q3k/linux
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
linux/net/netfilter
History
Pablo Neira Ayuso 0269ea4937 netfilter: xtables: add cluster match 
This patch adds the iptables cluster match. This match can be used
to deploy gateway and back-end load-sharing clusters. The cluster
can be composed of 32 nodes maximum (although I have only tested
this with two nodes, so I cannot tell what is the real scalability
limit of this solution in terms of cluster nodes).

Assuming that all the nodes see all packets (see below for an
example on how to do that if your switch does not allow this), the
cluster match decides if this node has to handle a packet given:

	(jhash(source IP) % total_nodes) & node_mask

For related connections, the master conntrack is used. The following
is an example of its use to deploy a gateway cluster composed of two
nodes (where this is the node 1):

iptables -I PREROUTING -t mangle -i eth1 -m cluster \
	--cluster-total-nodes 2 --cluster-local-node 1 \
	--cluster-proc-name eth1 -j MARK --set-mark 0xffff
iptables -A PREROUTING -t mangle -i eth1 \
	-m mark ! --mark 0xffff -j DROP
iptables -A PREROUTING -t mangle -i eth2 -m cluster \
	--cluster-total-nodes 2 --cluster-local-node 1 \
	--cluster-proc-name eth2 -j MARK --set-mark 0xffff
iptables -A PREROUTING -t mangle -i eth2 \
	-m mark ! --mark 0xffff -j DROP

And the following commands to make all nodes see the same packets:

ip maddr add 01:00:5e:00:01:01 dev eth1
ip maddr add 01:00:5e:00:01:02 dev eth2
arptables -I OUTPUT -o eth1 --h-length 6 \
	-j mangle --mangle-mac-s 01:00:5e:00:01:01
arptables -I INPUT -i eth1 --h-length 6 \
	--destination-mac 01:00:5e:00:01:01 \
	-j mangle --mangle-mac-d 00:zz:yy:xx:5a:27
arptables -I OUTPUT -o eth2 --h-length 6 \
	-j mangle --mangle-mac-s 01:00:5e:00:01:02
arptables -I INPUT -i eth2 --h-length 6 \
	--destination-mac 01:00:5e:00:01:02 \
	-j mangle --mangle-mac-d 00:zz:yy:xx:5a:27

In the case of TCP connections, pickup facility has to be disabled
to avoid marking TCP ACK packets coming in the reply direction as
valid.

echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose

BTW, some final notes:

