* RE: LVS and fault-tolerant Firewall.
From: James Miller @ 2003-09-16 22:41 UTC
To: LinuxVirtualServer.org users mailing list.; Cc: netfilter

Yes, but you can not run iptables/netfilter and maintain connection tracking
with keepalived (vrrp), so if you fail over, established/related traffic
will not be known to .

For some folks this isn't an issue. For me it is a show-stopper. I'm sure
there are good reasons why the netfilter folks can't come up with a conntrack
state-sharing mechanism.

just my $0.02,

->Jim

-----Original Message-----
From: lvs-users-bounces+jimm=simutronics.com@linuxvirtualserver.org
[mailto:lvs-users-bounces+jimm=simutronics.com@linuxvirtualserver.org] On Behalf Of mb@os.datafx.com.au
Sent: Tuesday, September 16, 2003 4:26 PM
To: LinuxVirtualServer.org users mailing list.
Subject: Re: LVS and fault-tolerant Firewall.

Quoting Kjetil Torgrim Homme <kjetilho@ifi.uio.no>:

> do you really need LVS? you only need failover, not load balancing,
> right?

Correct.

> keepalived does the failover bit nicely.

Excellent! - Exactly what I was looking for.

Regards,
MB

> (Julian Anastasov is working on making LVS integrate with Netfilter.
> LVS passes on the packets before firewall rules are applied. if the
> code is completed, Netfilter integration will be an option since the
> performance penalty is quite noticeable.)
> --
> Kjetil T. | read and make up your own mind
>           | http://www.cactus48.com/truth.html

_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://www.in-addr.de/mailman/listinfo/lvs-users
* Re: LVS and fault-tolerant Firewall.
From: Kovacs Krisztian @ 2003-09-17 8:09 UTC
To: jimm; Cc: LinuxVirtualServer.org users mailing list., netfilter

Hi,

James Miller wrote:
> Yes, but you can not run iptables/netfilter and maintain connection tracking
> with keepalived (vrrp), so if you fail over, established/related traffic
> will not be known to .
>
> For some folks this isn't an issue. For me it is a show-stopper. I'm sure
> there are good reasons why the netfilter folks can't come up with a conntrack
> state-sharing mechanism.

This is not true. Harald published a paper last year at OLS2002, which
gives an overview of how connection tracking failover could be implemented
for Netfilter. There are no theoretical problems with the approach; I've
created some proof-of-concept code this spring. However, it's far from
being usable in a real-world environment at the moment, and this is the
primary reason it has not been released to the public yet.

You can get slightly more information from my presentation at the second
Netfilter Workshop, available in OpenOffice.org Impress format at
http://home.sch.bme.hu/~piglet/nf-ha/nfws_ha.sxi

--
Regards,
Krisztian KOVACS
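Jim's point above (a VRRP failover between two netfilter boxes leaves the new master with an empty connection-tracking table, so mid-stream packets that only match an established/related rule are dropped) and Krisztian's answer (the conntrack state can be replicated to the standby) can be seen together in a small model. The following is an added example written for this archive page; it is not code from the thread, from keepalived or from Netfilter. The Packet and Firewall classes, the flow key, the addresses and the in-process "replication" to a peer object are all constructed for illustration and stand in for real conntrack entries and a real state-sync channel.

```python
"""Toy active/backup stateful firewall pair, to show why a VRRP failover
without connection-tracking state replication drops established flows.
Everything here is a constructed illustration, not keepalived/Netfilter code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first segment of a TCP flow (SYN without ACK)


def flow_key(pkt):
    """Direction-independent conntrack key, so server replies match the
    entry created by the client's SYN (the ESTABLISHED/RELATED idea)."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


class Firewall:
    def __init__(self, name, allowed_new_ports, peers=()):
        self.name = name
        self.allowed_new_ports = frozenset(allowed_new_ports)  # policy for NEW flows
        self.conntrack = set()      # local connection-tracking table
        self.peers = list(peers)    # standby nodes that receive copies of new entries

    def filter(self, pkt):
        """Stateful policy: anything in conntrack is accepted; only SYNs to
        allowed ports may create state; everything else is dropped."""
        key = flow_key(pkt)
        if key in self.conntrack:
            return "ACCEPT(ESTABLISHED)"
        if pkt.syn and pkt.dport in self.allowed_new_ports:
            self.conntrack.add(key)
            for peer in self.peers:
                peer.conntrack.add(key)   # replicate the new entry to the standby
            return "ACCEPT(NEW)"
        return "DROP"


def failover_scenario(replicate_state):
    """Open one HTTP flow through fw1, fail over to fw2, return all verdicts."""
    fw2 = Firewall("fw2", {80})
    fw1 = Firewall("fw1", {80}, peers=[fw2] if replicate_state else [])
    client, server = "203.0.113.5", "198.51.100.10"   # constructed addresses
    syn = Packet(client, 40000, server, 80, syn=True)
    reply = Packet(server, 80, client, 40000)
    data = Packet(client, 40000, server, 80)

    verdicts = [fw1.filter(syn), fw1.filter(reply), fw1.filter(data)]
    # fw1 dies and VRRP moves the virtual IP to fw2. The client's next
    # mid-stream segment and the server's reply now arrive at fw2, which
    # never saw the SYN.
    verdicts += [fw2.filter(data), fw2.filter(reply)]
    return verdicts


if __name__ == "__main__":
    print("no state sync:  ", failover_scenario(replicate_state=False))
    print("with state sync:", failover_scenario(replicate_state=True))
```

Without replication the two post-failover packets are dropped, which is exactly the established/related gap Jim describes; with the entry copied to fw2 ahead of time the same packets are accepted as ESTABLISHED. A real implementation has to ship entries (and their timeouts and TCP state) over a dedicated link and cope with lag, which is the hard part the thread refers to rather than anything this model captures.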
* Re: LVS and fault-tolerant Firewall.
From: Joseph Mack @ 2003-09-17 9:25 UTC
To: jimm, LinuxVirtualServer.org users mailing list.; Cc: netfilter

James Miller wrote:
>
> I'm sure
> there are good reasons why the netfilter folks can't come up with a conntrack
> state-sharing mechanism.

It's been in the works for about 2 yrs. The first problem was a design
that would survive for several years. When that was handled the next
problem was getting the money to pay the people while they wrote it.
Harald Welte, who was going to do it, thought he was getting funding last
year but at the last moment the money fell through. What's needed now is
money for 4 months salary for Harald (or someone to do it for free).

Joe

--
Joseph Mack PhD, High Performance Computing & Scientific Visualization
SAIC, Supporting the EPA Research Triangle Park, NC 919-541-0007
Federal Contact - John B. Smith 919-541-1087 - smith.johnb@epa.gov