From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Brian Ghidinelli <brian@vfive.com>
Cc: netfilter@vger.kernel.org
Subject: Re: What's required for a stateful firewall + ipvs in 2.6 kernel?
Date: Tue, 23 Sep 2008 12:09:51 +0200	[thread overview]
Message-ID: <48D8C06F.6030101@netfilter.org> (raw)
In-Reply-To: <48C70B10.3040405@vfive.com>

Brian Ghidinelli wrote:
> I'm trying to get a handle on whether or not it's possible to set up the
> following on a redundant pair of boxes:
> 
> 1. Stateful iptables firewall
> 2. LVS director (keepalived)
> 3. DNAT, SNAT and fwmarks
> 4. Connection synchronization for failover
> 
> I currently have CentOS/RHEL 5 running 1, 2 and 3 above but the RHEL
> 2.6.18-* kernels don't export LVS connections to netfilter resulting in
> lots of INVALID packets on return traffic from real servers.  It also
> prevents connection synchronization to the backup fw/director for
> failover.  Google has been giving me conflicting results on the
> following questions:
> 
> * Do the antefacto patches allow netfilter to access connections managed
> by ipvs and support DNAT, SNAT and fwmarks used in the LVS configuration?
> 
> * Has anyone gotten this to work on RHEL/CentOS via a kernel recompile
> with the antefacto patches?
> 
> If so, is there anything needed beyond the following?
> 
> 1. Recompile CentOS kernel (2.6.18 ok?) with Antefacto patches
> (http://www.ssi.bg/~ja/nfct/)

The last time that I had a look at the antefacto patch it looked to me
like a hack. IIRC, the problem is the LVS design (at least some time ago when
I had a look at it) as it bypasses the network stack. This screws up the
possibility of having stateful firewalling and LVS.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers
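A check for the symptom Brian describes, added here as an example that is not part of the thread and not code from the netfilter or LVS projects: it cross-reads the director's /proc/net/ip_vs_conn table against /proc/net/nf_conntrack and lists IPVS connections that conntrack has no entry for. On a kernel where IPVS bypasses conntrack, the return packets of exactly those flows (real server back to client) cannot match ESTABLISHED,RELATED and end up as INVALID. The two proc file formats are the real ones (hex IPv4 addresses and ports in ip_vs_conn, key=value tuples in nf_conntrack); the sample lines are constructed for the example, and the function names are this example's own.

```python
"""Cross-check the IPVS connection table against netfilter conntrack.

Added example, not code from the thread or from the LVS/netfilter projects.
Reads the text formats of /proc/net/ip_vs_conn and /proc/net/nf_conntrack
and reports IPVS connections that conntrack knows nothing about.
"""
import re
import socket
import struct

# Constructed sample of /proc/net/ip_vs_conn. Addresses and ports are hex:
#   192.168.0.10:50000 -> VIP 192.168.0.2:80 forwarded to real server 192.168.0.3:80
#   192.168.0.11:50001 -> VIP 192.168.0.2:80 forwarded to real server 192.168.0.4:80
SAMPLE_IPVS_CONN = """\
Pro FromIP   FPrt ToIP     TPrt DestIP   DPrt State       Expires
TCP C0A8000A C350 C0A80002 0050 C0A80003 0050 ESTABLISHED     899
TCP C0A8000B C351 C0A80002 0050 C0A80004 0050 ESTABLISHED     850
"""

# Constructed sample of /proc/net/nf_conntrack: only the second IPVS flow is
# tracked; the other entry is an unrelated SSH session to the director.
SAMPLE_NF_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.0.11 dst=192.168.0.2 sport=50001 dport=80 src=192.168.0.4 dst=192.168.0.11 sport=80 dport=50001 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=10.0.0.5 dst=192.168.0.2 sport=40000 dport=22 src=192.168.0.2 dst=10.0.0.5 sport=22 dport=40000 [ASSURED] mark=0 use=1
"""

# Original-direction tuple of an nf_conntrack line. The state column is
# optional because UDP entries do not carry one.
CT_RE = re.compile(
    r"^ipv4\s+\d+\s+(?P<proto>\w+)\s+\d+\s+\d+\s+(?:\S+\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def _hex_ip(h):
    """Convert an ip_vs_conn hex address such as C0A80002 to dotted quad."""
    return socket.inet_ntoa(struct.pack("!I", int(h, 16)))


def parse_ipvs_conn(text):
    """Parse ip_vs_conn lines into dicts with client, vip and real server tuples."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Pro":
            continue  # header or malformed line
        proto, cip, cport, vip, vport, dip, dport, state = fields[:8]
        conns.append({
            "proto": proto.lower(),
            "client": (_hex_ip(cip), int(cport, 16)),
            "vip": (_hex_ip(vip), int(vport, 16)),
            "real": (_hex_ip(dip), int(dport, 16)),
            "state": state,
        })
    return conns


def parse_nf_conntrack(text):
    """Return the set of original-direction (proto, src, sport, dst, dport) tuples."""
    tracked = set()
    for line in text.splitlines():
        m = CT_RE.match(line)
        if m:
            tracked.add((m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return tracked


def untracked_ipvs_connections(ipvs_text, ct_text):
    """IPVS connections whose client->VIP tuple has no conntrack entry.

    Return traffic of these flows has no state to match on the director, so a
    ruleset that accepts ESTABLISHED,RELATED and drops INVALID will drop it.
    """
    tracked = parse_nf_conntrack(ct_text)
    missing = []
    for c in parse_ipvs_conn(ipvs_text):
        key = (c["proto"], c["client"][0], c["client"][1], c["vip"][0], c["vip"][1])
        if key not in tracked:
            missing.append(c)
    return missing


def main():
    """Run against the live proc files on a director (needs no privileges beyond read)."""
    with open("/proc/net/ip_vs_conn") as f:
        ipvs_text = f.read()
    with open("/proc/net/nf_conntrack") as f:
        ct_text = f.read()
    for c in untracked_ipvs_connections(ipvs_text, ct_text):
        print("%s %s:%d -> %s:%d (real %s:%d) %s: not in conntrack" % (
            c["proto"], c["client"][0], c["client"][1], c["vip"][0], c["vip"][1],
            c["real"][0], c["real"][1], c["state"]))


if __name__ == "__main__":
    main()
```

On the constructed samples the first IPVS flow is reported as untracked and the second is not; on a director running with the behaviour described in the thread, every active IPVS connection shows up in the report, while a kernel that does hand IPVS flows to conntrack leaves it empty.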
