grant Taylor
2008-09-23 10:09 ` Pablo Neira Ayuso
2008-09-23 20:31   ` Grant Taylor