* [PATCH 0/3 v2] netfilter: multi-primary firewall clustering support
@ 2009-02-05 17:22 Pablo Neira Ayuso
0 siblings, 0 replies; only message in thread
From: Pablo Neira Ayuso @ 2009-02-05 17:22 UTC (permalink / raw)
To: Netfilter Development Mailinglist; +Cc: Patrick McHardy
Hi Patrick,
This is the second version of the clustering support for iptables. The
following patches add one target for arptables, one target and one
match for iptables. They are useful to setup active/active setups both
for gateways with connection tracking support and back-end servers.
[PATCH 1/3] netfilter: arptables: add mcmangle target
[PATCH 2/3] netfilter: xtables: add PKTTYPE target
[PATCH 3/3] netfilter: xtables: add cluster match
One node of my testbed in an primary/backup setup performs very simple
stateful filtering and NAT of ~21000 TCP connections per second. By
using these target/matches appropriately, my two firewall nodes
(multi-primary setup) can filter traffic reaching up to ~30000
connection per second, which means a gain of ~40% more. I don't know yet
the limit of this solution in terms of scalability as I also have two
firewall nodes.
BTW, this patchset contains some of the Jan Engelhardt's suggestions.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2009-02-05 17:22 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-02-05 17:22 [PATCH 0/3 v2] netfilter: multi-primary firewall clustering support Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).