[RFC,ANNOUNCE] conntrack daemon (stateful replication)
jhpark-nf at kernelproject.org
Mon May 29 06:46:07 CEST 2006
good job!
it looks so interesting ~ thanks
Pablo Neira Ayuso wrote:
> I've been working on a pet project during the last months. Part of
> this stuff is related to my work at the university.
> The project is called `conntrackd' that is the conntrack userspace
> - Stateful replication: the daemon keeps a cache of internal events
> via libnetfilter_conntrack and a cache of external events received from
> the other node.
> - Support for classical Primary/Backup settings
> - Support for Active/Active settings (two machines max. per VRRP
> - Support for NAT: It recognizes NAT'ed connections and handles them
> - UDP traffic ignore facility
> - ICMP traffic ignore facility
> - Ignore loopback traffic (not customizable at the moment)
> - Ignore traffic for certain set of machines: Useful to ignore traffic
> for the firewall since we just want to replicate conntracks that
> represent forwarded connections.
> - Dump internal and external caches via UNIX sockets
> - Flush internal, external caches and conntrack table
> - The communication between daemons is done in NETLINK format, so the
> protocol used is based on NETLINK over IP, to ensure backward
> - Configuration via file
> - Log file support
> I'm still generalizing this a bit so it can be also used for
> statistics purposes: since a replica of the conntrack table (cache) is
> kept in userspace, the dumping process would not need to request the
> information to the kernel.
> The software is released under GPLv2 and it is available at:
> The remaining issues are:
> - Support for IPv6.
> - Evaluation: I'll be getting some results to evaluate the
> *performance drop* that enabling replication in a Linux firewall based
> on this solution could entail. Expect results soon.
> - Better integration with keepalived: This is the most important issue
> and my major concern now. I'm happy with keepalived, but the interface
> provided to communicate events (based on shell scripts) is not so much.
> - Checksum messages going through the network.
> - Security: A dedicated link is required to communicate between the nodes
> that form the cluster, otherwise third parties could pick up information
> about the connections processed by the firewall.
> - More testing
> - linux kernel >= 2.6.16 with [ip|nf]_conntrack_netlink support
> - libnfnetlink from SVN
> - libnetfilter_conntrack from SVN plus the patch inside the doc/ directory.
> - keepalived (tested here with 1.1.11 available in debian)
> - make sure that multicast traffic sent by conntrackd is received in
> the dedicated interfaces:
> iptables -I INPUT -d 18.104.22.168 -j ACCEPT
> iptables -I OUTPUT -d 22.214.171.124 -j ACCEPT
> - install libnfnetlink and libnetfilter_conntrack from SVN (and apply
> the patch available in doc/)
> - classical ./configure; make; make install
> - copy doc/conntrackd.conf to /etc/conntrackd/, this directory can be
> overridden with the -C option.
> - copy doc/script_*.sh where keepalived can find them.
> # conntrackd -d
> # conntrackd -i # dump internal events cache
> # conntrackd -e # dump external cache
> # conntrackd -k # kill conntrackd
> # conntrackd -f # flush internal, external caches and conntrack table
> I am going to write some docs at the same time that I improve the daemon.
> BTW, I sent a PDF file to netfilter-core but it exceeded the maximum size a
> bit, could you accept it? I wrote a small article for USENIX's :LOGIN;
> about the connection tracking system that will be released in June. I
> can't release it for public before that date but I sent you a copy in
> private. Although all that it contains is well known by you ;), at
> least have a look at the acknowledgement section.
> Hope that you like it.
Jeho-Park <jhpark-nf at kernelproject.org> or <linuxpark at infnis.com>
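The dedicated-link requirement and the two multicast ACCEPT rules in the quoted announcement belong together: as an added example that is not part of the original post, this script binds those rules to the cluster interface, so replication traffic is only accepted on, and sent out of, that link rather than on every interface. The interface name eth1 and the group 239.255.0.1 are constructed placeholders, assumed to match the link and group configured in conntrackd.conf.

```shell
#!/bin/sh
# Added example (not from the original announcement): build iptables rules that
# accept the conntrackd multicast traffic only on the dedicated cluster link,
# instead of on every interface as a bare "-d <group>" rule would.
# Interface name and group address are constructed placeholders.
MCAST_IFACE=${MCAST_IFACE:-eth1}        # placeholder: the dedicated link
MCAST_GROUP=${MCAST_GROUP:-239.255.0.1} # placeholder: group from conntrackd.conf

# Return 0 if $1 is a well-formed IPv4 address in the multicast range 224.0.0.0/4.
is_multicast() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # only digits and single dots allowed
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -ge 224 ] && [ "$1" -le 239 ]
}

# Print (do not apply) one INPUT and one OUTPUT rule bound to the given
# interface, so replication packets are never accepted from, or sent to,
# an untrusted link.
mcast_rules() {
    iface=$1
    group=$2
    is_multicast "$group" || { echo "not a multicast group: $group" >&2; return 1; }
    printf 'iptables -I INPUT -i %s -d %s -j ACCEPT\n' "$iface" "$group"
    printf 'iptables -I OUTPUT -o %s -d %s -j ACCEPT\n' "$iface" "$group"
}

# Apply the rules (needs root); with DRY_RUN=1 they are only printed.
apply_mcast_rules() {
    [ -d "/sys/class/net/$1" ] || { echo "no such interface: $1" >&2; return 1; }
    mcast_rules "$1" "$2" | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$rule"; else $rule; fi
    done
}
```

Run `DRY_RUN=1 apply_mcast_rules "$MCAST_IFACE" "$MCAST_GROUP"` first to review the rules before inserting them.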