Linux Netfilter discussions
From: Nils Juergens <ju@isf.rwth-aachen.de>
To: netfilter@lists.samba.org
Subject: netfilter firewall w/ failover, Poor man's conntrack failover
Date: Fri, 29 Aug 2003 15:33:57 +0200	[thread overview]
Message-ID: <20030829133357.GA8109@koala7> (raw)


Harald and others,

I've seen Harald's presentation on netfilter failover at this year's
FOSDEM[1].

I know that connection tracking information replication is not yet
implemented, so I am looking into using the "poor man's" approach with
shared ethernet.

I've played around with the kernel a bit so far but have had little success.

It would be nice if someone could provide some insight into how to hack the
kernel so it does connection tracking based on packets from an interface in
promiscuous mode without actually forwarding those.

Right now I have two identical machines set up with identical routes,
interfaces and corresponding IPs. Both machines have IP forwarding turned
on, but the box that is on hot standby has ARP replies turned off
(ifconfig <iface> -arp).

With a standard kernel, packets for other hosts are dropped in
net/ipv4/ip_input.c:

/*
 *      Main IP Receive routine.
 */
int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt)
{
        struct iphdr *iph;

        /* When the interface is in promisc. mode, drop all the crap
         * that it receives, do not try to analyse it.
         */
        if (skb->pkt_type == PACKET_OTHERHOST)
                goto drop;

The second place where these packets could be dropped is
net/ipv4/ip_forward.c:

int ip_forward(struct sk_buff *skb)
{

[...]

        if (skb->pkt_type != PACKET_HOST)
                goto drop;


Right now I have tried two things:

1. just commenting out the "goto drop" so that the packets are handled like
any other (ip_route_local(), ip_forward() etc).

2. instead of dropping the packet, calling

        NF_HOOK(PF_INET, NF_IP_LOCAL_IN, skb, skb->dev, NULL,
                ip_local_deliver_finish);
or
        NF_HOOK(PF_INET, NF_IP_FORWARD, skb, skb->dev, dev2,
                ip_forward_finish);

respectively.

If someone could point me in the right direction I would be very grateful.

thanks,

Nils Juergens


[1] http://www.fosdem.org

-- 
Nils Juergens  | ju@isf.rwth-aachen.de
Having problems sending big files over the net?
Try out Efisto (http://efisto.rnbhq.org).
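The idea behind the question above, as an added user-space model (not code from the mail, nor kernel code): the kernel sets skb->pkt_type from the destination MAC and ip_rcv() drops PACKET_OTHERHOST frames, whereas a hot standby sniffing the shared segment wants to record those flows without forwarding them. Everything here (struct flow, track(), the MACs and the sample frame) is constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define PKT_HOST      0   /* dst MAC is ours (kernel: PACKET_HOST)           */
#define PKT_OTHERHOST 1   /* dst MAC is another host's (PACKET_OTHERHOST)    */
#define MAX_FLOWS     16

struct flow { uint32_t saddr, daddr; uint16_t sport, dport; int from_otherhost; };
static struct flow table[MAX_FLOWS];   /* the standby's "poor man's" state   */
static int nflows;

/* ip_rcv() drops PKT_OTHERHOST frames; the standby must instead track them
 * (and only track: nothing is forwarded, so the active box stays in charge).
 * Parses Ethernet + IPv4 + TCP. Returns the flow's table index, or -1 when the
 * frame is not IPv4/TCP, is truncated, or the table is full. */
static int track(const uint8_t *frame, size_t len, const uint8_t my_mac[6])
{
    if (len < 14 + 20 + 4 || frame[12] != 0x08 || frame[13] != 0x00)
        return -1;                                  /* too short / not IPv4 */
    const uint8_t *ip = frame + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6 || len < 14 + ihl + 4)
        return -1;                                  /* bad header / not TCP */
    const uint8_t *tcp = ip + ihl;
    struct flow f;
    memcpy(&f.saddr, ip + 12, 4);                   /* addresses kept in    */
    memcpy(&f.daddr, ip + 16, 4);                   /* network byte order   */
    f.sport = (uint16_t)((tcp[0] << 8) | tcp[1]);
    f.dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    f.from_otherhost = memcmp(frame, my_mac, 6) ? PKT_OTHERHOST : PKT_HOST;
    for (int i = 0; i < nflows; i++)                /* already tracked?     */
        if (table[i].saddr == f.saddr && table[i].daddr == f.daddr &&
            table[i].sport == f.sport && table[i].dport == f.dport)
            return i;
    if (nflows == MAX_FLOWS)
        return -1;
    table[nflows] = f;
    return nflows++;
}

/* Constructed sample: a TCP SYN 10.0.0.5:49152 -> 192.0.2.10:80 addressed to
 * the active firewall's MAC 02:00:00:00:00:01; we are 02:00:00:00:00:02. */
static const uint8_t STANDBY_MAC[6] = { 2, 0, 0, 0, 0, 2 };
static const uint8_t SYN_FRAME[] = {
    2, 0, 0, 0, 0, 1,  2, 0, 0, 0, 0, 9,  0x08, 0x00,             /* Ethernet */
    0x45, 0, 0, 40,  0, 0, 0x40, 0,  64, 6, 0, 0,                 /* IPv4 ... */
    10, 0, 0, 5,  192, 0, 2, 10,                                  /* src, dst */
    0xc0, 0x00, 0x00, 0x50,  0, 0, 0, 0,  0, 0, 0, 0,             /* ports, seq, ack */
    0x50, 0x02, 0xff, 0xff,  0, 0, 0, 0 };                        /* SYN, win, csum, urg */
```

Feeding the same frame twice returns the same index, which is the dedup a real conntrack table does; a truncated or non-IPv4 frame is rejected before any field is read.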
