Linux Netfilter discussions
* netfilter firewall w/ failover, Poor man's conntrack failover
@ 2003-08-29 13:33 Nils Juergens
From: Nils Juergens @ 2003-08-29 13:33 UTC (permalink / raw)
  To: netfilter


Harald and others,

I've seen Harald's presentation on netfilter failover at this year's
FOSDEM[1].

I know that connection tracking information replication is not yet
implemented, so I am looking into using the "poor man's" approach with
shared ethernet.

I've played around with the kernel a bit so far but have had little success.

It would be nice if someone could provide some insight into how to hack the
kernel so it does connection tracking based on packets from an interface in
promiscuous mode without actually forwarding those.

Right now I have two identical machines set up with identical routes,
interfaces and corresponding IPs. Both machines have IP forwarding turned
on, but the box that is on hot standby has ARP replies turned off
(ifconfig <iface> -arp).

With a standard kernel, packets for other hosts are dropped in
net/ipv4/ip_input.c:

/*
 *      Main IP Receive routine.
 */
int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt)
{
        struct iphdr *iph;

        /* When the interface is in promisc. mode, drop all the crap
         * that it receives, do not try to analyse it.
         */
        if (skb->pkt_type == PACKET_OTHERHOST)
                goto drop;

The second place where these packets could be dropped is
net/ipv4/ip_forward.c:

int ip_forward(struct sk_buff *skb)
{

[...]

        if (skb->pkt_type != PACKET_HOST)
                goto drop;

Right now I have tried two things:

1. just commenting out the "goto drop" so that the packets are handled like
any other (ip_route_local(), ip_forward() etc).

2. instead of dropping the packet, calling
NF_HOOK(PF_INET, NF_IP_LOCAL_IN, skb, skb->dev, NULL,
        ip_local_deliver_finish);
or
NF_HOOK(PF_INET, NF_IP_FORWARD, skb, skb->dev, dev2,
        ip_forward_finish);

respectively.

If someone could point me in the right direction I would be very grateful.

thanks,

Nils Juergens


[1] http://www.fosdem.org

-- 
Nils Juergens  | ju@isf.rwth-aachen.de
Having problems sending big files over the net?
Try out Efisto (http://efisto.rnbhq.org).
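The following is an added example and is not code from the post or from the kernel: a small user-space C program that models the "poor man's" failover idea the message describes. It classifies frames the way the link layer does (a destination MAC that is neither ours nor broadcast becomes PACKET_OTHERHOST, which is what a promiscuous standby sees for everything the active box forwards), then feeds them to a passive TCP connection tracker. With track_otherhost == 0 it reproduces the stock ip_rcv() behaviour quoted above, so the standby learns nothing; with track_otherhost == 1 it follows a full three-way handshake to ESTABLISHED from sniffed frames alone, which goes slightly beyond the post by showing what state the standby can actually build. The function names (classify_frame, ct_observe, build_frame, replay_handshake), the MACs, addresses, ports and the frames themselves are all constructed assumptions; checksums are left at zero and are not verified.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not code from the post or the kernel: a user-space passive TCP
 * connection tracker in the spirit of the "poor man's" failover, where the hot
 * standby learns state by sniffing the shared Ethernet segment. Every name, MAC,
 * address and frame below is a constructed assumption. */

enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04, TCP_ACK = 0x10, CT_MAX = 16 };
enum pkt_type { PKT_HOST, PKT_OTHERHOST, PKT_BROADCAST };
enum ct_state { CT_NONE, CT_SYN_SENT, CT_SYN_RECV, CT_ESTABLISHED };
struct tuple    { uint32_t saddr, daddr; uint16_t sport, dport; };
struct ct_entry { struct tuple orig; enum ct_state state; int used; };
struct ct_table { struct ct_entry e[CT_MAX]; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Link-layer classification as eth_type_trans() does it: a destination MAC that is
 * neither ours nor broadcast means PACKET_OTHERHOST (what a promiscuous standby sees). */
enum pkt_type classify_frame(const uint8_t *frame, const uint8_t our_mac[6])
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    return !memcmp(frame, bcast, 6) ? PKT_BROADCAST : !memcmp(frame, our_mac, 6) ? PKT_HOST : PKT_OTHERHOST;
}

/* 1 if t is the entry's original direction, -1 for the reply direction, 0 if unrelated. */
static int direction(const struct tuple *o, const struct tuple *t)
{
    if (o->saddr == t->saddr && o->daddr == t->daddr && o->sport == t->sport && o->dport == t->dport) return 1;
    if (o->saddr == t->daddr && o->daddr == t->saddr && o->sport == t->dport && o->dport == t->sport) return -1;
    return 0;
}

/* Feed one frame; returns the connection's state afterwards (CT_NONE when the frame
 * was ignored or the connection was torn down). With track_otherhost == 0 this mirrors
 * the stock ip_rcv(): OTHERHOST frames are dropped before any tracking happens. */
enum ct_state ct_observe(struct ct_table *ct, const uint8_t *frame, size_t len,
                         enum pkt_type type, int track_otherhost)
{
    if (type == PKT_OTHERHOST && !track_otherhost) return CT_NONE;
    if (len < 54 || rd16(frame + 12) != 0x0800) return CT_NONE;                 /* IPv4 only */
    const uint8_t *ip = frame + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6 || len < 14 + ihl + 20) return CT_NONE; /* TCP only */
    const uint8_t *tcp = ip + ihl;
    struct tuple t = { rd32(ip + 12), rd32(ip + 16), rd16(tcp), rd16(tcp + 2) };
    uint8_t flags = tcp[13];
    struct ct_entry *e = NULL; int dir = 0;
    for (int i = 0; i < CT_MAX && !e; i++)
        if (ct->e[i].used && (dir = direction(&ct->e[i].orig, &t)) != 0) e = &ct->e[i];
    if (!e) {                             /* only a bare SYN creates state; no mid-stream pickup */
        if ((flags & (TCP_SYN | TCP_ACK)) != TCP_SYN) return CT_NONE;
        for (int i = 0; i < CT_MAX && !e; i++) if (!ct->e[i].used) e = &ct->e[i];
        if (!e) return CT_NONE;                                                  /* table full */
        e->used = 1; e->orig = t; e->state = CT_SYN_SENT;
        return e->state;
    }
    if (flags & (TCP_RST | TCP_FIN)) { e->used = 0; return CT_NONE; }            /* simplified teardown */
    if (e->state == CT_SYN_SENT && dir == -1 && (flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK))
        e->state = CT_SYN_RECV;
    else if (e->state == CT_SYN_RECV && dir == 1 && (flags & (TCP_SYN | TCP_ACK)) == TCP_ACK)
        e->state = CT_ESTABLISHED;
    return e->state;
}

/* Minimal 54-byte Ethernet/IPv4/TCP frame; checksums left zero (constructed test data). */
size_t build_frame(uint8_t *buf, const uint8_t dst[6], const uint8_t src[6], uint32_t saddr,
                   uint32_t daddr, uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(buf, 0, 54);
    memcpy(buf, dst, 6); memcpy(buf + 6, src, 6); wr16(buf + 12, 0x0800);
    uint8_t *ip = buf + 14, *tcp = buf + 34;
    ip[0] = 0x45; wr16(ip + 2, 40); ip[8] = 64; ip[9] = 6;
    wr32(ip + 12, saddr); wr32(ip + 16, daddr);
    wr16(tcp, sport); wr16(tcp + 2, dport); tcp[12] = 0x50; tcp[13] = flags;
    return 54;
}

/* Replay a three-way handshake as the standby sees it on the shared segment: the client
 * talks to the active firewall's MAC and vice versa, so every frame is OTHERHOST here. */
enum ct_state replay_handshake(int track_otherhost)
{
    static const uint8_t active_fw[6]  = {0x02, 0, 0, 0, 0, 0x01};   /* assumed MACs */
    static const uint8_t standby[6]    = {0x02, 0, 0, 0, 0, 0x02};
    static const uint8_t client_mac[6] = {0x02, 0, 0, 0, 0, 0x10};
    const uint32_t client = 0x0a000005, server = 0xc0a80105;         /* 10.0.0.5, 192.168.1.5 */
    struct ct_table ct = {0};
    uint8_t f[64]; size_t n; enum ct_state s;
    n = build_frame(f, active_fw, client_mac, client, server, 40000, 80, TCP_SYN);
    s = ct_observe(&ct, f, n, classify_frame(f, standby), track_otherhost);
    n = build_frame(f, client_mac, active_fw, server, client, 80, 40000, TCP_SYN | TCP_ACK);
    s = ct_observe(&ct, f, n, classify_frame(f, standby), track_otherhost);
    n = build_frame(f, active_fw, client_mac, client, server, 40000, 80, TCP_ACK);
    s = ct_observe(&ct, f, n, classify_frame(f, standby), track_otherhost);
    return s;
}
```

replay_handshake(0) returns CT_NONE and replay_handshake(1) returns CT_ESTABLISHED, which is the whole difference between the stock drop in ip_rcv() and a standby that tracks OTHERHOST frames. Two limits of this model are worth keeping in mind when judging the shared-ethernet approach: the standby only ever sees what crosses the segment it is listening on, and because the toy tracker refuses mid-stream pickup, connections that were already established before it started sniffing never enter its table.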

