This match requires that all the nodes see the same packets. Thus, the cluster
match decides if this node has to handle a packet given the following options:
.TP
-\fB\-\-cluster\-total\-nodes \fInum\fP
+\fB\-\-cluster\-total\-nodes\fP \fInum\fP
Set number of total nodes in cluster.
.TP
-[\fB!\fP] \fB\-\-cluster\-local\-node \fInum\fP
+[\fB!\fP] \fB\-\-cluster\-local\-node\fP \fInum\fP
Set the local node number ID.
.TP
-[\fB!\fP] \fB\-\-cluster\-local\-nodemask \fImask\fP
+[\fB!\fP] \fB\-\-cluster\-local\-nodemask\fP \fImask\fP
Set the local node number ID mask. You can use this option instead
-of \fB\-\-cluster\-local\-node.
+of \fB\-\-cluster\-local\-node\fP.
.TP
-\fB\-\-cluster\-hash\-seed \fIvalue\fP
+\fB\-\-cluster\-hash\-seed\fP \fIvalue\fP
Set seed value of the Jenkins hash.
.PP
Example:
.IP
-iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster \
-\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 \
-\-\-cluster\-hash\-seed 0xdeadbeef \
+iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster
+\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
+\-\-cluster\-hash\-seed 0xdeadbeef
\-j MARK \-\-set-mark 0xffff
.IP
-iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster \
-\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 \
-\-\-cluster\-hash\-seed 0xdeadbeef \
+iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster
+\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
+\-\-cluster\-hash\-seed 0xdeadbeef
\-j MARK -\-set\-mark 0xffff
.IP
-iptables \-A PREROUTING \-t mangle \-i eth1 \
+iptables \-A PREROUTING \-t mangle \-i eth1
\-m mark ! \-\-mark 0xffff \-j DROP
.IP
-iptables \-A PREROUTING \-t mangle \-i eth2 \
+iptables \-A PREROUTING \-t mangle \-i eth2
\-m mark ! \-\-mark 0xffff \-j DROP
.PP
And the following commands to make all nodes see the same packets:
.IP
ip maddr add 01:00:5e:00:01:02 dev eth2
.IP
-arptables \-A OUTPUT \-o eth1 \-\-h\-length 6 \
+arptables \-A OUTPUT \-o eth1 \-\-h\-length 6
\-j mangle \-\-mangle-mac-s 01:00:5e:00:01:01
.IP
-arptables \-A INPUT \-i eth1 \-\-h-length 6 \
-\-\-destination-mac 01:00:5e:00:01:01 \
+arptables \-A INPUT \-i eth1 \-\-h-length 6
+\-\-destination-mac 01:00:5e:00:01:01
\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
.IP
-arptables \-A OUTPUT \-o eth2 \-\-h\-length 6 \
+arptables \-A OUTPUT \-o eth2 \-\-h\-length 6
\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:02
.IP
-arptables \-A INPUT \-i eth2 \-\-h\-length 6 \
-\-\-destination\-mac 01:00:5e:00:01:02 \
+arptables \-A INPUT \-i eth2 \-\-h\-length 6
+\-\-destination\-mac 01:00:5e:00:01:02
\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
.PP
In the case of TCP connections, pickup facility has to be disabled
that address will be removed from the list and the rule will return true. If
the address is not found, false is returned.
.TP
-[\fB!\fR] \fB\-\-seconds \fIseconds\fP
+[\fB!\fR] \fB\-\-seconds\fP \fIseconds\fP
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and was seen within the last given number of seconds.
.TP
-[\fB!\fR] \fB\-\-hitcount \fIhits\fP
+[\fB!\fR] \fB\-\-hitcount\fP \fIhits\fP
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and packets had been received greater than or equal to
projects / thirdparty / iptables.git / commitdiff
