On 2008-10-13T17:17:44, Lars Ellenberg <[EMAIL PROTECTED]> wrote:

> > Yes, really a pretty cool idea - one of those where one wonders how we
> > failed to come up with it in the past ;-)
> btw, if we replicate the connection state (using conntrackd), we don't
> need tickle acks, we can send the RST directly using e.g. cutter (minus
> its sanity check filtering out local addresses).

I had a discussion with Harald Welte on this topic on the weekend.

He recommended not using conntrackd (unless we really want to fail over
complete firewalls), as that is replicating much more state than we
need, and is not as scalable.

All we really need to track is connections which are successfully
established and torn down; not a lot of state.

With OpenAIS, that should be really simple, as we have high-performance
ordered messaging.

1. On connection established, track {ips, ports, owner_host}

2. On connection tear-down, discard record.

3. When owner_host goes down, send tickle-acks for affected connections
and discard them.

4. When owner_host stops serving the IP (cleanly), it can send the
tickle-acks itself and discard the connections. (It would be interesting
to see how many TCP services don't terminate all connections ;-)



Regards,
    Lars

-- 
Teamlead Kernel, SuSE Labs, Research and Development
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
"Experience is the name everyone gives to their mistakes." -- Oscar Wilde

_______________________________________________________
Linux-HA-Dev: [email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
Home Page: http://linux-ha.org/
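The four-step scheme above (track established connections with their owner host, forget them on tear-down, tickle the survivors when the owner dies or releases the IP), as an added example that is not code from the Linux-HA project or from anyone in this thread. It keeps the {ips, ports, owner_host} table in a plain dict and builds the tickle-ack itself as a raw IPv4+TCP segment with seq=0/ack=0 and valid checksums. The event API (`established`, `closed`, `owner_failed`), the `Conn` record and the sample addresses are assumptions made for this example; the packet is only built and parsed back, not sent (sending it needs a raw socket with CAP_NET_RAW).

```python
"""Connection tracker plus tickle-ack builder for TCP fail-over.

Added example, not Linux-HA code. The tracker is fed by whatever ordered
cluster messaging delivers 'established' and 'closed' events; the event
API below is hypothetical.
"""
import socket
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One established TCP connection, seen from the service side."""
    service_ip: str      # floating address the client talked to
    service_port: int
    client_ip: str
    client_port: int


class ConnTracker:
    """Cluster-wide table {connection -> owner_host}.

    Step 1: established() on connection setup.
    Step 2: closed() on clean tear-down.
    Step 3/4: owner_failed() / owner_releasing() hand back the connections
    that must get a tickle-ack and forget them in the same operation.
    """

    def __init__(self) -> None:
        self._owner: dict[Conn, str] = {}

    def established(self, conn: Conn, owner_host: str) -> None:
        self._owner[conn] = owner_host

    def closed(self, conn: Conn) -> None:
        self._owner.pop(conn, None)   # tolerate a close we never saw open

    def owner_failed(self, owner_host: str) -> list[Conn]:
        affected = [c for c, o in self._owner.items() if o == owner_host]
        for c in affected:
            del self._owner[c]
        return affected

    # Step 4 is the same operation, just triggered by the owner itself.
    owner_releasing = owner_failed

    def __len__(self) -> int:
        return len(self._owner)


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a valid block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tickle_ack(conn: Conn, ttl: int = 64) -> bytes:
    """IPv4+TCP segment service->client, flags=ACK, seq=ack=0, no payload.

    The numbers are deliberately bogus: the client's TCP sees an
    out-of-window ACK on an established connection and replies with an
    ACK carrying its real sequence numbers; the host that now holds the
    service IP has no socket for that tuple and answers with RST, which
    closes the client's side. Window value (0x1000) is arbitrary.
    """
    src = socket.inet_aton(conn.service_ip)
    dst = socket.inet_aton(conn.client_ip)
    tcp = struct.pack("!HHIIBBHHH", conn.service_port, conn.client_port,
                      0, 0, 5 << 4, 0x10, 0x1000, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     ttl, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def parse_tcp_ip(pkt: bytes) -> dict:
    """Parse a 40-byte IPv4/TCP header pair back and recheck both checksums."""
    ip, tcp = pkt[:20], pkt[20:40]
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip)
    sport, dport, seq, ack, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp)
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "ip_checksum_ok": _checksum(ip) == 0,
        "tcp_checksum_ok": _checksum(pseudo + tcp) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "total_len": total_len,
    }


if __name__ == "__main__":
    # Constructed sample: two clients on node-a, one on node-b; node-a dies.
    t = ConnTracker()
    a = Conn("192.0.2.10", 80, "198.51.100.7", 51000)
    b = Conn("192.0.2.10", 80, "198.51.100.8", 51001)
    t.established(a, "node-a")
    t.established(b, "node-a")
    t.established(Conn("192.0.2.11", 443, "198.51.100.9", 51002), "node-b")
    t.closed(b)                               # clean tear-down, no tickle
    for c in t.owner_failed("node-a"):        # only 'a' is left to tickle
        print(c, parse_tcp_ip(build_tickle_ack(c)))
```

Because the tracker only records a tuple per established connection, its size is bounded by the number of live sessions rather than by conntrack's full per-flow state, which is the scalability argument in the message. Note that a tickle-ack is only useful while the client still believes the connection is up: once the record has been discarded in step 2 there is nothing to tickle, and a service that never closes its sockets cleanly leaves records behind until the owner fails.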
