From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Possibilities and performance of conntrackd, NATing cluster
Date: Tue, 23 Sep 2008 15:25:43 -0500
Message-ID: <48D950C7.1000402@riverviewtech.net>
In-Reply-To: <fc69e1200809230305p267126cbgadfa5fb67a11296c@mail.gmail.com>
On 09/23/08 05:05, icovnik wrote:
> Now only to clarify that I understand it correctly:
>
> Asymmetric setup: Any router receives any of packets. All routers
> have the same information about all connections in cluster, so it
> doesn't matter which of them handles which connection.
>
> Symmetric setup: Once the connection is set up on RouterX, the whole
> connection should be handled by that very same router.
>
> Is this correct?
Eh, close.
Symmetric is where all the traffic passes through the same firewall
going both inbound and outbound, much like symmetric routes.
Whereas asymmetric is where traffic passes through different firewalls
going inbound and outbound, much like asymmetric routes.
As far as which firewalls know about the connection or not depends on
how replication is set up. However the symmetric versus asymmetric
firewalling still applies.
> How is it possible to have only one firewall to handle packets in
> cluster? Is it like in the setup in the testcase
> (http://conntrack-tools.netfilter.org/testcase.html)? If I understand
> it correctly, it means to have only one active firewall/router and
> one passive waiting for failure. How is it possible to scale to
> higher loads?
Active / passive does not scale. A/P is only meant for redundancy /
protection against one node failing.
> Hm this is interesting - split incoming/outgoing traffic to separate
> routers. Maybe the conntrackd can be used in this scenario. I would
> test it.
According to Pablo's reply to my earlier post, this is apparently not a
good idea to do. Though it sounds like it /may/ work, with some likely
undesired side effects.
Grant. . . .
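The symmetric/asymmetric distinction from the reply above, as an added toy model (example code, not from this thread or from conntrack-tools): two stateful firewalls with hypothetical names fw-a and fw-b, constructed addresses, and a replicate flag standing in for conntrackd's state synchronisation. It shows why the asymmetric path drops the reply unless the connection state has reached the other node.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" or "SYN-ACK"

INSIDE_PREFIX = "10."  # constructed: the protected network behind the cluster

def flow_key(pkt):
    # Direction-independent tuple, so a reply matches the state its request created.
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)

class StatefulFirewall:
    def __init__(self):
        self.conntrack = set()  # per-node state table

    def handle(self, pkt):
        key = flow_key(pkt)
        if pkt.flags == "SYN" and pkt.src.startswith(INSIDE_PREFIX):
            self.conntrack.add(key)  # new outbound connection creates state
            return "ACCEPT"
        return "ACCEPT" if key in self.conntrack else "DROP"  # replies need state

class Cluster:
    def __init__(self, names, replicate):
        self.fws = {n: StatefulFirewall() for n in names}
        self.replicate = replicate  # True: accepted state is pushed to every peer

    def forward(self, via, pkt):
        verdict = self.fws[via].handle(pkt)
        if verdict == "ACCEPT" and self.replicate:
            for fw in self.fws.values():
                fw.conntrack.add(flow_key(pkt))  # stand-in for conntrackd state sync
        return verdict

# Constructed sample flow: an inside host opens TCP/80 to an external server.
SYN = Packet("10.0.0.5", 40000, "203.0.113.10", 80, "SYN")
SYN_ACK = Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SYN-ACK")

def symmetric_handshake(replicate):
    c = Cluster(["fw-a", "fw-b"], replicate)  # both directions via fw-a
    return (c.forward("fw-a", SYN), c.forward("fw-a", SYN_ACK))

def asymmetric_handshake(replicate):
    c = Cluster(["fw-a", "fw-b"], replicate)  # out via fw-a, reply via fw-b
    return (c.forward("fw-a", SYN), c.forward("fw-b", SYN_ACK))
```

The symmetric case accepts the handshake regardless of replication; the asymmetric case returns ("ACCEPT", "DROP") without replication and ("ACCEPT", "ACCEPT") with it.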