 * This match mangles the skbuff pkt_type in case that it detects
PACKET_MULTICAST for a non-multicast address. This may be done in
a PKTTYPE target for this sole purpose.
 * This match supersedes the CLUSTERIP target.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-03-16 17:10:36 +01:00
..
ipvs net: replace uses of __constant_{endian} 2009-02-01 00:45:17 -08:00
core.c netfilter: remove unneeded goto 2009-02-18 16:29:08 +01:00
Kconfig netfilter: xtables: add cluster match 2009-03-16 17:10:36 +01:00
Makefile netfilter: xtables: add cluster match 2009-03-16 17:10:36 +01:00
nf_conntrack_acct.c net: '&' redux 2008-11-03 18:21:05 -08:00
nf_conntrack_amanda.c net: replace uses of __constant_{endian} 2009-02-01 00:45:17 -08:00
nf_conntrack_core.c netfilter: nf_conntrack: account packets drop by tcp_packet() 2009-02-24 14:48:01 +01:00
nf_conntrack_ecache.c netfilter: ctnetlink: deliver events for conntracks changed from userspace 2008-11-18 11:56:20 +01:00
nf_conntrack_expect.c netfilter: fix hardcoded size assumptions 2009-02-20 10:48:06 +01:00
nf_conntrack_extend.c netfilter: nf_conntrack_extend: avoid unnecessary "ct->ext" dereferences 2008-07-26 17:50:05 -07:00
nf_conntrack_ftp.c netfilter: fix warning in net/netfilter/nf_conntrack_ftp.c 2008-11-25 18:23:03 +01:00
nf_conntrack_h323_asn1.c [NETFILTER]: nf_conntrack_h323: constify and annotate H.323 helper 2008-01-31 19:28:07 -08:00
nf_conntrack_h323_main.c net: replace uses of __constant_{endian} 2009-02-01 00:45:17 -08:00
nf_conntrack_h323_types.c [NETFILTER]: nf_conntrack_h323: constify and annotate H.323 helper 2008-01-31 19:28:07 -08:00
nf_conntrack_helper.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2008-11-28 02:19:15 -08:00
nf_conntrack_irc.c netfilter: nf_conntrack: connection tracking helper name persistent aliases 2008-11-17 16:01:42 +01:00
nf_conntrack_l3proto_generic.c [NETFILTER]: nf_conntrack: use bool type in struct nf_conntrack_l3proto 2008-04-14 11:15:52 +02:00
nf_conntrack_netbios_ns.c net: replace uses of __constant_{endian} 2009-02-01 00:45:17 -08:00
nf_conntrack_netlink.c netfilter: ctnetlink: move event reporting for new entries outside the lock 2009-03-16 15:28:09 +01:00
nf_conntrack_pptp.c net: replace uses of __constant_{endian} 2009-02-01 00:45:17 -08:00
nf_conntrack_proto.c netfilter: netns ct: walk netns list under RTNL 2008-11-05 03:03:18 -08:00
nf_conntrack_proto_dccp.c net: netfilter conntrack - add per-net functionality for DCCP protocol 2009-03-16 16:30:49 +01:00
nf_conntrack_proto_generic.c netfilter: change generic l4 protocol number 2009-02-18 16:28:35 +01:00
nf_conntrack_proto_gre.c netfilter: nf_conntrack_proto_gre: spread __exit 2008-11-20 10:01:37 +01:00
nf_conntrack_proto_sctp.c netfilter: nf_conntrack_proto_sctp: avoid bogus warning 2008-11-24 13:47:21 +01:00
nf_conntrack_proto_tcp.c netfilter: remove IPvX specific parts from nf_conntrack_l4proto.h 2009-03-16 15:15:35 +01:00
nf_conntrack_proto_udp.c netfilter: remove IPvX specific parts from nf_conntrack_l4proto.h 2009-03-16 15:15:35 +01:00
nf_conntrack_proto_udplite.c net: '&' redux 2008-11-03 18:21:05 -08:00
nf_conntrack_sane.c netfilter: nf_conntrack: connection tracking helper name persistent aliases 2008-11-17 16:01:42 +01:00
nf_conntrack_sip.c netfilter: nf_conntrack: connection tracking helper name persistent aliases 2008-11-17 16:01:42 +01:00
nf_conntrack_standalone.c cpumask: prepare for iterators to only go to nr_cpu_ids/nr_cpumask_bits: net 2008-12-29 22:44:47 -08:00
nf_conntrack_tftp.c netfilter: nf_conntrack: connection tracking helper name persistent aliases 2008-11-17 16:01:42 +01:00
nf_internals.h netfilter: Use unsigned types for hooknum and pf vars 2008-10-08 11:35:00 +02:00
nf_log.c netfilter: print the list of register loggers 2009-03-16 14:55:27 +01:00
nf_queue.c netfilter: Introduce NFPROTO_* constants 2008-10-08 11:35:00 +02:00
nf_sockopt.c netfilter: enable netfilter in netns 2008-10-08 11:35:11 +02:00
nf_tproxy_core.c net: Partially allow skb destructors to be used on receive path 2009-02-04 16:55:27 -08:00
nfnetlink.c net: Remove CONFIG_KMOD from net/ (towards removing CONFIG_KMOD entirely) 2008-10-16 15:24:51 -07:00
nfnetlink_log.c netfilter: use a linked list of loggers 2009-03-16 14:54:21 +01:00
nfnetlink_queue.c netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-19 22:34:43 -07:00
x_tables.c netfilter: iptables: lock free counters 2009-02-20 10:35:32 +01:00
xt_CLASSIFY.c netfilter: xtables: move extension arguments into compound structure (4/6) 2008-10-08 11:35:19 +02:00
xt_cluster.c netfilter: xtables: add cluster match 2009-03-16 17:10:36 +01:00
xt_comment.c netfilter: xtables: use NFPROTO_UNSPEC in more extensions 2008-10-08 11:35:20 +02:00
xt_connbytes.c netfilter: xtables: cut down on static data for family-independent extensions 2008-10-08 11:35:20 +02:00
