Old 12-15-2009, 11:42 PM   #1
stateful packet inspection firewall using netfilter hooks with load balancing


I want to design and implement a stateful packet inspection firewall, where my routines are registered and called. The routines defined by me will maintain session information and apply the NAT and/or ACL defined by the user.

Everybody asks me why I need to have separate routines called when Netfilter rules can do the same task. Can you please let me know how I can make my routines more advanced than the existing implementation of Netfilter rules?

I want to merge the server load balancing decision (based on algorithms like RR, least connection, health checks, etc.) with the kernel firewall implementation in the next phase. Do you foresee any problem with this?

Please answer my 2 questions.

Thanks and Regards

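A user-space model of the session table such a hook would consult, added here as an example and not code from the thread: it tracks TCP sessions by 5-tuple, lets only inside hosts open connections (the "ACL"), and removes entries once both sides have sent FIN. The packet fields, the verdict values and the inside/outside flag are the example's own simplifications, and the real kernel API (nf_register_hook, struct sk_buff) is not used so it compiles outside the kernel.

```c
#include <stdint.h>
#include <stddef.h>

enum verdict { V_DROP = 0, V_ACCEPT = 1 };          /* stand-ins for NF_DROP/NF_ACCEPT */
enum state { S_SYN_SENT, S_ESTABLISHED, S_CLOSING }; /* simplified TCP session states */
#define F_FIN 0x01
#define F_SYN 0x02
#define F_ACK 0x10
#define MAX_SESS 64

/* constructed packet summary: what a hook would pull out of the skb headers */
struct pkt { uint32_t src, dst; uint16_t sport, dport; uint8_t flags; int from_inside; };
/* one session entry, always stored from the inside host's point of view */
struct sess { uint32_t in_ip, out_ip; uint16_t in_port, out_port; enum state st; };

static struct sess table[MAX_SESS];
static int nsess;

void sess_reset(void) { nsess = 0; }
int sess_count(void) { return nsess; }

/* find the session matching this packet in either direction */
static struct sess *lookup(const struct pkt *p) {
    for (int i = 0; i < nsess; i++) {
        struct sess *s = &table[i];
        if (p->from_inside && s->in_ip == p->src && s->in_port == p->sport &&
            s->out_ip == p->dst && s->out_port == p->dport) return s;
        if (!p->from_inside && s->in_ip == p->dst && s->in_port == p->dport &&
            s->out_ip == p->src && s->out_port == p->sport) return s;
    }
    return NULL;
}

/* the decision a PRE_ROUTING hook callback would return for this packet */
enum verdict inspect(const struct pkt *p) {
    struct sess *s = lookup(p);
    if (!s) { /* no session: only a bare SYN from inside may create one */
        if (!p->from_inside || p->flags != F_SYN || nsess == MAX_SESS) return V_DROP;
        table[nsess++] = (struct sess){ p->src, p->dst, p->sport, p->dport, S_SYN_SENT };
        return V_ACCEPT;
    }
    switch (s->st) {
    case S_SYN_SENT: /* wait for the outside SYN/ACK; inside retransmits are fine */
        if (!p->from_inside && (p->flags & (F_SYN | F_ACK)) == (F_SYN | F_ACK)) s->st = S_ESTABLISHED;
        return (p->from_inside || s->st == S_ESTABLISHED) ? V_ACCEPT : V_DROP;
    case S_ESTABLISHED: /* first FIN starts teardown */
        if (p->flags & F_FIN) s->st = S_CLOSING;
        return V_ACCEPT;
    case S_CLOSING: /* second FIN: free the slot so the table cannot fill up */
        if (p->flags & F_FIN) *s = table[--nsess];
        return V_ACCEPT;
    }
    return V_DROP;
}
```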
Old 12-16-2009, 03:03 AM   #2
Sincerely, I see many problems in the implementation of your idea, especially since we are speaking of a critical area of the system, where even in the case that you are able to make something functional, you should also consider system optimization, which in this area is essential (the software operates, practically, in real time).

I think a good start could be:
understand the source code of netfilter;
read many books about the various systems available for doing what you want (generally a lot more complicated), and often there are only concepts and ideas, without a real implementation available;
very good knowledge of the C language;
ask for help in places frequented by kernel developers (for example a mailing list, after having written some piece of code), because it is improbable you could obtain help in a forum on questions so difficult;
a lot of time.

After all that, if you are sufficiently able to realize something, you should see whether the performance (essential in this application) is sufficiently good or not.

Good luck.

I understand your enthusiasm and I appreciate it, independently of how "practical" your idea is.
Old 12-16-2009, 06:58 PM   #3
You could start here: They write the iptables src code and have it all there.