On 8/9/07, Dejan Muhamedagic <[EMAIL PROTECTED]> wrote:
>
> On Thu, Aug 09, 2007 at 10:27:23AM +0200, sebastien lorandel wrote:
> > Hi, thanks for your answer David,
> >
> > > for iptables look into the conntrackd daemon and tools, those would be
> > > what you would use to synchronise the connection table from one
> > > firewall to the other.
> >
> > Ok, so I don't need to manage iptables with Heartbeat, right?
> > I think I just have to install iptables and conntrackd and to insert a RA
> > script for conntrackd like this one:
> > http://files.rfc2324.org/patches/conntrackd/heartbeat-ressources.d-script
>
> I'm afraid that it won't be that simple. conntrackd operates as a
> multistate (master-slave) resource, i.e. there's an instance of
> conntrackd running on both nodes, so you would need to implement
> both promote and demote operations too. Unfortunately, conntrackd
> can't say itself if it's a master instance or not, so you'll have
> to keep track of that in the resource agent. Alternatively,
> perhaps one could talk to the author and see if it would be
> possible to implement the state in conntrackd itself (I assume
> that that would be easier and cleaner).

Ok I will try by myself and also ask on the netfilter mailing list if
somebody has a clue. Did anybody here ever try to install a conntrackd RA on
its heartbeat cluster?

> > > what do you mean when you say you need to manage ssh sessions? if you
> > > mean they go through the firewall, then the iptables stuff should fix
> > > this. if you mean that people connect to the firewall itself and you
> > > want the ssh session to failover to the backup, that's not possible.
> >
> > I would like to have my ssh user not to be disconnected when sshd fails
> > on a node and has to be relaunched on another. I wish the session could
> > be kept safe...
>
> I'm not sure if this is possible at all, at least not unless sshd
> cooperates. You should talk about that with the ssh developers.

Ok thanks.

> > And does nobody know anything about this Stateful RA?
> >
> > sébastien Lorandel.

--
Sébastien Lorandel

_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems
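
The role tracking Dejan describes in the quoted reply above, as an added example that is not part of the original thread and not code from conntrack-tools or Heartbeat: the agent records master/slave in a file because conntrackd cannot report its own role. The `STATEFILE` path, the `CONNTRACKD` override and the assumption that `conntrackd -s` exits non-zero when no daemon answers are illustrative assumptions.

```shell
#!/bin/sh
# Added example: role tracking for a multistate conntrackd resource agent.
# Assumptions: the STATEFILE path, the CONNTRACKD override, and that
# `conntrackd -s` exits non-zero when no daemon answers on the control socket.
CONNTRACKD="${CONNTRACKD:-conntrackd}"
STATEFILE="${STATEFILE:-/var/run/conntrackd.role}"   # hypothetical path

# OCF return codes used by master/slave resources.
OCF_SUCCESS=0; OCF_ERR_GENERIC=1; OCF_NOT_RUNNING=7; OCF_RUNNING_MASTER=8

ct_running() { $CONNTRACKD -s >/dev/null 2>&1; }

ct_monitor() {
    if ! ct_running; then
        rm -f "$STATEFILE"           # a crashed daemon must not leave a stale "master"
        return $OCF_NOT_RUNNING
    fi
    # No state file means the instance was never promoted: report it as slave.
    [ "$(cat "$STATEFILE" 2>/dev/null)" = master ] && return $OCF_RUNNING_MASTER
    return $OCF_SUCCESS
}

ct_promote() {
    ct_running || return $OCF_NOT_RUNNING
    # Commit the states learned from the peer to the kernel table, flush the
    # caches, resync the internal cache with the kernel, then bulk-send to the peer.
    { $CONNTRACKD -c && $CONNTRACKD -f && $CONNTRACKD -R && $CONNTRACKD -B; } \
        || return $OCF_ERR_GENERIC
    echo master > "$STATEFILE"       # record the role only after the commit worked
}

ct_demote() {
    ct_running || return $OCF_NOT_RUNNING
    $CONNTRACKD -n || return $OCF_ERR_GENERIC   # request a resync from the other node
    echo slave > "$STATEFILE"
}

# Dispatch on the action name passed by the cluster manager, if any.
case "${1:-}" in
    monitor) ct_monitor ;;
    promote) ct_promote ;;
    demote)  ct_demote ;;
esac
```

Recording the role only after `-c` succeeds keeps a node whose commit failed from being reported as master while its kernel table lacks the peer's connection states.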
