Diffstat (limited to 'doc')
 -rw-r--r--  doc/manual/conntrack-tools.tmpl  | 17
 -rw-r--r--  doc/sync/notrack/README           | 16
 -rw-r--r--  doc/sync/notrack/conntrackd.conf  | 120
3 files changed, 80 insertions, 73 deletions
diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl index 4936a76..40c331c 100644 --- a/doc/manual/conntrack-tools.tmpl +++ b/doc/manual/conntrack-tools.tmpl @@ -573,20 +573,27 @@ Sync { </sect3> <sect3 id="sync-transport-protocol"> -<title>Using UDP, TCP or multicast for flow-state synchronization</title> + +<title>Using UDP, multicast, TCP or TIPC for flow-state synchronization</title> <para>You can use up to three different transport layer protocols to - synchronize flow-state changes between the firewalls: UDP, TCP and - Multicast. UDP and multicast are unreliable but together with the FT-FW - mode provide partial reliable flow-state synchronization. + synchronize flow-state changes between the firewalls: UDP, TCP, Multicast and +TIPC. UDP and multicast are unreliable but together with the FT-FW + mode provide partial reliable flow-state synchronization. TIPC provides a +connectionless yet reliable message-based delivery system. </para> - <para>The preferred choice is FT-FW over UDP, or multicast alternatively. + <para>The preferred choice is FT-FW over UDP unicast/multicast, or TIPC alternatively. TCP introduces latency in the flow-state synchronization due to the congestion control. Under flow-state message are lost, the FIFO delivery becomes also a problem since the backup firewall quickly gets out of sync. For that reason, its use is discouraged. Note that using TCP only makes sense with the NOTRACK mode. + TIPC provides some kind of link level sequencing in order to guarantee succesfull + delivery of messages between nodes in the cluster. Hence, it is recommended to use it + along with NOTRACK mode to minimise protocol overhead on the firewalls dedicated link. + Further informations on how to configure TIPC can be found in the README file under + the doc/notrack/ directory </para> </sect3> diff --git a/doc/sync/notrack/README b/doc/sync/notrack/README index b064e21..e7afcc7 100644 --- a/doc/sync/notrack/README 
+++ b/doc/sync/notrack/README @@ -1,3 +1,13 @@ -This directory contains the files for the NOTRACK replication protocol. This -protocol provides best effort delivery. Therefore, it is unreliable unless -that you select TCP-based state-synchronization. +Installation instructions : + +TIPC is a built-in kernel module since kernel version 2.6.35 ; please make sure your using a => 2.6.35 kernel with TIPC 2.0, as this patch has not been tested with older versions of the protocol yet. + +For easy and fast configuration, you must install the TIPC utilies v2.0.0, available from sources here : + + git://tipc.git.sourceforge.net/gitroot/tipc/tipcutils (branch tipcutils2.0) + +or by using aptitude on debian distributions : + + sudo apt-get install tipcutils + +For further details on installation, node and network configuration, please refer to the online documentation : http://tipc.sourceforge.net/doc/tipc_2.0_users_guide.html#installation. diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index 34e7b32..71946ec 100644 --- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf @@ -4,6 +4,17 @@ Sync { Mode NOTRACK { # + # Size of the resend queue (in objects). This is the maximum + # number of objects that can be stored waiting to be confirmed + # via acknoledgment. If you keep this value low, the daemon + # will have less chances to recover state-changes under message + # omission. On the other hand, if you keep this value high, + # the daemon will consume more memory to store dead objects. + # Default is 131072 objects. + # + # ResendQueueSize 131072 + + # # This parameter allows you to set an initial fixed timeout # for the committed entries when this node goes from backup # to primary. This mechanism provides a way to purge entries 
@@ -26,14 +37,19 @@ Sync { # # PurgeTimeout 60 + # Set the acknowledgement window size. If you decrease this + # value, the number of acknowlegdments increases. More + # acknowledgments means more overhead as conntrackd has to + # handle more control messages. On the other hand, if you + # increase this value, the resend queue gets more populated. + # This results in more overhead in the queue releasing. + # The following value is based on some practical experiments + # measuring the cycles spent by the acknowledgment handling + # with oprofile. If not set, default window size is 300. # - # This clause allows you to disable the internal cache. Thus, - # the synchronization messages are directly send through - # the dedicated link. This option is set of off by default. - # - # DisableInternalCache Off + # ACKWindowSize 300 - # + # # This clause allows you to disable the external cache. Thus, # the state entries are directly injected into the kernel # conntrack table. As a result, you save memory in user-space 
@@ -57,33 +73,33 @@ Sync { # iptables -I INPUT -d 225.0.0.50 -j ACCEPT # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT # - Multicast { + # Multicast { # # Multicast address: The address that you use as destination # in the synchronization messages. You do not have to add # this IP to any of your existing interfaces. If any doubt, # do not modify this value. # - IPv4_address 225.0.0.50 + # IPv4_address 225.0.0.50 # # The multicast group that identifies the cluster. If any # doubt, do not modify this value. # - Group 3780 + # Group 3780 # # IP address of the interface that you are going to use to # send the synchronization messages. Remember that you must # use a dedicated link for the synchronization messages. # - IPv4_interface 192.168.100.100 + # IPv4_interface 192.168.100.100 # # The name of the interface that you are going to use to # send the synchronization messages. # - Interface eth2 + # Interface eth2 # The multicast sender uses a buffer to enqueue the packets # that are going to be transmitted. The default size of this @@ -94,10 +110,8 @@ Sync { # notice some packet loss, you may want to increase the size # of the sender buffer. The default size is usually around # ~100 KBytes which is fairly small for busy firewalls. - # Note: This protocol is best effort, it is really recommended - # to increase the buffer size. # - SndSocketBuffer 1249280 + # SndSocketBuffer 1249280 # The multicast receiver uses a buffer to enqueue the packets # that the socket is pending to handle. The default size of this 
@@ -106,20 +120,18 @@ Sync { # receiver queue. The overrun results packet loss, thus, losing # state information that would have to be retransmitted. If you # notice some packet loss, you may want to increase the size of - # of the sender buffer. The default size is usually around + # the receiver buffer. The default size is usually around # ~100 KBytes which is fairly small for busy firewalls. - # Note: This protocol is best effort, it is really recommended - # to increase the buffer size. # - RcvSocketBuffer 1249280 + # RcvSocketBuffer 1249280 - # + # # Enable/Disable message checksumming. This is a good # property to achieve fault-tolerance. In case of doubt, do # not modify this value. # - Checksum on - } + # Checksum on + # } # # You can specify more than one dedicated link. Thus, if one dedicated # link fails, conntrackd can fail-over to another. Note that adding 
@@ -192,60 +204,37 @@ Sync { # Checksum on # } - # - # You can also use Unicast TCP to propagate events. Thus, the NOTRACK - # mode becomes reliable. - # - # TCP { - # - # TCP address that this firewall uses to listen to events. - # - # IPv4_address 192.168.2.100 - # - # or you may want to use an IPv6 address: - # - # IPv6_address fe80::215:58ff:fe28:5a27 - - # - # Destination TCP address that receives events, ie. the other - # firewall's dedicated link address. + TIPC { # - # IPv4_Destination_Address 192.168.2.101 + # Name of the other TIPC port in the cluster (in the form type:instance) # - # or you may want to use an IPv6 address: + TIPC_Destination_Name 1000:51 + # - # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c - + # Name of the local TIPC port (used to listen to events) # - # TCP port used - # - # Port 3780 + TIPC_Name 1000:50 # - # The name of the interface that you are going to use to - # send the synchronization messages. - # - # Interface eth2 - - # - # The sender socket buffer size + # The name of the TIPC configured interface that you are going to use + # to send synchronization messages. # - # SndSocketBuffer 1249280 - + Interface eth0 + # - # The receiver socket buffer size + # The importance of the TIPC messages sent (the more important this is, the more packets will be enabled to queue up on the slave) + # This should be set to High or Critical to avoid congestion on the receiver side. + # (possible values : TIPC_LOW_IMPORTANCE, TIPC_MEDIUM_IMPORTANCE, TIPC_HIGH_IMPORTANCE, TIPC_CRITICAL_IMPROTANCE) # - # RcvSocketBuffer 1249280 + TIPC_Message_Importance TIPC_CRITICAL_IMPORTANCE - # - # Enable/Disable message checksumming. # - # Checksum on - # } + # Current TIPC implementation doesnt allow checksumming + } - # + # # Other unsorted options that are related to the synchronization. - # + # # Options { # # TCP state-entries have window tracking disabled by default, 
@@ -259,9 +248,9 @@ Sync { # you want to enable. Default is off. # # ExpectationSync { - # ftp - # h323 - # sip + # ftp + # h323 + # sip # } # # You can use this alternatively: @@ -368,6 +357,7 @@ General { # # NetlinkOverrunResync On + # # If you want reliable event reporting over Netlink, set on this # option. If you set on this clause, it is a good idea to set off # NetlinkOverrunResync. This option is off by default and you need |
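Review bot: In doc/manual/conntrack-tools.tmpl (@@ -573,20 +573,27) the sentence still opens with "You can use up to three different transport layer protocols" while the list that follows now names four (UDP, TCP, Multicast and TIPC); update the count. The new paragraph also sends readers to "the README file under the doc/notrack/ directory", but the README this patch edits lives at doc/sync/notrack/README, so the path is wrong. The sentence "TIPC provides some kind of link level sequencing in order to guarantee succesfull delivery" is too vague for a manual: say what the reader actually gets (reliable, in-order delivery between cluster nodes, as the earlier sentence states) and drop the hedge. Minor: "succesfull" should be "successful", "informations" should be "information", the final sentence lacks a full stop, and the blank line inserted between <sect3 id="sync-transport-protocol"> and <title> is stray whitespace.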
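Review bot: The README hunk (@@ -1,3 +1,13) deletes the only sentence saying what the directory contains ("the files for the NOTRACK replication protocol ... best effort delivery") and replaces the whole file with TIPC installation steps; keep the original description and append the TIPC material under its own heading, since the manual hunk still allows NOTRACK over UDP and multicast. In the added text, "make sure your using a => 2.6.35 kernel" should read "make sure you are using a >= 2.6.35 kernel", "utilies" should be "utilities", and the prose says "by using aptitude" while the command given is "sudo apt-get install tipcutils"; pick one. The source reference uses the git:// transport, which provides neither authentication of the server nor integrity protection for what is fetched; if the tipcutils repository is reachable over an authenticated transport (https or ssh), reference that instead, or tell the reader which tag to build from so the checkout can be verified.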
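Review bot: The conntrackd.conf hunk at @@ -4,6 +4,17 adds a ResendQueueSize comment block inside "Mode NOTRACK {" describing objects "waiting to be confirmed via acknoledgment" (typo: acknowledgment). The README text this same patch removes described NOTRACK as best-effort delivery, and nothing in the patch says NOTRACK now acknowledges messages; please confirm that ResendQueueSize is honoured in NOTRACK mode (and over TIPC specifically). If it is not, this block documents an option that does nothing in this file and should be left out rather than mislead operators into expecting retransmission.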
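Review bot: In @@ -26,14 +37,19 the ACKWindowSize block is added (typo "acknowlegdments") while the DisableInternalCache comment block is removed, and nothing in the commit explains why the internal-cache option disappears from the NOTRACK example; either keep it or state in the description that it no longer applies. The same hunk replaces a "#" comment line with one that differs only in trailing whitespace, which is noise unrelated to TIPC support; drop it. As with ResendQueueSize, confirm that an acknowledgement window has any effect in NOTRACK mode before documenting it here.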
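Review bot: Commenting out the whole Multicast block in @@ -57,33 +73,33 silently changes the example's active transport from multicast to TIPC. The iptables lines kept just above the block ("iptables -I INPUT -d 225.0.0.50 -j ACCEPT", "iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT") still describe the multicast setup, so either comment them out as well or add a sentence saying they apply only when Multicast is re-enabled. Consider leaving Multicast active in this sample and shipping the TIPC block commented out instead, so an operator who copies the file after upgrading does not end up with a synchronization link configured for a transport the kernel may not have loaded.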
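Review bot: In @@ -94,10 +110,8 the line "Note: This protocol is best effort, it is really recommended to increase the buffer size" is removed from the SndSocketBuffer comment. The multicast transport it describes is still best effort according to the manual hunk in this same patch, so the advice remains valid for anyone who re-enables the block; keep the note.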
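Review bot: The @@ -106,20 +120,18 hunk contains a good but unrelated fix ("of the sender buffer" becomes "the receiver buffer" in the RcvSocketBuffer comment); split it into its own commit so it survives if the TIPC change is reverted. The hunk also drops the best-effort note for the receiver buffer (same objection as for the sender buffer) and includes another "#" line that changes only in trailing whitespace.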
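Review bot: In @@ -192,60 +204,37 the entire commented TCP block (IPv4_address, IPv6_address, the *_Destination_Address lines, Port, Interface, SndSocketBuffer, RcvSocketBuffer, Checksum) is deleted, yet the manual hunk in this patch still lists TCP as a transport and says "using TCP only makes sense with the NOTRACK mode"; keep the TCP block, commented out, beside the new TIPC one. In the TIPC block: "TIPC_CRITICAL_IMPROTANCE" in the list of possible values should be TIPC_CRITICAL_IMPORTANCE, which is the value actually set two lines later; "doesnt" should be "does not"; the parenthetical "the more important this is, the more packets will be enabled to queue up on the slave" should be reworded in the style of the surrounding comments, for example "Higher importance lets the receiving node queue more messages before it starts dropping them"; and the comment lines are far wider than the rest of this file. TIPC_Destination_Name is listed before TIPC_Name, the reverse of the local-then-remote order used in the TCP block it replaces; match that order. Finally, "Current TIPC implementation doesnt allow checksumming" leaves this transport without the Checksum option the others offer; say whether TIPC's own link-level integrity checking covers the same case, so operators know what protection they are giving up by choosing it.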
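Review bot: @@ -259,9 +248,9 changes only the indentation of the "# ftp", "# h323" and "# sip" lines under ExpectationSync; this is unrelated whitespace churn and should be dropped from the TIPC patch.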
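Review bot: @@ -368,6 +357,7 adds a lone "#" line in the General section ahead of the reliable-event-reporting comment; it is cosmetic and unrelated to this change, so drop it or move it to a separate whitespace cleanup commit.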