From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Sun, 25 Oct 2015 21:00:20 +0100 Subject: import of old now defunct presentation slides svn repo --- 2002/netfilter-failover-ols2002/abstract | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 2002/netfilter-failover-ols2002/abstract (limited to '2002/netfilter-failover-ols2002/abstract') diff --git a/2002/netfilter-failover-ols2002/abstract b/2002/netfilter-failover-ols2002/abstract new file mode 100644 index 0000000..9cd4ef3 --- /dev/null +++ b/2002/netfilter-failover-ols2002/abstract 
@@ -0,0 +1,31 @@ +How to replicate the fire - HA for netfilter based firewalls. + + With traditional, stateless firewalling (such as ipfwadm, ipchains) there is +no need for special HA support in the firewalling subsystem. As long as all +packet filtering rules and routing table entries are configured in exactly the +same way, one can use any available tool for IP-Address takeover to accomplish +the goal of failing over from one node to the other. + + With Linux 2.4.x netfilter/iptables, the Linux firewalling code moves beyond +traditional packet filtering. Netfilter provides a modular connection tracking +susbsystem which can be employed for stateful firewalling. The connection +tracking subsystem gathers information about the state of all current network +flows (connections). Packet filtering decisions and NAT information is +associated with this state information. + + In a high availability scenario, this connection tracking state needs to be +replicated from the currently active firewall node to all standby slave +firewall nodes. Only when all connection tracking state is replicated, the +slave node will have all necessarry state information at the time a failover +event occurs. + + The netfilter/iptables does currently not have any functionality for +replicating connection tracking state accross multiple nodes. However, +the author of this presentation, Harald Welte, has started a project for +connection tracking state replication with netfilter/iptables. + + The presentation will cover the architectural design and implementation +of the connection tracking failover sytem. With respect to the date of +the conference, it is to be expected that the project is still a +work-in-progress at that time. + -- cgit v1.2.3
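Review bot: the abstract text carries several spelling errors that should be fixed before it is published: "susbsystem" (subsystem), "necessarry" (necessary), "accross" (across) and "sytem" (system). Two grammar points in the same hunk: "Packet filtering decisions and NAT information is associated" should read "are associated", and "The netfilter/iptables does currently not have" reads better as "netfilter/iptables does not currently have". Since the abstract states that connection tracking state must be replicated from the active node to all standby nodes, it would help a reader if it also said whether the design covers the transport between nodes (what channel carries the state and how the nodes trust each other), since that is where a state replication mechanism for a firewall needs the most scrutiny; the text as written leaves it to the presentation.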