How to replicate the fire: HA for netfilter based firewalls

With traditional, stateless firewalling (ipfwadm, ipchains), the firewalling subsystem needs no special HA support. As long as all packet filtering rules and routing table entries are configured identically on every node, any available tool for IP address takeover can be used to fail over from one node to the other.

With Linux 2.4.x netfilter/iptables, the Linux firewalling code moves beyond traditional packet filtering. Netfilter provides a modular connection tracking subsystem which can be employed for stateful firewalling. The connection tracking subsystem gathers information about the state of all current network flows (connections); packet filtering decisions and NAT information are associated with this state information.

In a high availability scenario, this connection tracking state needs to be replicated from the currently active firewall node to all standby firewall nodes. Only when all connection tracking state is replicated will a standby node have the state information it needs at the time a failover event occurs. Without it, packets belonging to connections opened before the failover match no tracked flow on the standby, so a typical stateful ruleset (accept ESTABLISHED, drop the rest) drops them and every existing connection breaks.
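To make the difference between the two preceding paragraphs concrete (a stateless ruleset fails over with nothing but address takeover, while a stateful node is useless without the connection tracking table), here is a small Python model added for this page. It is not code from the talk or from netfilter: the StatelessFirewall, StatefulFirewall, Packet and failover names, the one-flag TCP tracking and the 10.0.0.0/24 and 203.0.113.0/24 addresses are constructed for the illustration, and the stand-in conntrack table keeps only a direction-independent flow key instead of netfilter's full per-protocol state.

```python
"""Toy model of stateful filtering with and without conntrack replication.

Added example: a simplified stand-in for netfilter's connection tracking,
not the kernel's data structures. All addresses are constructed test values.
"""
from dataclasses import dataclass
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")  # hypothetical protected LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a TCP connection


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE_NET


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent key so a reply matches the original's entry."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


class StatelessFirewall:
    """ipchains-style: the verdict depends on the packet header only."""

    def filter(self, pkt: Packet) -> str:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            return "ACCEPT"  # anything outbound
        if is_inside(pkt.dst) and pkt.sport == 80:
            return "ACCEPT"  # anything that merely looks like an HTTP reply
        return "DROP"


class StatefulFirewall:
    """Policy: inside hosts may open connections; replies are accepted
    only for flows this node saw being opened (ESTABLISHED)."""

    def __init__(self) -> None:
        self.conntrack: dict = {}  # flow_key -> state (the table to replicate)

    def filter(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        if key in self.conntrack:
            return "ACCEPT"  # like -m state --state ESTABLISHED
        if pkt.syn and is_inside(pkt.src) and not is_inside(pkt.dst):
            self.conntrack[key] = "ESTABLISHED"  # NEW from inside: create entry
            return "ACCEPT"
        return "DROP"  # default policy

    def export_state(self) -> dict:
        return dict(self.conntrack)

    def import_state(self, state: dict) -> None:
        self.conntrack.update(state)


def failover(firewall_cls, replicate: bool) -> str:
    """Open a connection through the active node, fail over to the standby,
    and return the standby's verdict on the server's reply."""
    active, standby = firewall_cls(), firewall_cls()
    syn = Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True)
    if active.filter(syn) != "ACCEPT":
        raise RuntimeError("outbound connection should have been accepted")
    if replicate and hasattr(active, "export_state"):
        standby.import_state(active.export_state())  # the replication step
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 40000)
    return standby.filter(reply)


def unsolicited(firewall_cls) -> str:
    """Verdict on an inbound packet with source port 80 that no inside host
    asked for; this is what the extra state buys over a stateless ruleset."""
    return firewall_cls().filter(Packet("198.51.100.7", 80, "10.0.0.5", 40001))


if __name__ == "__main__":
    print("stateless, no replication:", failover(StatelessFirewall, False))
    print("stateful,  no replication:", failover(StatefulFirewall, False))
    print("stateful,  replicated:    ", failover(StatefulFirewall, True))
    print("unsolicited, stateless:   ", unsolicited(StatelessFirewall))
    print("unsolicited, stateful:    ", unsolicited(StatefulFirewall))
```

Running it shows the trade-off in one screen: the stateless node accepts the server's reply after takeover with no replication at all, the stateful node drops that same reply unless its table was copied first, and only the stateful node refuses an unsolicited packet that merely carries source port 80. The second property is why the state is worth having, and the first is why it has to be replicated.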

netfilter/iptables currently has no functionality for replicating connection tracking state across multiple nodes. However, the author of this presentation, Harald Welte, has started a project for connection tracking state replication with netfilter/iptables.

The presentation will cover the architectural design and implementation of the connection tracking failover system. Given the date of the conference, the project is expected to still be a work in progress at that time.

...
