On Thu, Aug 09, 2007 at 10:27:23AM +0200, sebastien lorandel wrote:
> Hi, thanks for your answer David,
> 
> > for iptables look into the conntrackd daemon and tools, those would be what
> > you would use to synchronise the connection table from one firewall to the
> > other.
> >
> Ok, so I don't need to manage iptables with Heartbeat, right?
> I think I just have to install iptables and conntrackd and to insert a RA
> script for conntrackd like this one:
> http://files.rfc2324.org/patches/conntrackd/heartbeat-ressources.d-script

I'm afraid that it won't be that simple. conntrackd operates as a
multistate (master-slave) resource, i.e. there's an instance of
conntrackd running on both nodes, so you would need to implement
both promote and demote operations too. Unfortunately, conntrackd
can't say itself if it's a master instance or not, so you'll have
to keep track of that in the resource agent. Alternatively,
perhaps one could talk to the author and see if it would be
possible to implement the state in conntrackd itself (I assume
that that would be easier and cleaner).

> > what do you mean when you say you need to manage ssh sessions? if you mean
> > they go through the firewall, then the iptables stuff should fix this. if you
> > mean that people connect to the firewall itself and you want the ssh session to
> > failover to the backup, that's not possible.
> 
> I would like to have my ssh user not to be disconnected when sshd fails on a
> node and has to be relaunched on another. I wish the session could be kept
> safe...

I'm not sure if this is possible at all, at least not unless sshd
cooperates. You should talk about that with the ssh developers.

> And does nobody know anything about this Stateful RA?
> 
> sébastien Lorandel.
> _______________________________________________
> Linux-HA mailing list
> [email protected]
> http://lists.linux-ha.org/mailman/listinfo/linux-ha
> See also: http://linux-ha.org/ReportingProblems
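
The reply above says a master/slave agent for conntrackd has to remember the role itself because the daemon cannot report it. The following sketch of that role tracking is an added example, not part of the original message and not the linked heartbeat script; the `ROLE_FILE` path, the `DAEMON_CHECK` command and the `ct_*` function names are assumptions, and the exit codes are the standard OCF ones.

```shell
#!/bin/sh
# Added illustration: role bookkeeping for a master/slave OCF resource agent.
# Not conntrackd's code and not the heartbeat script linked in the thread.

# Standard OCF exit codes.
OCF_SUCCESS=0
OCF_ERR_GENERIC=1
OCF_NOT_RUNNING=7
OCF_RUNNING_MASTER=8

# Assumptions: where the role is recorded and how liveness is checked.
ROLE_FILE="${ROLE_FILE:-/var/run/conntrackd-ra.role}"
DAEMON_CHECK="${DAEMON_CHECK:-pidof conntrackd}"

daemon_running() { $DAEMON_CHECK >/dev/null 2>&1; }

# monitor: the cluster learns the role from this exit code only.
ct_monitor() {
    if ! daemon_running; then
        # A role left over from a crashed instance must not survive a restart.
        rm -f "$ROLE_FILE"
        return $OCF_NOT_RUNNING
    fi
    if [ "$(cat "$ROLE_FILE" 2>/dev/null)" = "master" ]; then
        return $OCF_RUNNING_MASTER
    fi
    return $OCF_SUCCESS    # running, role is slave (also the default at start)
}

ct_promote() {
    daemon_running || return $OCF_NOT_RUNNING
    # A real agent would first make the daemon apply the synchronised
    # connection states on this node; only then record the new role.
    echo master > "$ROLE_FILE" || return $OCF_ERR_GENERIC
    return $OCF_SUCCESS
}

ct_demote() {
    daemon_running || return $OCF_NOT_RUNNING
    echo slave > "$ROLE_FILE" || return $OCF_ERR_GENERIC
    return $OCF_SUCCESS
}

case "${1:-}" in
    monitor) ct_monitor ;;
    promote) ct_promote ;;
    demote)  ct_demote ;;
esac
```

The start, stop and meta-data actions a complete agent needs are left out here so that the role handling stays visible.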
