Sorry, couldn't resist - so out of hiding for just a few seconds; should
be able to achieve this much simpler with gact.
Example:
Consider two machines which are allowed to receive only packets for 10.0.0.3.
A simple balance scheme is to have even src IPs being processed by one
and odd by another.
# add ingress qdisc to eth2 (handle ffff: is what the filters below attach to)
tc qdisc add dev eth2 ingress
# Accept arps destined for 10.0.0.3 but sourced from even numbered
# src addresses
# (offset 24 = ARP target IP, offset 17 = last byte of ARP sender IP)
tc filter add dev eth2 parent ffff: protocol arp prio 6 u32 \
  match u32 0xa000003 0xffffffff at 24 \
  match u8 0x0 0x1 at 17 \
  flowid 1:2 action ok
# drop any other arps for 10.0.0.3
tc filter add dev eth2 parent ffff: protocol arp prio 7 u32 \
  match u32 0xa000003 0xffffffff at 24 \
  flowid 1:2 action drop
On a second machine which is doing odd just change the u8 to 0x1 0x1.
No need to send fake ARPs using multicast with this. But if you wanted
to be funky you could use pedit to create a virtual MAC address.
We use this well with a lot more complex static rules and failover.
cheers,
jamal (Back to work)
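As an added example (not part of jamal's post, and not tc itself), here is a small Python model of the two u32 filters above, run over constructed ARP packets. It shows why offset 24 picks the ARP target IP and offset 17 the last byte of the ARP sender IP, and how the u8 match with mask 0x1 gives the even/odd split; the packet bytes, the `build_arp_request` helper and the verdict names are constructed for this illustration.

```python
# Added example: model the u32 matches from the tc filters above on
# constructed ARP packets. tc's 'protocol arp' u32 offsets are relative
# to the start of the ARP header, so that is all we build here.
import struct
import ipaddress

TARGET_IP_WORD = 0x0a000003  # 10.0.0.3 as the u32 value in the filters


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Build a 28-byte Ethernet/IPv4 ARP request header (constructed input).

    Layout: htype(2) ptype(2) hlen(1) plen(1) op(2) sha(6) spa(4) tha(6) tpa(4)
    so the sender IP sits at bytes 14..17 and the target IP at bytes 24..27.
    """
    return struct.pack(
        "!HHBBH6s4s6s4s",
        1,              # hardware type: Ethernet
        0x0800,         # protocol type: IPv4
        6, 4,           # hardware / protocol address lengths
        1,              # opcode: request
        sender_mac,
        ipaddress.IPv4Address(sender_ip).packed,
        b"\x00" * 6,    # target MAC is unknown in a request
        ipaddress.IPv4Address(target_ip).packed,
    )


def match_u32(pkt: bytes, value: int, mask: int, at: int) -> bool:
    """Equivalent of 'match u32 VALUE MASK at OFFSET': big-endian word compare."""
    word = struct.unpack_from("!I", pkt, at)[0]
    return (word & mask) == (value & mask)


def match_u8(pkt: bytes, value: int, mask: int, at: int) -> bool:
    """Equivalent of 'match u8 VALUE MASK at OFFSET'."""
    return (pkt[at] & mask) == (value & mask)


def filter_verdict(pkt: bytes, local_parity: int) -> str:
    """Apply the two filters in priority order for a node handling
    even (local_parity=0) or odd (local_parity=1) source addresses.

    Returns 'ok' (prio 6 accept), 'drop' (prio 7 drop) or 'unmatched'
    (an ARP for some other target, which neither filter touches).
    """
    for_us = match_u32(pkt, TARGET_IP_WORD, 0xffffffff, 24)
    # prio 6: ARP for 10.0.0.3 whose sender IP has the parity we serve
    if for_us and match_u8(pkt, local_parity, 0x1, 17):
        return "ok"
    # prio 7: any other ARP for 10.0.0.3 is dropped
    if for_us:
        return "drop"
    return "unmatched"


if __name__ == "__main__":
    mac = b"\x02\x00\x00\x00\x00\x01"
    for sender in ("10.0.0.8", "10.0.0.9"):
        pkt = build_arp_request(mac, sender, "10.0.0.3")
        print(sender, "even-node:", filter_verdict(pkt, 0),
              "odd-node:", filter_verdict(pkt, 1))
```

Running it shows a request from 10.0.0.8 accepted on the even node and dropped on the odd one, and the reverse for 10.0.0.9; a request for any other target falls through both filters, which is why the prio 7 rule is scoped to 10.0.0.3 rather than dropping all remaining ARP.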
On Thu, 2004-10-21 at 12:36, Harald Welte wrote:
> On Thu, Oct 21, 2004 at 12:38:28AM +0200, Harald Welte wrote:
> Hi Dave!
>
> This is the 'CLUSTERIP' target for iptables, this time no core kernel
> changes required, please apply.
>
> This enables you to build a static load sharing cluster between multiple
> nodes - without the requirement to have a load balancer. It uses a
> series of [evil] tricks like replying with linklayer multicast addresses
> to ARP requests, and using CONNMARK for stateful blocking all traffic
> not intended for the local node.
>
> Apart from the usual netfilter-specific file additions and
> Kconfig/Makefile patches, this needs to export proc_file_operations in
> order to get the reference counting of certain data objects right. I
> hope this change is acceptable.
>
> Signed-off-by: Harald Welte <laforge@xxxxxxxxxxxxx>