Better late than never... I found the ctnetlink patch approximately 12 hours after writing this, sorry about this.
I'm starting to feel like the little kid who shouts "wolf" just for the fun of seeing the whole village running to help him, and then the third time cries out "wolf" when a real wolf shows up and no one in the village cares about him because he's just joking all the time... Hope this didn't cause too much inconvenience to anyone,

Oskar Andreasson
http://www.boingworld.com
http://people.unix-fu.org/andreasson/
mailto: [EMAIL PROTECTED]

----- Original Message -----
From: "Oskar Andreasson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 26, 2002 1:43 PM
Subject: [suggestion] propagating states

Hi all again,

Another one of those suggestions. I hope it's not redundant like my previous suggestions; if so, ignore this :-).

Would it be possible to make netfilter read/write state changes via some netlink-like sockets, just like the queue target does? Would this mean a huge amount of overhead?

If this could be implemented, or if it already has..., wouldn't it be possible to write a userspace daemon that propagates states between hosts? Doing this, we would be able to maintain much better and redundant firewalls for large networks that would not have to rely on a single machine. We would also be able to scale Linux firewalls in a much better fashion. For example, creating an internal network between only the firewalls that would propagate state changes between each other via (broadcasted?) UDP packets.

I believe even I would be able to implement such a daemon in a couple of weeks/months, if the basic framework is available in the kernel (the word here is "believe" ;-)).

Anyway, as I said in the beginning, if this has already been implemented or is not feasible, ignore this. If not, would anyone be interested in making the basic framework within the kernel and possibly the userland daemon? I'm more than willing to put any time I have left over into the daemon, but I doubt I have enough knowledge of C to get into the kernel side of things.

Hope this is of any use and that someone is willing to implement this.

Oskar Andreasson
http://www.boingworld.com
http://people.unix-fu.org/andreasson/
mailto: [EMAIL PROTECTED]
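As an added illustration of the state-propagation daemon proposed in the message above (this is example code written for this page, not Oskar's code, not ctnetlink and not any netfilter project code), the sketch below shows the part of such a daemon that lives entirely in userspace: serialising a connection-tracking entry change into a datagram on one firewall, and authenticating, deduplicating and applying it on a peer. Reading the entries from the kernel and the UDP transport itself are left out; the message layout (the `CTSY` marker, the JSON body, the HMAC trailer), the per-source sequence numbers and the field names of the entry are all assumptions of this example. The HMAC is there because a peer that installs whatever states arrive on a broadcast UDP port would let anyone on that network inject or delete flows on every firewall, so the sync traffic must at least be authenticated.

```python
"""Prototype of a conntrack state-sync message path (example only, no netlink)."""
import hashlib
import hmac
import json
import struct

MAGIC = b"CTSY"                      # hypothetical message marker, not a real protocol
VERSION = 1
OPS = ("NEW", "UPDATE", "DELETE")
MAC_LEN = 32                         # HMAC-SHA256 digest size
HDR = struct.Struct("!4sBH")         # magic, version, body length
KEY = b"constructed-shared-key"      # example key; real peers need a provisioned secret


def encode_state(key, src_id, seq, op, entry):
    """Serialise one conntrack entry change from firewall `src_id`.

    `entry` is a dict with proto, src, sport, dst, dport, state, timeout.
    Layout: header | JSON body | HMAC over header+body.
    """
    if op not in OPS:
        raise ValueError("unknown op %r" % (op,))
    body = json.dumps({"src_id": src_id, "seq": seq, "op": op, "entry": entry},
                      sort_keys=True, separators=(",", ":")).encode()
    header = HDR.pack(MAGIC, VERSION, len(body))
    mac = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + mac


def decode_state(key, datagram):
    """Parse and authenticate a datagram.

    Returns the message dict, or None for anything malformed, truncated,
    from another protocol version, or with a bad MAC. A None is dropped by
    the receiver and never touches the state table.
    """
    if len(datagram) < HDR.size + MAC_LEN:
        return None
    magic, version, length = HDR.unpack_from(datagram)
    if magic != MAGIC or version != VERSION:
        return None
    if len(datagram) != HDR.size + length + MAC_LEN:
        return None
    signed, mac = datagram[:HDR.size + length], datagram[HDR.size + length:]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        msg = json.loads(signed[HDR.size:])
    except ValueError:
        return None
    if msg.get("op") not in OPS or "entry" not in msg:
        return None
    return msg


def flow_key(entry):
    """Identity of a flow in the replica: the 5-tuple."""
    return (entry["proto"], entry["src"], entry["sport"], entry["dst"], entry["dport"])


class StateTable:
    """Replica of a peer's conntrack table kept by the receiving daemon.

    Per-source sequence numbers make UDP duplicates harmless; an update that
    arrives after a newer one from the same source is dropped, so a real
    daemon would add periodic full resyncs to recover lost datagrams.
    """

    def __init__(self):
        self.flows = {}      # flow_key -> {"state": ..., "timeout": ...}
        self.last_seq = {}   # src_id -> highest sequence number applied

    def apply(self, msg):
        src, seq = msg["src_id"], msg["seq"]
        if seq <= self.last_seq.get(src, 0):
            return False                       # duplicate or stale
        self.last_seq[src] = seq
        key = flow_key(msg["entry"])
        if msg["op"] == "DELETE":
            self.flows.pop(key, None)
        else:                                  # NEW and UPDATE both upsert
            self.flows[key] = {"state": msg["entry"]["state"],
                               "timeout": msg["entry"]["timeout"]}
        return True

    def receive(self, key, datagram):
        """Full receive path: authenticate, then apply. True if state changed."""
        msg = decode_state(key, datagram)
        return msg is not None and self.apply(msg)


if __name__ == "__main__":
    # Constructed sample flow, as a primary firewall would emit it.
    flow = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000,
            "dst": "192.0.2.10", "dport": 443, "state": "ESTABLISHED", "timeout": 432000}
    peer = StateTable()
    print(peer.receive(KEY, encode_state(KEY, "fw1", 1, "NEW", flow)), peer.flows)
```

The `StateTable.receive` call is what a peer would run for every datagram read from its sync socket; anything that fails authentication is dropped before it can alter the replica, and a replayed datagram is a no-op because its sequence number has already been seen.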