> conntrackd permit to also share TCP states between boxes that will
> also run iptables

With conntrackd syncing you just allow the packet to pass the iptables barrier; but the session will still be dropped by the OS because the TCP stack doesn't know the socket, and neither does the application. To do this you would need something like TCP connection repair [1], but that requires support in both the kernel and userspace. While this crazy feature seems to have made it into the 3.5 kernel, I'm not aware that this is supported in haproxy.

In fact, while rethinking, I'm not sure TCP connection repair can be used for failover anyway; it's just a technology to move the TCP session from one host to another gracefully, but it requires both hosts to be alive afaik - so it doesn't make sense for failover.

> HAProxy can share as of 1.5 its connection table, which is really an
> appreciated feature :)

HAProxy can share stick-tables [2], but that doesn't mean you can implement stateful failover. If you want to do this with haproxy, you will probably need to drop the idea of stateful failover; imho, no user-space software can accomplish this.

On the other side, if maintaining the TCP sessions when a failover occurs is a requirement for you, you should stick to LVS + conntrack syncing, as that's probably possible. Of course you can work only up to Layer 4 and won't see the application Layer on your load-balancer.

Lukas

[1] https://lwn.net/Articles/495304/
[2] http://cbonte.github.com/haproxy-dconv/configuration-1.5.html#3.5
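To make concrete what the stick-table sharing in [2] does (and does not) give you, here is an added example configuration that is not part of Lukas' reply or of the HAProxy project's documentation. It assumes two load-balancer nodes with the constructed addresses 192.0.2.11 and 192.0.2.12 and two backend servers at 10.0.0.1 and 10.0.0.2; the `peers` section replicates the stick-table entries between the nodes, so after a failover the surviving node still sends a client to the same backend server, but the client's existing TCP connections are not preserved and must be re-established.

```haproxy
# Added example (not from the original post). Addresses are constructed.
# The peers section is the 1.5 mechanism for replicating stick-table
# entries; it replicates persistence data, not TCP socket state.
peers lb_peers
    peer lb1 192.0.2.11:1024
    peer lb2 192.0.2.12:1024

frontend fe_app
    bind *:80
    default_backend be_app

backend be_app
    # 'peers lb_peers' ties this table to the replication group above.
    # A client IP -> server mapping learned on lb1 is pushed to lb2.
    stick-table type ip size 100k expire 30m peers lb_peers
    stick on src
    server s1 10.0.0.1:80 check
    server s2 10.0.0.2:80 check
```

The process name given on the haproxy command line (`-L lb1` or `-L lb2`) must match one of the `peer` names so each node knows which entry is itself. When lb1 goes away, lb2 already holds the `src -> server` mapping and preserves persistence for new connections; the connections that were in flight on lb1 are lost, which is exactly the gap between stick-table sync and stateful failover described above.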

