Yes, conntrackd and vrrp are being used. They don't handle the actual provisioning of the iptables rules though. There is also non-connection-tracking-related configuration (state) that needs to be beamed down to a freshly started router. That happens if the router is started by CloudStack (via the API or HA), but there are other ways (log in and type reboot) that the configuration state on the VR gets out of sync with the CloudStack database.
On 8/21/12 8:56 AM, "Kelceydamage@bbits" <kel...@bbits.ca> wrote:
>We are already using an iptables solution I thought: conntrackd
>
>Sent from my iPhone
>
>On Aug 21, 2012, at 2:05 AM, Matthew Patton <mpat...@inforelay.com> wrote:
>
>> Please let's not reinvent the wheel. See pfsense, vrrp/carp, and pfsync.
>>
>> A redundant iptables solution doesn't spring to mind but it already
>>exists no doubt.
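The drift problem described in the reply above (a VR rebooted by hand comes up with a rule set that no longer matches what CloudStack recorded) is easiest to see with a concrete check. The following is an added example, not code from the thread or from CloudStack: it parses two iptables-save style dumps, the rule set the management side expects and the rule set actually loaded on the router, and reports which rules are missing or unexpected per table. Both dumps are constructed samples; the interface names, addresses and rules are assumptions chosen for illustration.

```python
"""Detect iptables rule drift between an expected rule set and a live dump.

Added example (not from the mailing-list thread or the CloudStack code base).
Input format: iptables-save style text, one rule per line, tables introduced
by '*table', chain policies as ':CHAIN POLICY [p:b]', terminated by COMMIT.
"""
from typing import Dict, List, Set


def parse_iptables_save(dump: str) -> Dict[str, Set[str]]:
    """Return {table: {normalized rule line, ...}} for an iptables-save dump.

    Chain policy lines (':INPUT DROP [0:0]') are kept as rules on purpose:
    a policy flipped from DROP to ACCEPT after a reboot is drift too.
    Comment lines and COMMIT markers are dropped.
    """
    tables: Dict[str, Set[str]] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, set())
            continue
        if current is None:
            raise ValueError(f"rule before any *table header: {line!r}")
        # Collapse internal whitespace so cosmetic differences are not drift.
        tables[current].add(" ".join(line.split()))
    return tables


def diff_rules(expected: str, live: str) -> Dict[str, Dict[str, List[str]]]:
    """Compare two dumps; return {table: {'missing': [...], 'extra': [...]}}.

    'missing' = expected on the router but not loaded; 'extra' = loaded but
    not recorded in the expected state. Tables with no drift are omitted.
    """
    exp = parse_iptables_save(expected)
    cur = parse_iptables_save(live)
    report: Dict[str, Dict[str, List[str]]] = {}
    for table in sorted(set(exp) | set(cur)):
        missing = sorted(exp.get(table, set()) - cur.get(table, set()))
        extra = sorted(cur.get(table, set()) - exp.get(table, set()))
        if missing or extra:
            report[table] = {"missing": missing, "extra": extra}
    return report


def has_drift(report: Dict[str, Dict[str, List[str]]]) -> bool:
    """True when any table shows missing or extra rules."""
    return bool(report)


# Constructed sample: what the management database says the VR should run.
EXPECTED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp --dport 22 -s 192.168.100.0/24 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
"""

# Constructed sample: what the router actually loaded after a manual reboot
# (default policies back to ACCEPT, NAT rule gone, one rule with odd spacing).
LIVE_AFTER_REBOOT = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""


if __name__ == "__main__":
    result = diff_rules(EXPECTED_RULES, LIVE_AFTER_REBOOT)
    for table, changes in result.items():
        for rule in changes["missing"]:
            print(f"[{table}] MISSING: {rule}")
        for rule in changes["extra"]:
            print(f"[{table}] EXTRA:   {rule}")
    print("drift detected" if has_drift(result) else "in sync")
```

Run against real data by feeding the stored expected state and the output of `iptables-save` on the router; the whitespace normalization keeps a reordered or re-spaced but equivalent rule from being flagged, while a changed chain policy is reported like any other rule.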