Diffstat (limited to '2002/netfilter-failover-ols2002/abstract')
-rw-r--r-- | 2002/netfilter-failover-ols2002/abstract | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/2002/netfilter-failover-ols2002/abstract b/2002/netfilter-failover-ols2002/abstract new file mode 100644 index 0000000..9cd4ef3 --- /dev/null +++ b/2002/netfilter-failover-ols2002/abstract @@ -0,0 +1,31 @@ +How to replicate the fire - HA for netfilter based firewalls. + + With traditional, stateless firewalling (such as ipfwadm, ipchains) there is +no need for special HA support in the firewalling subsystem. As long as all +packet filtering rules and routing table entries are configured in exactly the +same way, one can use any available tool for IP-Address takeover to accomplish +the goal of failing over from one node to the other. + + With Linux 2.4.x netfilter/iptables, the Linux firewalling code moves beyond +traditional packet filtering. Netfilter provides a modular connection tracking +susbsystem which can be employed for stateful firewalling. The connection +tracking subsystem gathers information about the state of all current network +flows (connections). Packet filtering decisions and NAT information is +associated with this state information. + + In a high availability scenario, this connection tracking state needs to be +replicated from the currently active firewall node to all standby slave +firewall nodes. Only when all connection tracking state is replicated, the +slave node will have all necessarry state information at the time a failover +event occurs. + + The netfilter/iptables does currently not have any functionality for +replicating connection tracking state accross multiple nodes. However, +the author of this presentation, Harald Welte, has started a project for +connection tracking state replication with netfilter/iptables. + + The presentation will cover the architectural design and implementation +of the connection tracking failover sytem. With respect to the date of +the conference, it is to be expected that the project is still a +work-in-progress at that time. + |
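Review bot: the abstract text in this hunk has several spelling errors that should be fixed before it is submitted: "susbsystem" (subsystem) in the second paragraph, "necessarry" (necessary) in the third, "accross" (across) in the fourth, and "sytem" (system) in the last. Two sentences also read awkwardly: "Packet filtering decisions and NAT information is associated with this state information" needs a plural verb ("are associated"), and "The netfilter/iptables does currently not have any functionality" should be "netfilter/iptables does not currently have any functionality". On substance, the third paragraph says the slave "will have all necessary state information" once replication is complete, but the abstract does not say what happens to flows created between the last replication and the failover event; one sentence on that consistency window (whether those connections are lost, or whether the slave can accept mid-stream packets for them) would make the HA claim clearer to reviewers.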