From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Oliver <olipro@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] death_by_event() does not check IPS_DYING_BIT - race condition against ctnetlink_del_conntrack
Date: Thu, 30 Aug 2012 18:22:48 +0200
Message-ID: <20120830162248.GA3783@1984>
In-Reply-To: <149613366.axl8ME3any@gentoovm>

Hi Oliver,

On Thu, Aug 30, 2012 at 02:28:20PM +0200, Oliver wrote:
> On Thursday 30 August 2012 12:34:37 you wrote:
> > Yes, I prefer the second patch. There are still races in the first
> > patch I sent you, harder to trigger, but still there.
> > 
> > There are several cleanups I'd like to recover from the first patch
> > though. Would you help testing them?
> > 
> > Thanks a lot for testing.
> 
> Hi Pablo,
> 
> Yep, I'd be happy to test. I've also uncovered a new issue: I have two
> Active-Active machines (conntrackd running NOTRACK mode with both External
> and Internal cache disabled)

Thanks. I'll send you patches then.

> In kernel 3.2 this pair works asymmetrically and issue-free. Upgrade it to
> 3.4 and it immediately has around 50% failure of TCP connection attempts on
> systems behind them - ICMP, on the other hand, is flawless, and DNS lookups
> are also OK, so I *believe* that UDP may also be performing well - I've no
> idea where to even look on this one, so any insight would be most
> appreciated.

Unfortunately, asymmetric active-active is a crazy setup for conntrack
(the documentation already discusses this). The state synchronization
that we are doing is asynchronous, so state updates race with TCP
packets. We don't support this, sorry.

We can support active-active with hash-based load-sharing with the
cluster match / arptables; it seems saner to me. The theory is
described here:

http://1984.lsi.us.es/~pablo/docs/intcomp09.pdf

However, there is no documentation yet on how to make it. Last time I
looked at existing HA daemons, I didn't find that they support
active-active setups very well, so they require some changes / we need
some small new HA daemon for this.

I need to work on active/active load-sharing, to fully document and
support it. That's not at the top of my priority list at the moment
though.

Another (simpler) alternative, in case your firewalls have two IPs, is
to statically distribute the load between your firewalls by assigning
different gateway IPs to your client nodes. That should not be hard to
deploy.
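As an added illustration of the hash-based load-sharing that the reply above recommends over asymmetric state sync (this is example code written for this archive page, not a rule set from the thread or from the conntrack-tools project), the script below emits the iptables "cluster" match rules plus the arptables / multicast-MAC glue that lets two firewalls see every frame and each keep only the flows whose hash bucket it owns. The interface names, node numbering, hash seed, mark value and the local MAC address are assumptions chosen for the example; the seed and node count must be identical on every node. Without `APPLY=1` the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: active-active load-sharing with the xt_cluster match.
# Assumptions for illustration: two nodes, interfaces eth1/eth2, seed,
# mark value and the local MAC below. Set APPLY=1 to execute for real.
set -eu

TOTAL_NODES=2                   # assumed: two firewalls share the load
HASH_SEED=0xdeadbeef            # assumed: same seed on every node
SHARE_MARK=0xffff               # assumed: "this node owns the flow"
CLUSTER_MAC=01:00:5e:00:01:01   # multicast MAC both nodes listen on
LOCAL_MAC=00:11:22:33:44:55     # assumed placeholder: this node's real MAC

# Print the command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi
}

# Cluster-match rules for one interface on one node.
# mangle/PREROUTING runs after the conntrack lookup but before the entry
# is confirmed, so a flow dropped here never enters this node's table.
# The match hashes the conntrack tuple (same bucket for both directions)
# and marks the packet only if this node owns that bucket.
cluster_rules() {
    local_node=$1
    iface=$2
    run iptables -t mangle -A PREROUTING -i "$iface" \
        -m cluster --cluster-total-nodes "$TOTAL_NODES" \
        --cluster-local-node "$local_node" \
        --cluster-hash-seed "$HASH_SEED" \
        -j MARK --set-mark "$SHARE_MARK"
    run iptables -t mangle -A PREROUTING -i "$iface" \
        -m mark ! --mark "$SHARE_MARK" -j DROP
}

# Make neighbours resolve the shared IP to the multicast MAC, so every
# node receives every frame, and rewrite inbound ARP back to the local
# MAC; join the multicast group so the NIC accepts those frames.
arp_rules() {
    iface=$1
    run arptables -A OUTPUT -o "$iface" --h-length 6 \
        -j mangle --mangle-mac-s "$CLUSTER_MAC"
    run arptables -A INPUT -i "$iface" --h-length 6 \
        --destination-mac "$CLUSTER_MAC" \
        -j mangle --mangle-mac-d "$LOCAL_MAC"
    run ip maddr add "$CLUSTER_MAC" dev "$iface"
}

# Node 1's configuration for both legs (node 2 would use local node 2
# with the same seed and total).
for dev in eth1 eth2; do
    arp_rules "$dev"
    cluster_rules 1 "$dev"
done
```

Each node keeps the flows in its own bucket and drops the rest before they are confirmed, so no state needs to be synchronized for the steady state; failover still requires the surviving node to take over the other bucket (`--cluster-local-nodemask` in newer iptables lets one node claim several buckets), which is the part the reply says existing HA daemons handle poorly.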
