Diffstat (limited to 'doc')
-rw-r--r--doc/manual/conntrack-tools.tmpl17
-rw-r--r--doc/sync/notrack/README16
-rw-r--r--doc/sync/notrack/conntrackd.conf120
3 files changed, 80 insertions, 73 deletions
diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl
index 4936a76..40c331c 100644
--- a/doc/manual/conntrack-tools.tmpl
+++ b/doc/manual/conntrack-tools.tmpl
@@ -573,20 +573,27 @@ Sync {
</sect3>
<sect3 id="sync-transport-protocol">
-<title>Using UDP, TCP or multicast for flow-state synchronization</title>
+
+<title>Using UDP, multicast, TCP or TIPC for flow-state synchronization</title>
<para>You can use up to three different transport layer protocols to
- synchronize flow-state changes between the firewalls: UDP, TCP and
- Multicast. UDP and multicast are unreliable but together with the FT-FW
- mode provide partial reliable flow-state synchronization.
+ synchronize flow-state changes between the firewalls: UDP, TCP, Multicast and
+TIPC. UDP and multicast are unreliable but together with the FT-FW
+ mode provide partial reliable flow-state synchronization. TIPC provides a
+connectionless yet reliable message-based delivery system.
</para>
- <para>The preferred choice is FT-FW over UDP, or multicast alternatively.
+ <para>The preferred choice is FT-FW over UDP unicast/multicast, or TIPC alternatively.
TCP introduces latency in the flow-state synchronization due to the
congestion control. Under flow-state message are lost, the FIFO delivery
becomes also a problem since the backup firewall quickly gets out of
sync. For that reason, its use is discouraged. Note that using TCP only
makes sense with the NOTRACK mode.
+ TIPC provides some kind of link level sequencing in order to guarantee succesfull
+ delivery of messages between nodes in the cluster. Hence, it is recommended to use it
+ along with NOTRACK mode to minimise protocol overhead on the firewalls dedicated link.
+ Further informations on how to configure TIPC can be found in the README file under
+ the doc/notrack/ directory
</para>
</sect3>
diff --git a/doc/sync/notrack/README b/doc/sync/notrack/README
index b064e21..e7afcc7 100644
--- a/doc/sync/notrack/README
+++ b/doc/sync/notrack/README
@@ -1,3 +1,13 @@
-This directory contains the files for the NOTRACK replication protocol. This
-protocol provides best effort delivery. Therefore, it is unreliable unless
-that you select TCP-based state-synchronization.
+Installation instructions :
+
+TIPC is a built-in kernel module since kernel version 2.6.35 ; please make sure your using a => 2.6.35 kernel with TIPC 2.0, as this patch has not been tested with older versions of the protocol yet.
+
+For easy and fast configuration, you must install the TIPC utilies v2.0.0, available from sources here :
+
+ git://tipc.git.sourceforge.net/gitroot/tipc/tipcutils (branch tipcutils2.0)
+
+or by using aptitude on debian distributions :
+
+ sudo apt-get install tipcutils
+
+For further details on installation, node and network configuration, please refer to the online documentation : http://tipc.sourceforge.net/doc/tipc_2.0_users_guide.html#installation.
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 34e7b32..71946ec 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -4,6 +4,17 @@
Sync {
Mode NOTRACK {
#
+ # Size of the resend queue (in objects). This is the maximum
+ # number of objects that can be stored waiting to be confirmed
+ # via acknoledgment. If you keep this value low, the daemon
+ # will have less chances to recover state-changes under message
+ # omission. On the other hand, if you keep this value high,
+ # the daemon will consume more memory to store dead objects.
+ # Default is 131072 objects.
+ #
+ # ResendQueueSize 131072
+
+ #
# This parameter allows you to set an initial fixed timeout
# for the committed entries when this node goes from backup
# to primary. This mechanism provides a way to purge entries
@@ -26,14 +37,19 @@ Sync {
#
# PurgeTimeout 60
+ # Set the acknowledgement window size. If you decrease this
+ # value, the number of acknowlegdments increases. More
+ # acknowledgments means more overhead as conntrackd has to
+ # handle more control messages. On the other hand, if you
+ # increase this value, the resend queue gets more populated.
+ # This results in more overhead in the queue releasing.
+ # The following value is based on some practical experiments
+ # measuring the cycles spent by the acknowledgment handling
+ # with oprofile. If not set, default window size is 300.
#
- # This clause allows you to disable the internal cache. Thus,
- # the synchronization messages are directly send through
- # the dedicated link. This option is set of off by default.
- #
- # DisableInternalCache Off
+ # ACKWindowSize 300
- #
+ #
# This clause allows you to disable the external cache. Thus,
# the state entries are directly injected into the kernel
# conntrack table. As a result, you save memory in user-space
@@ -57,33 +73,33 @@ Sync {
# iptables -I INPUT -d 225.0.0.50 -j ACCEPT
# iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
#
- Multicast {
+ # Multicast {
#
# Multicast address: The address that you use as destination
# in the synchronization messages. You do not have to add
# this IP to any of your existing interfaces. If any doubt,
# do not modify this value.
#
- IPv4_address 225.0.0.50
+ # IPv4_address 225.0.0.50
#
# The multicast group that identifies the cluster. If any
# doubt, do not modify this value.
#
- Group 3780
+ # Group 3780
#
# IP address of the interface that you are going to use to
# send the synchronization messages. Remember that you must
# use a dedicated link for the synchronization messages.
#
- IPv4_interface 192.168.100.100
+ # IPv4_interface 192.168.100.100
#
# The name of the interface that you are going to use to
# send the synchronization messages.
#
- Interface eth2
+ # Interface eth2
# The multicast sender uses a buffer to enqueue the packets
# that are going to be transmitted. The default size of this
@@ -94,10 +110,8 @@ Sync {
# notice some packet loss, you may want to increase the size
# of the sender buffer. The default size is usually around
# ~100 KBytes which is fairly small for busy firewalls.
- # Note: This protocol is best effort, it is really recommended
- # to increase the buffer size.
#
- SndSocketBuffer 1249280
+ # SndSocketBuffer 1249280
# The multicast receiver uses a buffer to enqueue the packets
# that the socket is pending to handle. The default size of this
@@ -106,20 +120,18 @@ Sync {
# receiver queue. The overrun results packet loss, thus, losing
# state information that would have to be retransmitted. If you
# notice some packet loss, you may want to increase the size of
- # of the sender buffer. The default size is usually around
+ # the receiver buffer. The default size is usually around
# ~100 KBytes which is fairly small for busy firewalls.
- # Note: This protocol is best effort, it is really recommended
- # to increase the buffer size.
#
- RcvSocketBuffer 1249280
+ # RcvSocketBuffer 1249280
- #
+ #
# Enable/Disable message checksumming. This is a good
# property to achieve fault-tolerance. In case of doubt, do
# not modify this value.
#
- Checksum on
- }
+ # Checksum on
+ # }
#
# You can specify more than one dedicated link. Thus, if one dedicated
# link fails, conntrackd can fail-over to another. Note that adding
@@ -192,60 +204,37 @@ Sync {
# Checksum on
# }
- #
- # You can also use Unicast TCP to propagate events. Thus, the NOTRACK
- # mode becomes reliable.
- #
- # TCP {
- #
- # TCP address that this firewall uses to listen to events.
- #
- # IPv4_address 192.168.2.100
- #
- # or you may want to use an IPv6 address:
- #
- # IPv6_address fe80::215:58ff:fe28:5a27
-
- #
- # Destination TCP address that receives events, ie. the other
- # firewall's dedicated link address.
+ TIPC {
#
- # IPv4_Destination_Address 192.168.2.101
+ # Name of the other TIPC port in the cluster (in the form type:instance)
#
- # or you may want to use an IPv6 address:
+ TIPC_Destination_Name 1000:51
+
#
- # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
-
+ # Name of the local TIPC port (used to listen to events)
#
- # TCP port used
- #
- # Port 3780
+ TIPC_Name 1000:50
#
- # The name of the interface that you are going to use to
- # send the synchronization messages.
- #
- # Interface eth2
-
- #
- # The sender socket buffer size
+ # The name of the TIPC configured interface that you are going to use
+ # to send synchronization messages.
#
- # SndSocketBuffer 1249280
-
+ Interface eth0
+
#
- # The receiver socket buffer size
+ # The importance of the TIPC messages sent (the more important this is, the more packets will be enabled to queue up on the slave)
+ # This should be set to High or Critical to avoid congestion on the receiver side.
+ # (possible values : TIPC_LOW_IMPORTANCE, TIPC_MEDIUM_IMPORTANCE, TIPC_HIGH_IMPORTANCE, TIPC_CRITICAL_IMPROTANCE)
#
- # RcvSocketBuffer 1249280
+ TIPC_Message_Importance TIPC_CRITICAL_IMPORTANCE
- #
- # Enable/Disable message checksumming.
#
- # Checksum on
- # }
+ # Current TIPC implementation doesnt allow checksumming
+ }
- #
+ #
# Other unsorted options that are related to the synchronization.
- #
+ #
# Options {
#
# TCP state-entries have window tracking disabled by default,
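Review bot: The list of accepted values in the comment above `TIPC_Message_Importance` misspells the last one as `TIPC_CRITICAL_IMPROTANCE`, while the active line right below uses `TIPC_CRITICAL_IMPORTANCE`, so an operator who copies the value from the comment presumably ends up with a config the parser rejects. Change the comment line to `# (possible values : TIPC_LOW_IMPORTANCE, TIPC_MEDIUM_IMPORTANCE, TIPC_HIGH_IMPORTANCE, TIPC_CRITICAL_IMPORTANCE)`. In the same block, `# Current TIPC implementation doesnt allow checksumming` replaces the `Checksum on` knob that the UDP/Multicast sections of this file describe as a fault-tolerance property, and since this sample now enables TIPC by default (the Multicast block is commented out in this same file), a follow-up sentence saying that integrity of synchronization messages on the dedicated link is left to TIPC's own link-level sequencing would let an operator judge that trade-off. The enclosing `Sync { Mode NOTRACK {` block starts and ends outside the hunk.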
@@ -259,9 +248,9 @@ Sync {
# you want to enable. Default is off.
#
# ExpectationSync {
- # ftp
- # h323
- # sip
+ # ftp
+ # h323
+ # sip
# }
#
# You can use this alternatively:
@@ -368,6 +357,7 @@ General {
#
# NetlinkOverrunResync On
+ #
# If you want reliable event reporting over Netlink, set on this
# option. If you set on this clause, it is a good idea to set off
# NetlinkOverrunResync. This option is off by default and you need