    netfilter: xtables: add cluster match · 0269ea49
    Pablo Neira Ayuso authored
    This patch adds the iptables cluster match. This match can be used
    to deploy gateway and back-end load-sharing clusters. The cluster
    can be composed of 32 nodes maximum (although I have only tested
    this with two nodes, so I cannot tell what is the real scalability
    limit of this solution in terms of cluster nodes).
    
    Assuming that all the nodes see all packets (see below for an
    example on how to do that if your switch does not allow this), the
    cluster match decides if this node has to handle a packet given:
    
    	(jhash(source IP) % total_nodes) & node_mask
    
    For related connections, the master conntrack is used. The following
    is an example of its use to deploy a gateway cluster composed of two
    nodes (where this is the node 1):
    
    iptables -I PREROUTING -t mangle -i eth1 -m cluster \
    	--cluster-total-nodes 2 --cluster-local-node 1 \
    	--cluster-proc-name eth1 -j MARK --set-mark 0xffff
    iptables -A PREROUTING -t mangle -i eth1 \
    	-m mark ! --mark 0xffff -j DROP
    iptables -A PREROUTING -t mangle -i eth2 -m cluster \
    	--cluster-total-nodes 2 --cluster-local-node 1 \
    	--cluster-proc-name eth2 -j MARK --set-mark 0xffff
    iptables -A PREROUTING -t mangle -i eth2 \
    	-m mark ! --mark 0xffff -j DROP
    
    And the following commands to make all nodes see the same packets:
    
    ip maddr add 01:00:5e:00:01:01 dev eth1
    ip maddr add 01:00:5e:00:01:02 dev eth2
    arptables -I OUTPUT -o eth1 --h-length 6 \
    	-j mangle --mangle-mac-s 01:00:5e:00:01:01
    arptables -I INPUT -i eth1 --h-length 6 \
    	--destination-mac 01:00:5e:00:01:01 \
    	-j mangle --mangle-mac-d 00:zz:yy:xx:5a:27
    arptables -I OUTPUT -o eth2 --h-length 6 \
    	-j mangle --mangle-mac-s 01:00:5e:00:01:02
    arptables -I INPUT -i eth2 --h-length 6 \
    	--destination-mac 01:00:5e:00:01:02 \
    	-j mangle --mangle-mac-d 00:zz:yy:xx:5a:27
    
    In the case of TCP connections, the pickup facility has to be disabled
    to avoid marking TCP ACK packets coming in the reply direction as
    valid.
    
    echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
    
    BTW, some final notes:
    
     * This match mangles the skbuff pkt_type in case that it detects
    PACKET_MULTICAST for a non-multicast address. This may be done in
    a PKTTYPE target for this sole purpose.
     * This match supersedes the CLUSTERIP target.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
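Added example, not code from the patch or the netfilter project: a Python model of the node-selection rule quoted in the commit message, useful for checking which node of a cluster will keep a given flow before deploying the rules. It assumes the lookup3-based jhash_1word found in today's linux/jhash.h (the jhash in the tree this patch landed in may use different constants), the 1-based node numbering in which --cluster-local-node N sets bit N-1 of the node mask, and a hash seed of 0 where none is given; the modulo follows the formula as written in the message.

```python
import ipaddress

JHASH_INITVAL = 0xDEADBEEF
MASK32 = 0xFFFFFFFF


def rol32(x, k):
    """32-bit rotate left, as the kernel's rol32()."""
    return ((x << k) | (x >> (32 - k))) & MASK32


def jhash_1word(a, initval):
    """jhash_1word() as in current linux/jhash.h (assumption: the 2009
    tree carried an older jhash, so constants may differ from it)."""
    iv = (initval + JHASH_INITVAL + (1 << 2)) & MASK32
    a = (a + iv) & MASK32
    b = c = iv
    # __jhash_final(a, b, c)
    c ^= b; c = (c - rol32(b, 14)) & MASK32
    a ^= c; a = (a - rol32(c, 11)) & MASK32
    b ^= a; b = (b - rol32(a, 25)) & MASK32
    c ^= b; c = (c - rol32(b, 16)) & MASK32
    a ^= c; a = (a - rol32(c, 4)) & MASK32
    b ^= a; b = (b - rol32(a, 14)) & MASK32
    c ^= b; c = (c - rol32(b, 24)) & MASK32
    return c


def node_mask_for(local_node):
    """Assumption: --cluster-local-node N sets bit N-1 (nodes are 1-based)."""
    return 1 << (local_node - 1)


def node_handles(orig_src_ip, total_nodes, node_mask, hash_seed=0):
    """Commit-message rule: (jhash(source IP) % total_nodes) picks a slot;
    this node handles the packet when that slot's bit is in node_mask.
    orig_src_ip is the conntrack original-direction source, so both
    directions of one flow (and related flows via the master) agree."""
    ip = int(ipaddress.IPv4Address(orig_src_ip))
    slot = jhash_1word(ip, hash_seed) % total_nodes
    return bool((1 << slot) & node_mask)


def cluster_assignment(ips, total_nodes, hash_seed=0):
    """Map each source IP to the list of nodes that would keep its flow."""
    return {ip: [n for n in range(1, total_nodes + 1)
                 if node_handles(ip, total_nodes, node_mask_for(n), hash_seed)]
            for ip in ips}


if __name__ == "__main__":
    SAMPLE_IPS = ["192.0.2.1", "192.0.2.2", "198.51.100.7"]  # constructed
    for ip, nodes in cluster_assignment(SAMPLE_IPS, 2).items():
        print(f"{ip:>14} -> node {nodes}")
```

With disjoint single-bit masks every flow lands on exactly one node, which is the property the DROP rules in the example rule set rely on.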