How to replicate the fire - HA for netfilter based firewalls.
With traditional, stateless firewalling (such as ipfwadm or ipchains) there is
no need for special HA support in the firewalling subsystem: every filtering
decision is made per packet, from the packet's own headers and the rule set
alone. As long as all packet filtering rules and routing table entries are
configured in exactly the same way on every node, any available tool for
IP address takeover suffices to fail over from one node to the other.
With Linux 2.4.x netfilter/iptables, the Linux firewalling code moves beyond
traditional packet filtering. Netfilter provides a modular connection tracking
subsystem which can be employed for stateful firewalling. The connection
tracking subsystem gathers information about the state of all current network
flows (connections), so that a rule can, for example, accept only packets
belonging to an already established flow. Packet filtering decisions and NAT
mappings are associated with this state information.
In a high availability scenario, this connection tracking state needs to be
replicated from the currently active firewall node to all standby (slave)
firewall nodes. A standby node whose rule set matches the active node's but
whose connection tracking table is empty treats every in-flight connection as
unknown: a packet in the middle of a flow does not match any established
state and is dropped, and NAT mappings for those flows are lost. Only when all
connection tracking state is replicated will the standby node have all the
necessary state information at the time a failover event occurs.
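The failure mode described above, as an added illustration written for this page: it is not netfilter code and not part of the author's project. It models a stateful filter with a connection tracking table, runs a TCP exchange through the active node, then fails over to a standby node with and without a copy of the table. The packet representation, the simplified NEW/ESTABLISHED handling, the JSON export format and all addresses are assumptions constructed for the example.

```python
"""Toy model of a stateful packet filter with a connection-tracking table.

Added illustration, not netfilter/iptables code: the packet representation,
the NEW/ESTABLISHED handling and the JSON export format are simplified
assumptions made for this example.
"""
import json
from dataclasses import dataclass, field

NEW = "NEW"
ESTABLISHED = "ESTABLISHED"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as a string, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


@dataclass
class Firewall:
    """One firewall node: a stateless ACL of allowed services plus a conntrack
    table keyed by the original-direction 4-tuple (src, sport, dst, dport)."""
    name: str
    allowed_services: set  # {(ip, port), ...} that may receive NEW connections
    conntrack: dict = field(default_factory=dict)  # 4-tuple -> state string

    @staticmethod
    def _orig(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply(p):
        return (p.dst, p.dport, p.src, p.sport)

    def lookup(self, p):
        """Return the tracked state of the flow this packet belongs to, or NEW."""
        if self._orig(p) in self.conntrack or self._reply(p) in self.conntrack:
            return ESTABLISHED
        return NEW

    def filter(self, p):
        """Apply the policy and return 'ACCEPT' or 'DROP'.

        Policy (the usual stateful idiom): packets of a tracked flow are
        accepted in both directions; a NEW flow is accepted only if it is a SYN
        to an allowed service, which also creates the conntrack entry; anything
        else is dropped. Real conntrack walks SYN/SYN-ACK/ACK before marking a
        flow ESTABLISHED; this model promotes it on the first accepted SYN.
        """
        if self.lookup(p) == ESTABLISHED:
            return "ACCEPT"
        if p.flags == "S" and (p.dst, p.dport) in self.allowed_services:
            self.conntrack[self._orig(p)] = ESTABLISHED
            return "ACCEPT"
        return "DROP"

    def export_state(self):
        """Serialise the conntrack table for transfer to a standby node."""
        return json.dumps([[*k, v] for k, v in self.conntrack.items()])

    def import_state(self, blob):
        """Load a table exported by the active node. The transport (assumed to
        be a dedicated, trusted sync link) is out of scope for this model."""
        for src, sport, dst, dport, state in json.loads(blob):
            self.conntrack[(src, sport, dst, dport)] = state


def failover(replicate):
    """Run one client/server exchange through the active node, fail over to the
    standby mid-connection, and return the standby's verdict on the next
    packet of that flow. Addresses are constructed sample data."""
    policy = {("10.0.0.5", 80)}
    active = Firewall("fw1", policy)
    standby = Firewall("fw2", policy)

    syn = Packet("192.0.2.10", 40000, "10.0.0.5", 80, "S")
    synack = Packet("10.0.0.5", 80, "192.0.2.10", 40000, "SA")
    data = Packet("192.0.2.10", 40000, "10.0.0.5", 80, "A")

    assert active.filter(syn) == "ACCEPT"     # NEW SYN to an allowed service
    assert active.filter(synack) == "ACCEPT"  # reply direction, matched by state

    if replicate:
        standby.import_state(active.export_state())

    # fw1 fails; IP takeover delivers the next packet of the same flow to fw2.
    # Without the entry, fw2 sees a non-SYN packet of an unknown flow and drops it.
    return standby.filter(data)


if __name__ == "__main__":
    print("no replication  :", failover(False))
    print("with replication:", failover(True))
```

Both nodes carry an identical rule set, so with stateless filtering the two runs would be indistinguishable; the verdict differs only because the second node has no record of the flow. A real replication design also has to decide how to ship updates continuously (not just a one-off export) and how to protect the sync channel, since whoever can inject entries into the standby's table can open holes in its policy.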
netfilter/iptables currently has no functionality for replicating connection
tracking state across multiple nodes. However, the author of this presentation,
Harald Welte, has started a project for connection tracking state replication
with netfilter/iptables.
The presentation will cover the architectural design and implementation
of the connection tracking failover system. Given the date of the conference,
the project is expected to still be a work in progress at that time.