Hi all again,

Another one of those suggestions. I hope it's not as redundant as my previous suggestions; if so, ignore this :-).

Would it be possible to make netfilter read/write state changes via some netlink-like sockets, just like the queue target does? Would this mean a huge amount of overhead? If this could be implemented, or if it already has..., wouldn't it be possible to write a userspace daemon that propagates states between hosts? Doing this, we would be able to maintain much better and redundant firewalls for large networks that would not have to rely on a single machine. We would also be able to scale Linux firewalls in a much better fashion. For example, creating an internal network between only the firewalls that would propagate state changes between each other via (broadcasted?) UDP packets.

I believe even I would be able to implement such a daemon in a couple of weeks/months, if there is the basic framework available in the kernel (the word here is, believe ;-)).

Anyways, as I said in the beginning, if this has already been implemented or is not feasible, ignore this. If not, would anyone be interested in making the basic framework within the kernel and possibly the userland daemon? I'm more than willing to put any time I have left over into the daemon, but I doubt I have enough knowledge of C to get into the kernel side of things.

Hope this is of any use and that anyone is willing to implement this.

Oskar Andreasson
http://www.boingworld.com
http://people.unix-fu.org/andreasson/
mailto: [EMAIL PROTECTED]
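An added example, not part of Oskar's message or of any netfilter code, sketching what the proposed state-propagation daemon's wire format and receiving side could look like in Python. Each state-change datagram carries a sender id, a per-sender monotonically increasing sequence number and an HMAC computed with a key shared among the firewalls, so a peer applies only fresh, authenticated updates and drops replayed or forged entries; without that check, anyone able to reach the sync network could inject an ESTABLISHED entry and open a hole through every firewall in the cluster. The field layout, the state codes, the `SyncReceiver` class and the sample flows are all assumptions constructed for illustration, and the datagrams are built and consumed in-process rather than sent over a socket.

```python
"""Toy connection-state sync message between peer firewalls (added example).

Wire layout (network byte order), an assumption for this example:
  magic(4) sender_id(2) seq(4) proto(1) saddr(4) sport(2) daddr(4) dport(2) state(1)
followed by a 32-byte HMAC-SHA256 over everything before it.
"""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

MAGIC = b"CTS1"                      # hypothetical protocol tag
HDR = struct.Struct("!4sHIB4sH4sHB")  # 24 bytes, no padding
MAC_LEN = hashlib.sha256().digest_size
STATE_NEW, STATE_ESTABLISHED, STATE_CLOSED = 0, 1, 2   # hypothetical state codes


@dataclass(frozen=True)
class Flow:
    """Connection tuple as the receiving firewall would key its state table."""
    proto: int
    saddr: str
    sport: int
    daddr: str
    dport: int


def encode(key: bytes, sender_id: int, seq: int, flow: Flow, state: int) -> bytes:
    """Build one authenticated state-change datagram as the sending firewall would."""
    body = HDR.pack(MAGIC, sender_id, seq, flow.proto,
                    socket.inet_aton(flow.saddr), flow.sport,
                    socket.inet_aton(flow.daddr), flow.dport, state)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SyncReceiver:
    """Receiving side: verify, de-duplicate and apply state changes from peers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}   # sender_id -> highest sequence number accepted
        self.table = {}      # Flow -> state code (stands in for the local conntrack table)
        self.rejected = 0    # datagrams dropped for any reason

    def handle(self, datagram: bytes):
        """Apply one datagram; return the Flow it touched, or None if dropped."""
        if len(datagram) != HDR.size + MAC_LEN:
            self.rejected += 1
            return None
        body, mac = datagram[:HDR.size], datagram[HDR.size:]
        # Constant-time MAC check before trusting a single header field.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            self.rejected += 1
            return None
        magic, sender, seq, proto, sa, sp, da, dp, state = HDR.unpack(body)
        if magic != MAGIC or state not in (STATE_NEW, STATE_ESTABLISHED, STATE_CLOSED):
            self.rejected += 1
            return None
        # Replay / stale-update check: strictly increasing per sender.
        # (Sequence wrap-around is ignored in this toy; a real daemon must handle it.)
        if seq <= self.last_seq.get(sender, -1):
            self.rejected += 1
            return None
        self.last_seq[sender] = seq
        flow = Flow(proto, socket.inet_ntoa(sa), sp, socket.inet_ntoa(da), dp)
        if state == STATE_CLOSED:
            self.table.pop(flow, None)
        else:
            self.table[flow] = state
        return flow


def demo() -> SyncReceiver:
    """Feed a receiver a realistic mix of updates; returns it for inspection."""
    key = b"constructed-shared-secret"   # in practice provisioned out of band
    fw_a = 1                             # sender id of a peer firewall (assumed)
    rx = SyncReceiver(key)
    web = Flow(6, "10.0.0.5", 40000, "192.0.2.10", 443)       # constructed sample flow
    forged = Flow(6, "203.0.113.7", 1234, "10.0.0.9", 22)      # attacker-chosen tuple
    new = encode(key, fw_a, 1, web, STATE_NEW)
    est = encode(key, fw_a, 2, web, STATE_ESTABLISHED)
    fake = encode(b"wrong-key", fw_a, 3, forged, STATE_ESTABLISHED)
    for d in (new, est, new, fake):      # third item replays the first datagram
        rx.handle(d)
    return rx


if __name__ == "__main__":
    r = demo()
    print(r.table, "rejected:", r.rejected)
```

The receiver accepts the NEW and ESTABLISHED updates for the web flow, drops the replayed NEW datagram because its sequence number is not above the last one seen from that sender, and drops the forged entry because its MAC was computed with the wrong key, so the SSH tuple never enters the table.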