Linux Netfilter discussions
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Sebastian Vieira <sebvieira@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: multiprimary conntrackd setup
Date: Wed, 18 Jun 2008 15:05:44 +0200
Message-ID: <48590828.2060206@netfilter.org>
In-Reply-To: <279239c70806170402j47f89251s2379d0909c1bca0e@mail.gmail.com>

Sebastian Vieira wrote:
> Hi,
> 
> I must be looking in the wrong places for documentation but so far I'm
> unable to find it. I'm trying to set up a multiprimary (active-active)
> conntrackd on 2 firewalls. I have conntrackd running on both nodes and
> 'conntrackd -s' shows that mcast is working. However, I still have to
> do a manual 'conntrackd -c;conntrackd -R' to sync both tables (as
> would be proper in a failover / active-backup situation). Other than
> enabling CacheWriteThrough, I couldn't find anything on multiprimary
> setup.

What kind of active-active? There are two kinds:
a) symmetric or flow-based: the packets are always handled by the same
firewall replica. In this case, you only have to call conntrackd -c
during the failover (which is usually done by your HA manager such as
keepalived).

b) asymmetric or packet-based: the typical case of OSPF setups; there are no
guarantees that the packet is handled by the same firewall replica, as
OSPF may change the routes at any time. In that case, you have to enable
CacheWriteThrough. However, from the design point of view,
conntrackd is better suited to scenario a).

> If someone could point me to the correct documentation, I would
> be very happy indeed :)

There's no documentation on active-active setups yet, but there will be
some at some point for sure. Anyway, I'd appreciate it if you could write it.
Feel free to ask whatever you need.

-- 
"Honest people are social misfits" -- Les Luthiers
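One way to wire scenario a) into the HA manager mentioned above, as an added example that is not conntrack-tools' own script: a keepalived notify script that runs `conntrackd -c` (commit the external cache into the kernel) when the node becomes MASTER, followed by the `conntrackd -R` resync the original poster was running by hand. The keepalived argument order (type, name, state) and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical keepalived notify script for a flow-based (scenario a)
# active-active conntrackd pair.  keepalived invokes it as:
#   notify.sh INSTANCE|GROUP <name> MASTER|BACKUP|FAULT
# Set DRY_RUN=1 to print the conntrackd commands instead of running them
# (handy on a host without conntrackd, and used by the test below).

DRY_RUN=${DRY_RUN:-0}

# Execute a command, or just echo it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Map a keepalived state transition to the conntrackd actions it needs.
conntrackd_on_state() {
    case "$1" in
        MASTER)
            # Failover: the peer's flows sit in our external cache.
            # Commit them into the kernel table so inherited connections
            # keep working (the "conntrackd -c during the failover" step).
            run conntrackd -c
            # Resynchronise the internal cache with the kernel table so the
            # committed entries are replicated back out over multicast.
            run conntrackd -R
            ;;
        BACKUP)
            # Nothing to commit: keep receiving the peer's state via mcast.
            ;;
        *)
            # FAULT or unknown state: leave the tables untouched.
            ;;
    esac
}

# Dispatch only when called by keepalived with its three arguments.
if [ "$#" -eq 3 ]; then
    conntrackd_on_state "$3"
fi
```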
