linux/include
Pablo Neira Ayuso 0269ea4937 netfilter: xtables: add cluster match
This patch adds the iptables cluster match. This match can be used
to deploy gateway and back-end load-sharing clusters. The cluster
can be composed of 32 nodes maximum (although I have only tested
this with two nodes, so I cannot tell what is the real scalability
limit of this solution in terms of cluster nodes).

Assuming that all the nodes see all packets (see below for an
example on how to do that if your switch does not allow this), the
cluster match decides if this node has to handle a packet given:

	(jhash(source IP) % total_nodes) & node_mask

For related connections, the master conntrack is used. The following
is an example of its use to deploy a gateway cluster composed of two
nodes (where this is the node 1):

iptables -I PREROUTING -t mangle -i eth1 -m cluster \
	--cluster-total-nodes 2 --cluster-local-node 1 \
	--cluster-proc-name eth1 -j MARK --set-mark 0xffff
iptables -A PREROUTING -t mangle -i eth1 \
	-m mark ! --mark 0xffff -j DROP
iptables -A PREROUTING -t mangle -i eth2 -m cluster \
	--cluster-total-nodes 2 --cluster-local-node 1 \
	--cluster-proc-name eth2 -j MARK --set-mark 0xffff
iptables -A PREROUTING -t mangle -i eth2 \
	-m mark ! --mark 0xffff -j DROP

And the following commands to make all nodes see the same packets:

ip maddr add 01:00:5e:00:01:01 dev eth1
ip maddr add 01:00:5e:00:01:02 dev eth2
arptables -I OUTPUT -o eth1 --h-length 6 \
	-j mangle --mangle-mac-s 01:00:5e:00:01:01
arptables -I INPUT -i eth1 --h-length 6 \
	--destination-mac 01:00:5e:00:01:01 \
	-j mangle --mangle-mac-d 00:zz:yy:xx:5a:27
arptables -I OUTPUT -o eth2 --h-length 6 \
	-j mangle --mangle-mac-s 01:00:5e:00:01:02
arptables -I INPUT -i eth2 --h-length 6 \
	--destination-mac 01:00:5e:00:01:02 \
	-j mangle --mangle-mac-d 00:zz:yy:xx:5a:27

In the case of TCP connections, the pickup facility has to be disabled
to avoid marking TCP ACK packets coming in the reply direction as
valid.

echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose

BTW, some final notes:

 * This match mangles the skbuff pkt_type in case that it detects
PACKET_MULTICAST for a non-multicast address. This may be done in
a PKTTYPE target for this sole purpose.
 * This match supersedes the CLUSTERIP target.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-03-16 17:10:36 +01:00
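The node-selection rule in the commit message, `(jhash(source IP) % total_nodes) & node_mask`, is easy to misread. The following userspace C program is an added example, not the kernel's xt_cluster code: it reads the formula as "hash the source address, reduce it to a node id in [0, total_nodes), and let this node handle the packet if that id's bit is set in its node mask" (bit n-1 for `--cluster-local-node n`). `jhash_1word` is a copy of the lookup3-based variant from the current linux/jhash.h; the hash seed is the value all nodes must share (the match exposes it as `--cluster-hash-seed`). The seed, sample source addresses and node layouts are constructed for illustration, and `failover_accepts_all` shows a node taking over a peer's share by setting both bits in its mask.

```c
/* Added example: userspace model of the xtables cluster match decision.
 * Not kernel code; jhash_1word copied from linux/jhash.h (lookup3 variant). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

#define JHASH_INITVAL 0xdeadbeefu

static inline uint32_t rol32(uint32_t w, unsigned s)
{
    return (w << s) | (w >> (32 - s));
}

/* Linux jhash_1word(): one 32-bit word mixed with a seed. */
static uint32_t jhash_1word(uint32_t a, uint32_t initval)
{
    uint32_t b = 0, c = 0;
    uint32_t iv = initval + JHASH_INITVAL + (1u << 2);
    a += iv; b += iv; c += iv;
    /* __jhash_final */
    c ^= b; c -= rol32(b, 14);
    a ^= c; a -= rol32(c, 11);
    b ^= a; b -= rol32(a, 25);
    c ^= b; c -= rol32(b, 16);
    a ^= c; a -= rol32(c, 4);
    b ^= a; b -= rol32(a, 14);
    c ^= b; c -= rol32(b, 24);
    return c;
}

struct cluster_cfg {
    uint32_t total_nodes; /* --cluster-total-nodes, at most 32 */
    uint32_t node_mask;   /* bit (n-1) set for --cluster-local-node n */
    uint32_t hash_seed;   /* must be identical on every node */
};

/* Node id in [0, total_nodes) chosen for a source address (network order). */
static uint32_t cluster_node_for(uint32_t saddr_be, const struct cluster_cfg *cfg)
{
    return jhash_1word(saddr_be, cfg->hash_seed) % cfg->total_nodes;
}

/* 1 if this node handles the flow (-j MARK path), 0 if it should DROP it. */
static int cluster_match(uint32_t saddr_be, const struct cluster_cfg *cfg)
{
    return (int)((cfg->node_mask >> cluster_node_for(saddr_be, cfg)) & 1u);
}

/* Constructed sample source addresses (documentation ranges). */
static const char *const SAMPLE_SRCS[] = {
    "10.0.0.1", "10.0.0.2", "192.0.2.7", "198.51.100.23", "203.0.113.200"
};
#define NSAMPLES (sizeof SAMPLE_SRCS / sizeof *SAMPLE_SRCS)

/* Simulate `total` nodes, node i configured with --cluster-local-node i,
 * and return 1 if every sample address is accepted by exactly one node. */
static int partition_holds(uint32_t total, uint32_t seed)
{
    for (size_t i = 0; i < NSAMPLES; i++) {
        struct in_addr a;
        int takers = 0;
        if (inet_pton(AF_INET, SAMPLE_SRCS[i], &a) != 1)
            return 0;
        for (uint32_t n = 1; n <= total; n++) {
            struct cluster_cfg cfg = { total, 1u << (n - 1), seed };
            takers += cluster_match(a.s_addr, &cfg);
        }
        if (takers != 1)
            return 0;
    }
    return 1;
}

/* Failover: node 1 of a 2-node cluster sets bits 0 and 1 in its mask and
 * must then accept every flow, whichever node id the hash picks. */
static int failover_accepts_all(uint32_t seed)
{
    struct cluster_cfg cfg = { 2, 0x3u, seed };
    for (size_t i = 0; i < NSAMPLES; i++) {
        struct in_addr a;
        if (inet_pton(AF_INET, SAMPLE_SRCS[i], &a) != 1 || !cluster_match(a.s_addr, &cfg))
            return 0;
    }
    return 1;
}

int main(void)
{
    const uint32_t seed = 0x1234u; /* constructed shared seed */
    struct cluster_cfg cfg = { 2, 0x1u, seed }; /* this is node 1 of 2 */
    for (size_t i = 0; i < NSAMPLES; i++) {
        struct in_addr a;
        inet_pton(AF_INET, SAMPLE_SRCS[i], &a);
        printf("%-15s -> node %u, this node %s\n", SAMPLE_SRCS[i],
               cluster_node_for(a.s_addr, &cfg) + 1,
               cluster_match(a.s_addr, &cfg) ? "handles" : "drops");
    }
    return 0;
}
```

Because only the original-direction source address and the shared seed feed the hash, every node computes the same node id for a flow without any inter-node traffic; the DROP rule on the non-matching nodes is what turns "everyone sees every packet" into exactly-one-handler. A seed that differs between nodes silently breaks this: two nodes may both accept, or none, for the same flow.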
acpi ACPI: Enable bit 11 in _PDC to advertise hw coord 2009-02-07 00:41:14 -05:00
asm-arm
asm-frv net: new user space API for time stamping of incoming and outgoing packets 2009-02-15 22:43:33 -08:00
asm-generic Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2009-01-26 09:47:28 -08:00
asm-h8300
asm-m32r net: new user space API for time stamping of incoming and outgoing packets 2009-02-15 22:43:33 -08:00
asm-mn10300 net: new user space API for time stamping of incoming and outgoing packets 2009-02-15 22:43:33 -08:00
crypto crypto: shash - Fix tfm destruction 2009-02-05 16:51:25 +11:00
drm drm/i915: add fence register management to execbuf 2009-02-08 21:38:02 +10:00
keys
linux netfilter: xtables: add cluster match 2009-03-16 17:10:36 +01:00
math-emu
media Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6 2009-02-02 19:26:06 -08:00
mtd headers_check fix: mtd/inftl-user.h 2009-01-31 00:13:34 +05:30
net netfilter: remove IPvX specific parts from nf_conntrack_l4proto.h 2009-03-16 15:15:35 +01:00
pcmcia
rdma net: replace __constant_{endian} uses in net headers 2009-02-14 22:58:35 -08:00
rxrpc
scsi [SCSI] iscsi_tcp: make padbuf non-static 2009-01-13 10:41:34 -06:00
sound headers_check fix: sound/hdsp.h 2009-01-31 00:13:56 +05:30
trace
video atyfb: fix CONFIG_ namespace violations 2009-02-05 12:56:48 -08:00
xen xen: add xenfs to allow usermode <-> Xen interaction 2009-01-08 08:30:59 -08:00
Kbuild