.\" blame: Pablo Neira Ayuso | cd958a6 | 2009-05-06 13:01:20 +0200
.\" blame: Jan Engelhardt | 18c475d | 2009-06-10 20:18:43 +0200
Allows you to deploy gateway and back-end load-sharing clusters without the
need for load balancers.
.PP
This match requires that all the nodes see the same packets. Thus, the cluster
match decides whether this node has to handle a packet, given the following options:
.TP
\fB\-\-cluster\-total\-nodes\fP \fInum\fP
Set the total number of nodes in the cluster.
.TP
[\fB!\fP] \fB\-\-cluster\-local\-node\fP \fInum\fP
Set the local node number ID.
.TP
[\fB!\fP] \fB\-\-cluster\-local\-nodemask\fP \fImask\fP
Set the local node number ID mask. You can use this option instead
of \fB\-\-cluster\-local\-node\fP.
.TP
\fB\-\-cluster\-hash\-seed\fP \fIvalue\fP
Set the seed value of the Jenkins hash.
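.PP
The following Python model shows how the four options above combine into a per-packet decision. It is an added example, not code from the iptables or netfilter projects. It assumes (labelled in the code) that the kernel match hashes the original-direction source IPv4 address with jhash_1word(addr, hash_seed), scales the 32-bit result into [0, total_nodes) with reciprocal_scale, and matches when the resulting slot bit is set in the node mask that \-\-cluster\-local\-node (bit num\-1) or \-\-cluster\-local\-nodemask builds. The jhash variant follows the lookup3-based jhash.h of current kernels and hashes the address as a host-order integer; older kernels used a different mixing function and the kernel hashes the wire-order word, so slot numbers need not match a given kernel bit-for-bit. The properties the example checks (every flow has exactly one owner, every node reaches the same verdict for the same packet, a mask covering all nodes matches everything) hold regardless of the hash variant.

```python
"""
Model of the xt_cluster node-selection decision (added example; assumptions
about the kernel's hashing are labelled inline and in the lead-in).
"""
import ipaddress

JHASH_INITVAL = 0xDEADBEEF   # JHASH_INITVAL from include/linux/jhash.h
MASK32 = 0xFFFFFFFF
NODES_MAX = 32               # XT_CLUSTER_NODES_MAX: one bit per node in the mask


def _rol32(x, k):
    return ((x << k) | (x >> (32 - k))) & MASK32


def _jhash_final(a, b, c):
    # __jhash_final() mixing step (lookup3 "final"); assumption: current jhash.h
    c ^= b; c = (c - _rol32(b, 14)) & MASK32
    a ^= c; a = (a - _rol32(c, 11)) & MASK32
    b ^= a; b = (b - _rol32(a, 25)) & MASK32
    c ^= b; c = (c - _rol32(b, 16)) & MASK32
    a ^= c; a = (a - _rol32(c, 4)) & MASK32
    b ^= a; b = (b - _rol32(a, 14)) & MASK32
    c ^= b; c = (c - _rol32(b, 24)) & MASK32
    return c


def jhash_1word(word, initval):
    """jhash_1word(): hash one 32-bit word with a 32-bit seed (--cluster-hash-seed)."""
    init = (initval + JHASH_INITVAL + (1 << 2)) & MASK32
    return _jhash_final((word + init) & MASK32, init, init)


def reciprocal_scale(val, ep_ro):
    """reciprocal_scale(): map a 32-bit value onto [0, ep_ro) without a modulo."""
    return ((val & MASK32) * ep_ro) >> 32


def node_mask_for_local_node(num, total_nodes):
    """--cluster-local-node NUM builds the mask 1 << (NUM-1); NUM is 1-based."""
    if not 1 <= total_nodes <= NODES_MAX:
        raise ValueError("total nodes must be in 1..%d" % NODES_MAX)
    if not 1 <= num <= total_nodes:
        raise ValueError("local node must be in 1..%d" % total_nodes)
    return 1 << (num - 1)


def cluster_slot(src_ip, hash_seed, total_nodes):
    """Slot in [0, total_nodes) that owns flows from src_ip (assumed hash input)."""
    addr = int(ipaddress.IPv4Address(src_ip))
    return reciprocal_scale(jhash_1word(addr, hash_seed), total_nodes)


def cluster_match(src_ip, hash_seed, total_nodes, node_mask, invert=False):
    """True when the node described by node_mask must handle a packet from src_ip.

    invert models the leading '!' of --cluster-local-node / --cluster-local-nodemask.
    """
    slot = cluster_slot(src_ip, hash_seed, total_nodes)
    return bool((1 << slot) & node_mask) != invert


if __name__ == "__main__":
    # Constructed sample flows; the seed is the one used in the man page example.
    seed, total = 0xDEADBEEF, 2
    masks = {n: node_mask_for_local_node(n, total) for n in (1, 2)}
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.250"):
        owners = [n for n, m in masks.items() if cluster_match(ip, seed, total, m)]
        print(ip, "-> handled by node", owners)
```

Because every node runs the same hash over the same packet, the decision is purely local: no node needs to talk to the others, which is why the match only works when all nodes receive every packet (the multicast MAC setup in the example below). Changing the seed or the node count on one node but not the others breaks that agreement, and flows then end up with no owner or with two.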
.PP
Example:
.IP
iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster
\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
\-\-cluster\-hash\-seed 0xdeadbeef
\-j MARK \-\-set\-mark 0xffff
.IP
iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster
\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
\-\-cluster\-hash\-seed 0xdeadbeef
\-j MARK \-\-set\-mark 0xffff
.IP
iptables \-A PREROUTING \-t mangle \-i eth1
\-m mark ! \-\-mark 0xffff \-j DROP
.IP
iptables \-A PREROUTING \-t mangle \-i eth2
\-m mark ! \-\-mark 0xffff \-j DROP
.PP
And the following commands to make all nodes see the same packets:
.IP
ip maddr add 01:00:5e:00:01:01 dev eth1
.IP
ip maddr add 01:00:5e:00:01:02 dev eth2
.IP
arptables \-A OUTPUT \-o eth1 \-\-h\-length 6
\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:01
.IP
arptables \-A INPUT \-i eth1 \-\-h\-length 6
\-\-destination\-mac 01:00:5e:00:01:01
\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
.IP
arptables \-A OUTPUT \-o eth2 \-\-h\-length 6
\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:02
.IP
arptables \-A INPUT \-i eth2 \-\-h\-length 6
\-\-destination\-mac 01:00:5e:00:01:02
\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
.PP
In the case of TCP connections, the pickup facility has to be disabled
to avoid marking TCP ACK packets coming in the reply direction as
valid.
.IP
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose