Blame extensions/libxt_cluster.man

Packit Service d1fe03
Allows you to deploy gateway and back-end load-sharing clusters without the
need for load balancers.
.PP
This match requires that all the nodes see the same packets. Thus, the cluster
match decides if this node has to handle a packet given the following options:
.TP
\fB\-\-cluster\-total\-nodes\fP \fInum\fP
Set the total number of nodes in the cluster.
.TP
[\fB!\fP] \fB\-\-cluster\-local\-node\fP \fInum\fP
Set the local node number ID.
.TP
[\fB!\fP] \fB\-\-cluster\-local\-nodemask\fP \fImask\fP
Set the local node number ID mask. You can use this option instead
of \fB\-\-cluster\-local\-node\fP.
.TP
\fB\-\-cluster\-hash\-seed\fP \fIvalue\fP
Set the seed value of the Jenkins hash.
.PP
Example:
.IP
iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster
\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
\-\-cluster\-hash\-seed 0xdeadbeef
\-j MARK \-\-set\-mark 0xffff
.IP
iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster
\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
\-\-cluster\-hash\-seed 0xdeadbeef
\-j MARK \-\-set\-mark 0xffff
.IP
iptables \-A PREROUTING \-t mangle \-i eth1
\-m mark ! \-\-mark 0xffff \-j DROP
.IP
iptables \-A PREROUTING \-t mangle \-i eth2
\-m mark ! \-\-mark 0xffff \-j DROP
.PP
And the following commands to make all nodes see the same packets:
.IP
ip maddr add 01:00:5e:00:01:01 dev eth1
.IP
ip maddr add 01:00:5e:00:01:02 dev eth2
.IP
arptables \-A OUTPUT \-o eth1 \-\-h\-length 6
\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:01
.IP
arptables \-A INPUT \-i eth1 \-\-h\-length 6
\-\-destination\-mac 01:00:5e:00:01:01
\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
.IP
arptables \-A OUTPUT \-o eth2 \-\-h\-length 6
\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:02
.IP
arptables \-A INPUT \-i eth2 \-\-h\-length 6
\-\-destination\-mac 01:00:5e:00:01:02
\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
.PP
\fBNOTE\fP: the arptables commands above use mainstream syntax. If you
are using arptables-jf included in some Red Hat, CentOS and Fedora
versions, you will hit syntax errors. Therefore, you'll have to adapt
these to the arptables-jf syntax to get them working.
.PP
In the case of TCP connections, the pickup facility has to be disabled
to avoid marking TCP ACK packets coming in the reply direction as
valid.
.IP
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
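.PP
The node-selection behaviour described above can be modelled offline to audit a cluster's settings before the rules are loaded: every packet must be claimed by exactly one node, otherwise it is either processed twice or dropped everywhere. The Python below is an added example, not code from iptables or the kernel. Assumptions: the hash is a Jenkins-style mix used as a model (not claimed bit-exact), the key is the source IPv4 address, the hash is scaled onto node buckets, node N maps to mask bit N-1, and the names gw1, gw2 and audit are hypothetical.

```python
import ipaddress

M = 0xFFFFFFFF

def rol32(x, k):
    return ((x << k) | (x >> (32 - k))) & M

def jenkins_word(word, seed):
    # Jenkins lookup3-style final mix of one 32-bit word (model only; not
    # claimed to be bit-exact with the kernel's hash).
    v = [(0xDEADBEEF + 4 + seed) & M] * 3          # a, b, c
    v[0] = (v[0] + word) & M
    for i, k in enumerate((14, 11, 25, 16, 4, 14, 24)):
        t, s = ((2, 1), (0, 2), (1, 0))[i % 3]     # c^=b, a^=c, b^=a, ...
        v[t] = ((v[t] ^ v[s]) - rol32(v[s], k)) & M
    return v[2]

def bucket(src_ip, total_nodes, seed):
    # Assumption: the key is the connection's source IPv4 address and the
    # 32-bit hash is scaled onto 0..total_nodes-1.
    h = jenkins_word(int(ipaddress.IPv4Address(src_ip)), seed)
    return (h * total_nodes) >> 32

def node_mask(local_node):
    # Assumption: --cluster-local-node N is shorthand for mask bit N-1.
    return 1 << (local_node - 1)

def handles(node, src_ip):
    return bool((1 << bucket(src_ip, node["total"], node["seed"])) & node["mask"])

def audit(nodes, sample_ips):
    """Return {ip: [nodes that would mark it]} for every sample address
    that is not handled by exactly one node."""
    findings = {}
    for ip in sample_ips:
        owners = [n["name"] for n in nodes if handles(n, ip)]
        if len(owners) != 1:
            findings[ip] = owners
    return findings

# Constructed sample data: 256 client addresses from a documentation range.
SAMPLES = [f"192.0.2.{i}" for i in range(256)]
GOOD = [{"name": "gw1", "total": 2, "mask": node_mask(1), "seed": 0xdeadbeef},
        {"name": "gw2", "total": 2, "mask": node_mask(2), "seed": 0xdeadbeef}]
# Misconfiguration: gw2 was cloned from gw1 and kept --cluster-local-node 1.
CLONED = [GOOD[0], dict(GOOD[1], mask=node_mask(1))]

if __name__ == "__main__":
    print("good:", len(audit(GOOD, SAMPLES)), "addresses misrouted")
    print("cloned:", len(audit(CLONED, SAMPLES)), "addresses misrouted")
```

In the cloned configuration every address is flagged: those in the first bucket are marked by both nodes, and the rest are marked by neither, so the DROP rules from the example discard them on every node.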