Re: [PATCH] netfilter: xtables: add cluster match

[Patrick McHardy <kaber@trash.net>]

[Please trim unrelated content, these mails are getting hard to read]

Pablo Neira Ayuso wrote:
> Patrick McHardy wrote:
>> BTW, I recently looked into TIPC, its incredibly easy to use since
>> it deals with dead-node dectection etc internally and all you need
>> to do is exchange a few messages. Might be quite easy to write a
>> smarter failover daemon.
> 
> I see, I don't have more convincing arguments that "I would also need
> time for that but in the meanwhile, please allow this". Well, failover
> daemons are delicate pieces of software, they have to be stable,
> well-tested, bug-free, give timely responses. Still TIPC is experimental
> and I guess that the dead-node detection is only layer 3/4 based on
> heartbeats. Dead-node detection is a tricky issue, the more you can
> perform different layer checkings, the more increase chances to make
> wrong decisions that may lead to inconsistent situations and tons of
> problems. VRRP is the current standard and this one of his limitations,
> and so on.
> 
> Well, if you are not going to accept the /proc interface, not matter
> what I can argument, I give up on this ;)

I'm afraid I can't be convinced of this. If you want to specify
multiple node ids, have the iptables command accept them, but
there's no reason to use proc for this.

> Anyway, probably, this is a premature optimization (but worth?). Some
> numbers, in my testbed, I get ~1800 TCP connections per second less with
> eight cluster rules (no /proc interface).
> 
> 24347 TCP connections per second with one rule.
> 22580 TCP connections per second with eight rules.
> 
> OK, I'll send you another patch without the /proc interface.

Thanks. As I said, I don't have anything against handling multiple
nodes in one rule, as long as its not done using proc.