xt_connlimit.c netfilter: xtables: cut down on static data for family-independent extensions 2008-10-08 11:35:20 +02:00
xt_CONNMARK.c netfilter: xtables: cut down on static data for family-independent extensions 2008-10-08 11:35:20 +02:00
xt_connmark.c netfilter: xtables: cut down on static data for family-independent extensions 2008-10-08 11:35:20 +02:00
xt_CONNSECMARK.c netfilter: xtables: cut down on static data for family-independent extensions 2008-10-08 11:35:20 +02:00
xt_conntrack.c netfilter: xtables: cut down on static data for family-independent extensions 2008-10-08 11:35:20 +02:00
xt_dccp.c nf/dccp: merge errorpaths 2008-12-14 23:19:02 -08:00
xt_dscp.c netfilter: xtables: move extension arguments into compound structure (2/6) 2008-10-08 11:35:18 +02:00
xt_DSCP.c netfilter: xtables: move extension arguments into compound structure (5/6) 2008-10-08 11:35:19 +02:00
xt_esp.c netfilter: xtables: move extension arguments into compound structure (2/6) 2008-10-08 11:35:18 +02:00
xt_hashlimit.c netfilter: xt_hashlimit fix 2009-02-24 15:30:29 +01:00
xt_helper.c netfilter: xtables: cut down on static data for family-independent extensions 2008-10-08 11:35:20 +02:00
xt_hl.c netfilter: Combine ipt_ttl and ip6t_hl source 2009-02-18 18:39:31 +01:00
xt_HL.c netfilter: Combine ipt_TTL and ip6t_HL source 2009-02-18 18:38:40 +01:00
xt_iprange.c net: replace NIPQUAD() in net/netfilter/ 2008-10-31 00:54:29 -07:00
xt_LED.c netfilter: x_tables: add LED trigger target 2009-02-20 10:55:14 +01:00
xt_length.c netfilter: xtables: move extension arguments into compound structure (1/6) 2008-10-08 11:35:18 +02:00
xt_limit.c netfilter: xtables: avoid pointer to self 2009-03-16 15:35:29 +01:00
xt_mac.c netfilter: xtables: use NFPROTO_UNSPEC in more extensions 2008-10-08 11:35:20 +02:00
xt_mark.c netfilter: xtables: move extension arguments into compound structure (2/6) 2008-10-08 11:35:18 +02:00
xt_MARK.c netfilter: xtables: use NFPROTO_UNSPEC in more extensions 2008-10-08 11:35:20 +02:00
xt_multiport.c netfilter: xtables: move extension arguments into compound structure (2/6) 2008-10-08 11:35:18 +02:00
xt_NFLOG.c netfilter: xt_NFLOG: don't call nf_log_packet in NFLOG module. 2008-11-04 14:21:08 +01:00
xt_NFQUEUE.c netfilter: replace old NF_ARP calls with NFPROTO_ARP 2008-10-20 03:34:51 -07:00
xt_NOTRACK.c netfilter: xtables: use NFPROTO_UNSPEC in more extensions 2008-10-08 11:35:20 +02:00
xt_owner.c CRED: Use creds in file structs 2008-11-14 10:39:25 +11:00
xt_physdev.c netfilter: xt_physdev: unfold two loops in physdev_mt() 2009-02-19 11:17:17 +01:00
xt_pkttype.c netfilter: xtables: cut down on static data for family-independent extensions 2008-10-08 11:35:20 +02:00
xt_policy.c netfilter: xtables: move extension arguments into compound structure (2/6) 2008-10-08 11:35:18 +02:00
xt_quota.c netfilter: xtables: avoid pointer to self 2009-03-16 15:35:29 +01:00
xt_RATEEST.c netfilter: xtables: move extension arguments into compound structure (6/6) 2008-10-08 11:35:19 +02:00
xt_rateest.c netfilter: xtables: move extension arguments into compound structure (3/6) 2008-10-08 11:35:19 +02:00
xt_realm.c netfilter: xtables: use NFPROTO_UNSPEC in more extensions 2008-10-08 11:35:20 +02:00
xt_recent.c netfilter: xt_recent: don't save proc dirs 2008-11-20 09:57:01 +01:00
xt_sctp.c netfilter: xt_sctp: sctp chunk mapping doesn't work 2009-02-09 14:34:56 -08:00
xt_SECMARK.c netfilter: xtables: move extension arguments into compound structure (6/6) 2008-10-08 11:35:19 +02:00
xt_socket.c tproxy: fixe a possible read from an invalid location in the socket match 2008-12-07 23:53:46 -08:00
xt_state.c netfilter: xtables: move extension arguments into compound structure (3/6) 2008-10-08 11:35:19 +02:00
xt_statistic.c netfilter: xtables: avoid pointer to self 2009-03-16 15:35:29 +01:00
xt_string.c netfilter: xtables: move extension arguments into compound structure (3/6) 2008-10-08 11:35:19 +02:00
xt_TCPMSS.c netfilter: xtables: move extension arguments into compound structure (5/6) 2008-10-08 11:35:19 +02:00
xt_tcpmss.c netfilter: xtables: move extension arguments into compound structure (1/6) 2008-10-08 11:35:18 +02:00
xt_TCPOPTSTRIP.c netfilter: xtables: move extension arguments into compound structure (4/6) 2008-10-08 11:35:19 +02:00
xt_tcpudp.c netfilter: xtables: move extension arguments into compound structure (2/6) 2008-10-08 11:35:18 +02:00
xt_time.c netfilter 08/09: xt_time: print timezone for user information 2009-01-12 21:18:36 -08:00
xt_TPROXY.c netfilter: xtables: move extension arguments into compound structure (5/6) 2008-10-08 11:35:19 +02:00
xt_TRACE.c netfilter: xtables: move extension arguments into compound structure (4/6) 2008-10-08 11:35:19 +02:00
xt_u32.c netfilter: xtables: move extension arguments into compound structure (1/6) 2008-10-08 11:35:18 +02:00