path: root/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/welte-abstract.tex
Diffstat (limited to '2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/welte-abstract.tex')
-rw-r--r-- 2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/welte-abstract.tex 10
1 files changed, 10 insertions, 0 deletions
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/welte-abstract.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/welte-abstract.tex
new file mode 100644
index 0000000..e7ddcfc
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/welte-abstract.tex
@@ -0,0 +1,10 @@
+%
+
+With traditional, stateless firewalling (such as ipfwadm, ipchains) there is no need for special HA support in the firewalling subsystem. As long as all packet filtering rules and routing table entries are configured in exactly the same way, one can use any available tool for IP-Address takeover to accomplish the goal of failing over from one node to the other.
+
+With Linux 2.4/2.6 netfilter/iptables, the Linux firewalling code moves beyond traditional packet filtering. Netfilter provides a modular connection tracking susbsystem which can be employed for stateful firewalling. The connection tracking subsystem gathers information about the state of all current network flows (connections). Packet filtering decisions and NAT information is associated with this state information.
+
+In a high availability scenario, this connection tracking state needs to be replicated from the currently active firewall node to all standby slave firewall nodes. Only when all connection tracking state is replicated, the slave node will have all necessarry state information at the time a failover event occurs.
+
+Due to funding by Astaro AG, the netfilter/iptables project now offers a ct\_sync kernel module for replicating connection tracking state accross multiple nodes. The presentation will cover the architectural design and implementation of the connection tracking failover sytem.
+
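Review bot: the added abstract text carries several spelling and grammar errors that should be corrected before it goes into the proceedings: "susbsystem" (in "Netfilter provides a modular connection tracking susbsystem") should be "subsystem", "necessarry" should be "necessary", "accross" should be "across", "sytem" (in "connection tracking failover sytem") should be "system", and "IP-Address takeover" is better written "IP address takeover". Two sentences also need grammatical fixes: "Packet filtering decisions and NAT information is associated with this state information" takes a plural subject, so "are associated"; and "Only when all connection tracking state is replicated, the slave node will have all necessarry state information" reads more naturally as "Only when all connection tracking state is replicated will the slave node have all necessary state information". Finally, the lone "%" comment line at the top of the file followed by a blank line carries no information; either drop it or use it to state the file's purpose (for example, that this is the abstract for the OLS 2004 netfilter failover paper) so the next editor knows what the file is for.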
personal git repositories of Harald Welte. Your mileage may vary