0269ea4937
This patch adds the iptables cluster match. This match can be used to deploy gateway and back-end load-sharing clusters. The cluster can be composed of 32 nodes maximum (although I have only tested this with two nodes, so I cannot tell what is the real scalability limit of this solution in terms of cluster nodes). Assuming that all the nodes see all packets (see below for an example on how to do that if your switch does not allow this), the cluster match decides if this node has to handle a packet given: (jhash(source IP) % total_nodes) & node_mask For related connections, the master conntrack is used. The following is an example of its use to deploy a gateway cluster composed of two nodes (where this is the node 1): iptables -I PREROUTING -t mangle -i eth1 -m cluster \ --cluster-total-nodes 2 --cluster-local-node 1 \ --cluster-proc-name eth1 -j MARK --set-mark 0xffff iptables -A PREROUTING -t mangle -i eth1 \ -m mark ! --mark 0xffff -j DROP iptables -A PREROUTING -t mangle -i eth2 -m cluster \ --cluster-total-nodes 2 --cluster-local-node 1 \ --cluster-proc-name eth2 -j MARK --set-mark 0xffff iptables -A PREROUTING -t mangle -i eth2 \ -m mark ! --mark 0xffff -j DROP And the following commands to make all nodes see the same packets: ip maddr add 01:00:5e:00:01:01 dev eth1 ip maddr add 01:00:5e:00:01:02 dev eth2 arptables -I OUTPUT -o eth1 --h-length 6 \ -j mangle --mangle-mac-s 01:00:5e:00:01:01 arptables -I INPUT -i eth1 --h-length 6 \ --destination-mac 01:00:5e:00:01:01 \ -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27 arptables -I OUTPUT -o eth2 --h-length 6 \ -j mangle --mangle-mac-s 01:00:5e:00:01:02 arptables -I INPUT -i eth2 --h-length 6 \ --destination-mac 01:00:5e:00:01:02 \ -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27 In the case of TCP connections, pickup facility has to be disabled to avoid marking TCP ACK packets coming in the reply direction as valid. echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose BTW, some final notes: * This match mangles the skbuff pkt_type in case that it detects PACKET_MULTICAST for a non-multicast address. This may be done in a PKTTYPE target for this sole purpose. * This match supersedes the CLUSTERIP target. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> |
||
|---|---|---|
| .. | ||
| Kbuild | ||
| nf_conntrack_amanda.h | ||
| nf_conntrack_common.h | ||
| nf_conntrack_dccp.h | ||
| nf_conntrack_ftp.h | ||
| nf_conntrack_h323.h | ||
| nf_conntrack_h323_asn1.h | ||
| nf_conntrack_h323_types.h | ||
| nf_conntrack_irc.h | ||
| nf_conntrack_pptp.h | ||
| nf_conntrack_proto_gre.h | ||
| nf_conntrack_sane.h | ||
| nf_conntrack_sctp.h | ||
| nf_conntrack_sip.h | ||
| nf_conntrack_tcp.h | ||
| nf_conntrack_tftp.h | ||
| nf_conntrack_tuple_common.h | ||
| nfnetlink.h | ||
| nfnetlink_compat.h | ||
| nfnetlink_conntrack.h | ||
| nfnetlink_log.h | ||
| nfnetlink_queue.h | ||
| x_tables.h | ||
| xt_CLASSIFY.h | ||
| xt_cluster.h | ||
| xt_comment.h | ||
| xt_connbytes.h | ||
| xt_connlimit.h | ||
| xt_CONNMARK.h | ||
| xt_connmark.h | ||
| xt_CONNSECMARK.h | ||
| xt_conntrack.h | ||
| xt_dccp.h | ||
| xt_DSCP.h | ||
| xt_dscp.h | ||
| xt_esp.h | ||
| xt_hashlimit.h | ||
| xt_helper.h | ||
| xt_iprange.h | ||
| xt_LED.h | ||
| xt_length.h | ||
| xt_limit.h | ||
| xt_mac.h | ||
| xt_mark.h | ||
| xt_MARK.h | ||
| xt_multiport.h | ||
| xt_NFLOG.h | ||
| xt_NFQUEUE.h | ||
| xt_owner.h | ||
| xt_physdev.h | ||
| xt_pkttype.h | ||
| xt_policy.h | ||
| xt_quota.h | ||
| xt_RATEEST.h | ||
| xt_rateest.h | ||
| xt_realm.h | ||
| xt_recent.h | ||
| xt_sctp.h | ||
| xt_SECMARK.h | ||
| xt_state.h | ||
| xt_statistic.h | ||
| xt_string.h | ||
| xt_TCPMSS.h | ||
| xt_tcpmss.h | ||
| xt_TCPOPTSTRIP.h | ||
| xt_tcpudp.h | ||
| xt_time.h | ||
| xt_TPROXY.h | ||
| xt_u32.h | ||