OT: Linux/iptables pfsync equivalent
ratz at drugphish.ch
Mon Jun 21 21:19:37 BST 2004
So little time, so much to do ...
> All I could find:
> A reader who is familiar with VRRP will find this is somewhat familiar,
> however there are some significant differences:
> * The CARP protocol is address family independent. The OpenBSD
> implementation supports both IPv4 and IPv6, as a transport for the CARP
> packets as well as common addresses to be shared.
> * CARP has an "arpbalance" feature that allows multiple hosts to
> share a single IP address simultaneously; in this configuration, there
> is a virtual MAC address for each host, but only one IP address.
Alex, how about using this proxy_arp + Julian's 2.6.x arp patches?
> * CARP uses a cryptographically strong SHA-1 HMAC to protect each
This is pseudo-security but would be extremely easy to implement with
the current crypto-API in the 2.6.x kernels.
> And digging around in the OpenBSD CVS:
Alex already solved the TODO list from what I can gather :). Looking at
it however it might be a rather big port. The Linux kernel has a
different notion of distinguishing between IPv4/IPv5/IPv6. And the
crypto stuff would actually be callbacks instead of this implementation.
Those two things already render the whole thing a smallish nightmare to
sync with *BSD.
> I've also seen reference to IP Protocol 21, which is VRRP, so I'm
> guessing they took VRRP and got rid of whatever the patent covered?
Well, according to the history they reinvented the wheel (although it's
really hard to imagine coming up with something new):
Some examples (you might have found them as well; for others, as a reference):
>>> Is there a CARP lib that works with linux? I found ucarp, but it's
>>> all userland tools.
>> If you only need a small throughput then userland is enough, I
>> would say; it is the best IMHO. To handle around 20pps is the worst
>> case... :)
> True. My thinking is that, if a libcarp existed, you (or whoever
> maintains CARP for keepalived) wouldn't have to keep up with a userland
> tool's changes.
Another issue is that keepalived + LVS sync tries not to lose sessions
whereas with CARP you'll certainly lose sessions (TCP for sure).
>> If you got some specs please forward them :)
> I've been digging around for an hour now, but I can't find anything
> useful :(
CARP was designed on the mailing list and at the hackathon as well. We can
ask for the design documents however.
Roberto Nibali, ratz
'[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
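The thread above discusses CARP's use of a keyed SHA-1 HMAC to protect each advertisement and notes that the same thing is easy to do in userland. The following is an added example, not code from the original post, from ucarp or from OpenBSD: it builds a CARP-like advertisement (the field layout, the `vhid`/`advskew`/`advbase` names and the trailing-tag placement are assumptions for illustration, not the real CARP wire format), authenticates it with HMAC-SHA1 under a shared password, and checks what the tag does and does not cover: a tampered field or a wrong password fails verification, while a captured genuine advertisement still verifies when replayed, because nothing in the tag binds it to time.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed CARP-like layout (an assumption for this example, not the real
# CARP/VRRP packet format): one byte version|type, then vhid, advskew, advbase,
# then the shared IPv4 addresses, then a 20-byte SHA-1 HMAC over everything before it.
CARP_VERSION = 2
CARP_ADVERTISEMENT = 1
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes


def build_advertisement(vhid, advskew, advbase, addresses):
    """Serialise the authenticated part of the (constructed) advertisement."""
    header = struct.pack("!BBBB", (CARP_VERSION << 4) | CARP_ADVERTISEMENT,
                         vhid, advskew, advbase)
    # Sort so both sides hash the address list in the same order.
    body = b"".join(ipaddress.IPv4Address(a).packed
                    for a in sorted(addresses, key=ipaddress.IPv4Address))
    return header + body


def authenticate(payload, password):
    """Append HMAC-SHA1(password, payload) as the trailing tag."""
    tag = hmac.new(password, payload, hashlib.sha1).digest()
    return payload + tag


def verify(packet, password):
    """Return the payload if the trailing tag is valid, else None.

    Uses a constant-time comparison so a receiver does not leak how many
    tag bytes matched.
    """
    if len(packet) < 4 + TAG_LEN:
        return None
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(password, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return payload


def parse_advertisement(payload):
    """Decode a verified payload back into its fields."""
    vt, vhid, advskew, advbase = struct.unpack("!BBBB", payload[:4])
    addresses = [str(ipaddress.IPv4Address(payload[i:i + 4]))
                 for i in range(4, len(payload), 4)]
    return {"version": vt >> 4, "type": vt & 0x0F, "vhid": vhid,
            "advskew": advskew, "advbase": advbase, "addresses": addresses}


def demo():
    """Run the genuine / wrong-key / tampered / replayed checks and report each."""
    key = b"s3cret-shared-pass"          # constructed shared password
    adv = authenticate(build_advertisement(1, 100, 1, ["192.0.2.10"]), key)

    results = {}
    results["genuine"] = verify(adv, key) is not None
    results["wrong_key"] = verify(adv, b"another-pass") is not None

    # An attacker rewrites advskew from 100 to 0 to look like the preferred
    # master but cannot recompute the tag without the password.
    forged = bytearray(adv)
    forged[2] = 0
    results["tampered"] = verify(bytes(forged), key) is not None

    # The HMAC says nothing about freshness: the same captured bytes verify
    # again later. Replay protection needs state (a counter or timestamp) that
    # this tag does not carry.
    results["replayed"] = verify(adv, key) is not None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} verifies: {ok}")
```

The `hmac.compare_digest` call is the one detail worth copying into any userland implementation: a plain `==` on the tag bytes is a timing side channel against a secret that is shared by every host in the group.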