From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Possibilities and performance of conntrackd, NATing cluster
Date: Wed, 17 Sep 2008 16:07:14 -0500 [thread overview]
Message-ID: <48D17182.1090000@riverviewtech.net> (raw)
In-Reply-To: <48D0DD27.70109@netfilter.org>
On 09/17/08 05:34, Pablo Neira Ayuso wrote:
> If you are refering to an asymmetric setup where the packets can be
> filtered by whatever node, it's likely that you'll experience
> problems. The daemon `conntrackd' is asynchronous, so there are race
> conditions between the packets and the state updates, ie. one of the
> firewall nodes may receive a packet but its state may not be
> up-to-date yet.
Ah. Ok.
> The way to go is a symmetric setup where all nodes receives the
> packets and only one firewall node handles them. This can be achieved
> by means of hash-based load-sharing. There's some works on that
> direction.
Interesting. I can see how this would easily scale beyond two nodes (or
two primary and two backup) much easier.
> It's soft real-time. conntrackd does its best here. A hard real-time
> approach would harm performance in terms of latency and bandwidth.
Ok... Can you comment on whether or not CheckPoint's is soft or hard
real-time (or something in between)? What about any thing else? In
other words, is this a Linux / conntrackd shortcoming or just a
shortcoming of load balancing across firewalls?
> Limit? I don't know yet, I'm still testing with only two nodes, but I
> expect to do it with up to four. Moreover, the replication approaches
> still require a small change in the code to cleanly support more than
> two nodes.
*nod*
> This is right.
:)
> This is asymmetric multipath, it is not really a good idea and also
> you'll waste lots of resources in the replication. Therefore, if your
> intention is to improve scalability, this won't help. The way to go
> is the symmetric setup.
Ok.
> This is a description for the asymmetric setup, isn't it?
Well, it was initially written as asymmetric, but it could easily be
changed to symmetric by having one node be the primary for both inbound
and outbound traffic and have the other node be backup.
Considering the hashed based load balancing I'm not quite sure how I
would apply VRRP. I think I'd end up using hashing across multiple sets
of VRRP active / standby nodes. But that is quite a ways beyond the OPs
question.
Grant. . . .
next prev parent reply other threads:[~2008-09-17 21:07 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-16 14:16 Possibilities and performance of conntrackd, NATing cluster icovnik
2008-09-16 18:42 ` Grant Taylor
2008-09-17 10:34 ` Pablo Neira Ayuso
2008-09-17 21:07 ` Grant Taylor [this message]
2008-09-18 7:26 ` julien vehent
2008-09-18 14:25 ` Pablo Neira Ayuso
2008-09-18 14:49 ` Matt Zagrabelny
2008-09-18 15:06 ` Pablo Neira Ayuso
2008-09-18 14:52 ` Michael Schwartzkopff
2008-09-23 10:05 ` icovnik
2008-09-23 20:25 ` Grant Taylor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48D17182.1090000@riverviewtech.net \
--to=gtaylor@riverviewtech.net \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox