Hi,

My graduation project was "Redundant OpenBSD pf". I was working on the kernel
side and in the userland but I was really reluctant to develop.

On Friday (was it Saturday morning in Turkey?) I saw Daniel's message about pfsync.
It really shocked me. Somebody (mickey) nearly did my project before me?
I realised that it was time to study hard.

In a day, I hacked up some code and created 'pfsyncd',
a userland program to exchange state changes read from pfsync0 over
a multicast network.
This will let us create multi-participant redundant firewalls.

The code is in very very alpha stage. Many things need to be added.
But anyway it gives an idea...
o Basically it reads state changes from pfsync0 and sends them to a multicast group.
o The same code works on all nodes.
o It forks once to create a "listening" copy, and the first one works as
  the "sending" copy.
o The listening copy gets the requests and adds the state to the local machine via
  ioctls.

Although I tried hard, I had to make a patch at the kernel level. A very trivial
one. Mickey just put "pfsync_insert_state" into "pf_insert_state". This
causes a loop when we try to add an incoming state announcement with an ioctl.
I used the "pad" area in the 'struct pf_state' structure and embedded a
magic number into each state coming via the multicast network. This trivial patch
makes the kernel check this magic number and decide whether to run
"pfsync_insert_state" or not.

The very first version is in the URL below.
http://www.mindcast.org/bdd/pfsyncd/pfsyncd-pack.tar.gz

Please do not hesitate to comment, send your patches, etc. I obviously need
help.

Regards,
Berk Demir
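
An added illustration of the loop-prevention idea described in the mail above: a state that arrived over the sync network is tagged with a magic number in its pad bytes, and the insert path announces only untagged (locally created) states, so peers never echo a received state back onto the multicast group. This is not Berk Demir's pfsyncd code or the kernel patch; the struct, its field names, the function names and the magic value are constructed stand-ins, and OpenBSD's real 'struct pf_state' layout is not reproduced. Note that the tag only records where a state came from; it does not tell a receiver who sent it, so it is not a substitute for authenticating the sync traffic.

```c
#include <stdint.h>
#include <string.h>

/* Constructed tag written into the pad bytes of states that arrived over
 * the sync network. It marks origin only; any sender can write it. */
#define SYNC_MAGIC 0x5053594EUL

/* Hypothetical stand-in for the state record. Only the pad bytes matter
 * here; the real OpenBSD struct pf_state is not reproduced. */
struct toy_state {
    uint32_t src, dst;
    uint16_t sport, dport;
    uint8_t  proto;
    uint8_t  pad[4];
};

/* Store the magic byte by byte so the tag is independent of host endianness. */
void mark_from_network(struct toy_state *s)
{
    s->pad[0] = (uint8_t)(SYNC_MAGIC >> 24);
    s->pad[1] = (uint8_t)(SYNC_MAGIC >> 16);
    s->pad[2] = (uint8_t)(SYNC_MAGIC >> 8);
    s->pad[3] = (uint8_t)(SYNC_MAGIC);
}

/* The check the mail puts in the kernel: does this state carry the magic? */
int came_from_network(const struct toy_state *s)
{
    uint32_t v = ((uint32_t)s->pad[0] << 24) | ((uint32_t)s->pad[1] << 16)
               | ((uint32_t)s->pad[2] << 8)  |  (uint32_t)s->pad[3];
    return v == SYNC_MAGIC;
}

/* Announce only locally created states. Re-announcing a received one would
 * make every node re-inject it, which is the loop the patch avoids. */
int should_announce(const struct toy_state *s)
{
    return !came_from_network(s);
}

/* One node's insert path. A state arriving via the sync channel is tagged
 * before insertion; a locally created one is left untouched. Returns 1 if
 * the insertion must be followed by an announcement to the group. */
int insert_state(struct toy_state *s, int via_sync)
{
    if (via_sync)
        mark_from_network(s);
    /* ... insertion into the local state table would happen here ... */
    return should_announce(s);
}

/* Simulate one state born on node A and delivered to B and C over the
 * multicast group. Returns the total number of announcements generated;
 * with the tag in place this is exactly one (A's), not three. */
int simulate_three_nodes(void)
{
    /* Constructed sample state: 10.0.0.1:1234 -> 10.0.0.2:80, TCP */
    struct toy_state local = { 0x0a000001UL, 0x0a000002UL, 1234, 80, 6, {0, 0, 0, 0} };
    struct toy_state wire, on_b, on_c;
    int announcements = 0;

    /* Node A: pf created the state locally; the sending copy announces it. */
    announcements += insert_state(&local, 0);
    wire = local;                 /* datagram put on the multicast group */

    /* Nodes B and C: their listening copies receive the same datagram and
     * insert it via ioctl; the tag suppresses a second announcement. */
    on_b = wire;
    announcements += insert_state(&on_b, 1);
    on_c = wire;
    announcements += insert_state(&on_c, 1);

    return announcements;
}

/* Sanity check of the tag itself: an all-zero pad is treated as local, a
 * tagged pad as received. Returns 1 on success, 0 on failure. */
int tagging_roundtrip_ok(void)
{
    struct toy_state s;
    memset(&s, 0, sizeof s);
    if (came_from_network(&s) || !should_announce(&s))
        return 0;
    mark_from_network(&s);
    return came_from_network(&s) && !should_announce(&s);
}
```

The trade-off to keep in mind: the pad bytes are overloaded to carry the tag, so a legitimately created state whose pad already held those four bytes would be mistaken for a received one and never announced. With the kernel zeroing the pad on local creation that cannot happen, but it is worth a check when reviewing the real patch.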
