LinuxQuestions.org
Old 03-18-2009, 04:24 PM   #1
Kunsheng
Member
 
Registered: Mar 2009
Posts: 82

Rep: Reputation: 16
Looking for ideas on a firewall project based on a netfilter hook


Hi everyone,

I am thinking of a firewall project that would test the mechanism of netfilter.

Basically I am going to develop a kernel module which is situated on a client machine.

The client wants to access an FTP server (I am thinking of setting up the server on Ubuntu). The IP address of the server is provided (the public IP address).

On the server side, there are actually two machines behind it with different IP addresses, both of which have the same file needed by the client. Only the kernel module knows the internal IP address of each machine on the server side.

Here is what the module is going to do:

Receive the request from the client, then decide which machine on the server side is to be used by their loads (number of client connections; the one with the smaller load would win). The module is to improve performance when there are many client connections.


I have some ideas on it:

1. Create netfilter hooks for IP_PRE_ROUTE and IP_POST_ROUTE;

2. Create a kernel thread to handle requests coming from both the client and the server side. The thread does NAT.


I am not sure whether I am in the right direction or not.


Any ideas are well appreciated,

+Kunsheng
 
Old 03-18-2009, 05:13 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,575

Rep: Reputation: 181
It may be done at the kernel module level, but you'd need to get the statistics of the server somehow and process them. That should rather be done as a daemon (easier to debug, fewer problems if it crashes, etc.). If you want to use iptables here, I'd put most of the functionality in a daemon and only direct the kernel module using two commands: 'from now redirect all new connections to 1', 'from now redirect all new connections to 2'.
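The mechanism the two posts above describe (a PRE_ROUTING hook that DNATs each new client connection to the less-loaded backend, a POST_ROUTING hook that puts the public address back on the replies, and a single "send new connections to N" command that a userspace daemon could issue), written out as an added example in userspace C. It is not code from the thread or from either poster, and it is not a kernel module: it operates on raw IPv4+TCP header bytes so it compiles and runs anywhere, which also makes the checksum handling checkable. A real module would register the two hook functions with nf_register_net_hook() at NF_INET_PRE_ROUTING and NF_INET_POST_ROUTING and receive an sk_buff. Every name in it (lb_init, lb_set_policy, hook_pre_routing, hook_post_routing, csum_replace4, build_tcp) and every address is invented for the example.

```c
/* Userspace model of the NAT + load-balancing logic the proposed PRE_ROUTING/POST_ROUTING
 * netfilter hooks would run.  Added example, not from the thread and not kernel code: it
 * works on raw IPv4+TCP header bytes; a real module registers the two hook functions with
 * nf_register_net_hook() and receives an sk_buff.  All names are invented here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { NF_DROP = 0, NF_ACCEPT = 1 };                       /* values as in linux/netfilter.h */
enum { NBACKENDS = 2, MAX_CONN = 64, TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04 };
struct conn { int used; uint8_t client[4]; uint8_t sport[2]; int backend; };
static uint8_t vip[4], backend_ip[NBACKENDS][4];          /* public address, internal addresses */
static struct conn table[MAX_CONN];                        /* one entry per mapped client flow */
static int active[NBACKENDS];                              /* load = open connections per backend */
static int pinned = -1;    /* -1: least connections; 0/1: "redirect all new connections to N" */

void lb_init(const uint8_t *v, const uint8_t *b0, const uint8_t *b1) {
    memcpy(vip, v, 4); memcpy(backend_ip[0], b0, 4); memcpy(backend_ip[1], b1, 4);
    memset(table, 0, sizeof table); memset(active, 0, sizeof active); pinned = -1;
}
/* The one control a userspace daemon needs: Mara's "redirect all new connections to N". */
void lb_set_policy(int backend) { pinned = (backend >= 0 && backend < NBACKENDS) ? backend : -1; }
int lb_active(int backend) { return active[backend]; }
/* RFC 1071 checksum over the 20-byte IPv4 header; returns 0 when the stored check is valid. */
uint16_t ip_checksum(const uint8_t *h) {
    uint32_t acc = 0;
    for (int i = 0; i < 20; i += 2) acc += (uint32_t)(h[i] << 8 | h[i + 1]);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}
/* RFC 1624 incremental update HC' = ~(~HC + ~m + m') for one 32-bit word, on big-endian bytes,
 * so it serves the IP header check and the TCP check alike (the TCP pseudo-header covers the
 * addresses NAT rewrites; a NAT that forgets this emits packets the receiver discards). */
void csum_replace4(uint8_t *check, const uint8_t *from, const uint8_t *to) {
    uint32_t acc = (uint16_t)~(check[0] << 8 | check[1]);
    acc += (uint16_t)~(from[0] << 8 | from[1]);
    acc += (uint16_t)~(from[2] << 8 | from[3]);
    acc += (uint32_t)(to[0] << 8 | to[1]) + (uint32_t)(to[2] << 8 | to[3]);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    check[0] = (uint8_t)(~acc >> 8); check[1] = (uint8_t)~acc;
}
static struct conn *conn_find(const uint8_t *client, const uint8_t *sport) {
    for (int i = 0; i < MAX_CONN; i++)
        if (table[i].used && !memcmp(table[i].client, client, 4) && !memcmp(table[i].sport, sport, 2))
            return &table[i];
    return NULL;
}
/* Smaller load wins, ties go to backend 0, unless the daemon pinned one. */
static int pick_backend(void) { return pinned >= 0 ? pinned : (active[1] < active[0] ? 1 : 0); }
/* PRE_ROUTING: client -> VIP packets are DNATed to a backend (20-byte IPv4 header + TCP). */
int hook_pre_routing(uint8_t *pkt, size_t len) {
    if (len < 40 || pkt[0] != 0x45 || pkt[9] != 6 || memcmp(pkt + 16, vip, 4)) return NF_ACCEPT;
    uint8_t *saddr = pkt + 12, *daddr = pkt + 16, *sport = pkt + 20, flags = pkt[33];
    struct conn *c = conn_find(saddr, sport);
    if (!c) {
        if (!(flags & TCP_SYN)) return NF_DROP;     /* mid-stream packet we never mapped */
        for (int i = 0; i < MAX_CONN && !c; i++) if (!table[i].used) c = &table[i];
        if (!c) return NF_DROP;                     /* table full: fail closed */
        c->used = 1; memcpy(c->client, saddr, 4); memcpy(c->sport, sport, 2);
        c->backend = pick_backend(); active[c->backend]++;
    }
    const uint8_t *to = backend_ip[c->backend];
    csum_replace4(pkt + 10, daddr, to);             /* IP header checksum */
    csum_replace4(pkt + 36, daddr, to);             /* TCP checksum */
    memcpy(daddr, to, 4);
    /* Simplification: release on client FIN/RST; a real module tracks both directions. */
    if (flags & (TCP_FIN | TCP_RST)) { active[c->backend]--; c->used = 0; }
    return NF_ACCEPT;
}
/* POST_ROUTING: backend -> client replies get the VIP back as source address. */
int hook_post_routing(uint8_t *pkt, size_t len) {
    if (len < 40 || pkt[0] != 0x45 || pkt[9] != 6) return NF_ACCEPT;
    uint8_t *saddr = pkt + 12, *daddr = pkt + 16, *dport = pkt + 22;
    struct conn *c = conn_find(daddr, dport);
    if (!c || memcmp(saddr, backend_ip[c->backend], 4)) return NF_ACCEPT; /* not a mapped reply */
    csum_replace4(pkt + 10, saddr, vip);
    csum_replace4(pkt + 36, saddr, vip);
    memcpy(saddr, vip, 4);
    return NF_ACCEPT;
}

/* Constructed sample packet: IPv4+TCP headers, no payload, valid IP checksum, placeholder TCP check. */
void build_tcp(uint8_t *pkt, const uint8_t *src, const uint8_t *dst, uint16_t sport, uint16_t dport, uint8_t flags) {
    memset(pkt, 0, 40);
    pkt[0] = 0x45; pkt[3] = 40; pkt[8] = 64; pkt[9] = 6;
    memcpy(pkt + 12, src, 4); memcpy(pkt + 16, dst, 4);
    pkt[20] = sport >> 8; pkt[21] = sport & 0xff; pkt[22] = dport >> 8; pkt[23] = dport & 0xff;
    pkt[32] = 0x50; pkt[33] = flags; pkt[36] = 0x12; pkt[37] = 0x34;
    uint16_t c = ip_checksum(pkt); pkt[10] = c >> 8; pkt[11] = c & 0xff;
}
int main(void) {   /* constructed addresses: VIP, two backends, one client */
    const uint8_t v[4] = {203, 0, 113, 10}, b0[4] = {10, 0, 0, 1}, b1[4] = {10, 0, 0, 2}, cl[4] = {198, 51, 100, 7};
    uint8_t pkt[40]; lb_init(v, b0, b1);
    for (uint16_t p = 40000; p < 40003; p++) {
        build_tcp(pkt, cl, v, p, 21, TCP_SYN); hook_pre_routing(pkt, sizeof pkt);
        printf("SYN from port %u -> %u.%u.%u.%u (ip check %s, load %d/%d)\n", p, pkt[16], pkt[17],
               pkt[18], pkt[19], ip_checksum(pkt) ? "BAD" : "ok", lb_active(0), lb_active(1));
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall lb_model.c && ./a.out`; the three SYNs land on backend 0, 1, 0 and each rewritten header still checksums clean. Two things the model deliberately does that a hook should also do: it drops a non-SYN packet it has no mapping for instead of forwarding it somewhere arbitrary, and it fails closed when the connection table is full. Two things it leaves out that a real module for this project cannot: FTP opens a second (data) connection whose endpoint is negotiated inside the control channel, so the NAT needs a protocol helper (the kernel's nf_conntrack_ftp/nf_nat_ftp do this for iptables DNAT), and TCP state has to be tracked in both directions to release the mapping. For comparison measurements, the kernel's IPVS (ip_vs) already implements exactly this kind of NAT-mode load balancing with a least-connection scheduler.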
 
Old 03-18-2009, 05:59 PM   #3
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,397
Blog Entries: 2

Rep: Reputation: 908
This sounds like a very interesting project from an academic point of view. In practice, you will have a hard time evaluating its effect, since most modern PCs can easily saturate an (Ethernet) network before they start to break a sweat.
--- rod.
 