Dear Shorewallers,
we are trying to set up an active/active firewall with Shorewall. Our current idea is to use xt_cluster for that, i.e. configure both FWs with the same "outside" IP and MAC and the same "inside" IP and MAC, convince the switch to not care (i.e. act like a "hub"), and then use rules such as:

    iptables -I PREROUTING -t mangle -i external_interface -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff
    iptables -A PREROUTING -t mangle -i external_interface -m mark ! --mark 0xffff -j DROP

Ideally, it would be possible to scale this to more than two nodes. Basic tests show that this works as expected, but the details get messy. We have hit several roadblocks in our minds, and wonder whether Shorewall can solve some of them, or whether anybody on this list is already using Shorewall in an active/active mode:

1. Certainly, conntrackd is needed to synchronize connection states. But is it always "fast enough"? xt_cluster seems to match by the src_ip of the original direction of the flow [0] (if I read the code correctly), but what happens if the reply arrives at both firewalls before state is synchronized? Is there another way which e.g. may use XOR(src,dst), which might work around this requirement, or always uses the "internal" source IP?

2. How to express rules such as the above in Shorewall, and how to do failover in such cases? We can probably use INLINE() and IPTABLES() to put these into the Shorewall config "raw", but is there something cleaner? For failover we'd need to change these rules (if one node fails, the total-nodes will change). As an alternative, I found [1], which states that multiple rules can be used and enabled/disabled, but does somebody know of a cleaner way?

3. We have several internal networks which need to talk to each other (partially with firewall rules and NATting), so we'd also need similar rules there, complicating things more.

4. Another point is how to actually perform the failover. Classical cluster suites (corosync + pacemaker) are used to migrate services rather than to communicate node ids and the number of total active nodes. TIPC may be something to use here, but I found nothing "ready to use".

You may also tell me there's a better way to do this than using xt_cluster. Up to now we've only done "classic" active/passive setups, but maybe someone on this list has already done active/active without commercial hardware and can share experience from this?

Cheers and thanks in advance,
Oliver

[0] https://github.com/torvalds/linux/blob/10a3efd0fee5e881b1866cf45950808575cb0f24/net/netfilter/xt_cluster.c#L16-L19
[1] https://lore.kernel.org/netfilter-devel/499bebbf.7080...@netfilter.org/

Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
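The following is an added worked example; it is not part of Oliver's post and not code from Shorewall or the netfilter project. It is a small Python model of how xt_cluster picks the owning node for a flow (a port of the kernel's jhash_1word() and reciprocal_scale(), hashing the original-direction source IP as the post's reference [0] describes) plus a renderer for the two mangle rules from the post, generalized to N nodes. It assumes a little-endian host (the __be32 source address is fed to jhash as a native u32), that the seed passed to --cluster-hash-seed is used unchanged as the jhash initval, and that node numbering is 1-based as in --cluster-local-node. The client IP list is constructed for the example. What it shows beyond the post: when total-nodes drops from 3 to 2 on failover, flows that belonged to the surviving nodes are reshuffled too, not only the dead node's, so conntrackd has to hold state for every flow on every node, and the reply-before-sync problem in point 1 applies to all of them.

```python
"""Model of xt_cluster node selection (added example, not netfilter code)."""
import ipaddress
import sys

JHASH_INITVAL = 0xDEADBEEF          # include/linux/jhash.h
MASK32 = 0xFFFFFFFF


def _rol32(x, k):
    return ((x << k) | (x >> (32 - k))) & MASK32


def jhash_1word(a, initval):
    """Port of jhash_1word(): __jhash_nwords(a, 0, 0, initval + INITVAL + 4)."""
    iv = (initval + JHASH_INITVAL + (1 << 2)) & MASK32
    a = (a + iv) & MASK32
    b = iv
    c = iv
    # __jhash_final(a, b, c)
    c ^= b; c = (c - _rol32(b, 14)) & MASK32
    a ^= c; a = (a - _rol32(c, 11)) & MASK32
    b ^= a; b = (b - _rol32(a, 25)) & MASK32
    c ^= b; c = (c - _rol32(b, 16)) & MASK32
    a ^= c; a = (a - _rol32(c, 4)) & MASK32
    b ^= a; b = (b - _rol32(a, 14)) & MASK32
    c ^= b; c = (c - _rol32(b, 24)) & MASK32
    return c


def cluster_node(orig_src_ip, total_nodes, seed):
    """1-based node that xt_cluster assigns to a flow.

    The kernel hashes the *original direction* source address of the
    conntrack entry, so a reply packet (whose own src is the server) still
    lands on the node that owns the client. Expected/related connections
    hash on their master entry; that case is not modelled here.
    Assumption: little-endian host, so the __be32 is read as a native u32.
    """
    packed = ipaddress.IPv4Address(orig_src_ip).packed
    word = int.from_bytes(packed, sys.byteorder)
    h = jhash_1word(word, seed)
    return ((h * total_nodes) >> 32) + 1      # reciprocal_scale(h, total_nodes)


def render_rules(iface, total_nodes, local_node, seed, mark=0xFFFF):
    """The two PREROUTING/mangle rules from the post, for one node of N."""
    match = (f"-m cluster --cluster-total-nodes {total_nodes} "
             f"--cluster-local-node {local_node} --cluster-hash-seed {seed:#x}")
    return [
        f"iptables -t mangle -A PREROUTING -i {iface} {match} -j MARK --set-mark {mark:#x}",
        f"iptables -t mangle -A PREROUTING -i {iface} -m mark ! --mark {mark:#x} -j DROP",
    ]


def reassigned_flows(src_ips, seed, before, after):
    """Flows whose owning node changes when total-nodes goes before -> after."""
    moved = {}
    for ip in src_ips:
        old, new = cluster_node(ip, before, seed), cluster_node(ip, after, seed)
        if old != new:
            moved[ip] = (old, new)
    return moved


# Constructed sample of client addresses (not real traffic).
SAMPLE_CLIENTS = [f"198.51.100.{i}" for i in range(1, 41)]
SEED = 0xDEADBEEF

if __name__ == "__main__":
    for node in (1, 2, 3):
        print(f"# node {node} of 3")
        print("\n".join(render_rules("external_interface", 3, node, SEED)))
    moved = reassigned_flows(SAMPLE_CLIENTS, SEED, before=3, after=2)
    survivors = {ip: v for ip, v in moved.items() if v[0] != 3}
    print(f"{len(moved)} of {len(SAMPLE_CLIENTS)} flows change owner on 3->2 failover,")
    print(f"{len(survivors)} of them were on a surviving node, e.g. {list(survivors.items())[:3]}")
```

Because reciprocal_scale() is a plain proportional split and not a consistent hash, changing --cluster-total-nodes reshuffles existing flows across the survivors; the script's last two lines make that visible for the sample set.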