On Wed, May 31, 2000 at 04:58:50PM +0100, Anton Ivanov wrote:
> balancers. Behind them you have N boxen that are connected to each
> firewall/load balancer. You _do_not_ run routing protocol and use default or
> statics. In this case you need to answer on the interface where you have been
> asked in order to obey state in the firewall/load balancer.
>
> This design has quite a few ugly points of failure. And it does not achieve
> what is wanted. IMHO: use routing protocol + loopback aliases instead.
>
> Coming back to the b0rken design. In order to implement it, it is necessary to
> do a queueing discipline (return same or something like that). To be honest I
> have no idea if all the info in order to implement this queueing discipline is
> present in the current data structures. I have not had any time to have a look
> at recent 2.3.x. - 2.4.s.

You don't need a queueing discipline. As a quick hack you could just
set newsk->bound_dev_if in tcp_v4_syn_recv_sock() [actually it'll reject
packets for these connections then on other interfaces, because bound_dev_if
is used in the incoming socket hash -- to prevent that split the field
in output and input bound_dev]

The clean way is to change the stateful load balancers to include loose
source routing options in the SYNs -- loose source routing is really what
you want. You would probably need to filter them out on output again
though, to prevent many routers from dropping your packets.

Another way would be to add NAT rules on them to send to unique destination
addresses, with appropriate policy routes on the host.

Whether it is worth having these hacks, I have my doubts.
-Andi
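An added example, not part of Anton's or Andi's messages: a small Python model of the failure Anton describes (a reply leaving through a different stateful firewall than the one the SYN came in through) and of the source-address policy routing that Andi's last option relies on. Firewall names, interface names and addresses are constructed for the illustration.

```python
# Toy model (constructed): a host with one address per interface, each interface
# fronted by its own stateful firewall. A SYN enters via fwA; the SYN/ACK must
# leave via fwA again, because fwB has no state for that flow and drops it.
from dataclasses import dataclass, field


@dataclass
class StatefulFirewall:
    name: str
    flows: set = field(default_factory=set)

    def inbound(self, src, dst):
        # Record the flow on the way in so the matching reply is allowed out.
        self.flows.add((src, dst))
        return True

    def outbound(self, src, dst):
        # Only replies to a flow this firewall has seen are permitted.
        return (dst, src) in self.flows


# Constructed host addressing: local address -> firewall fronting that interface.
HOST_ADDRS = {"10.0.1.2": "fwA", "10.0.2.2": "fwB"}


def egress_default(src_addr):
    """Single default route: every packet leaves via fwB, whatever its source."""
    return "fwB"


def egress_policy(src_addr):
    """Policy routing: pick the egress by the local source address, so the
    reply leaves through the interface the SYN arrived on."""
    return HOST_ADDRS[src_addr]


def reply_reaches_client(egress_fn, client="192.0.2.10", via="10.0.1.2"):
    """Simulate SYN in via the firewall fronting `via`, then SYN/ACK out via
    the interface chosen by `egress_fn`. Returns True if the reply passes."""
    fws = {"fwA": StatefulFirewall("fwA"), "fwB": StatefulFirewall("fwB")}
    fws[HOST_ADDRS[via]].inbound(client, via)
    return fws[egress_fn(via)].outbound(via, client)


def policy_routing_commands(addr, iface, gateway, table):
    """The iproute2 commands (assumed syntax) that implement egress_policy for
    one interface: a per-interface table with its own default route, selected
    by a rule on the local source address."""
    return [
        f"ip route add default via {gateway} dev {iface} table {table}",
        f"ip rule add from {addr} table {table}",
    ]
```

Only the interface that received the SYN has firewall state for the flow, so the default-route host loses every reply for connections that arrived on the non-default interface, while the policy-routed host answers on the right one.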
This archive was generated by hypermail 2b29 : Wed May 31 2000 - 21:00:27 EST