Hi,

I would like to know if it is possible to implement iptables failover using the stateful inspection capabilities of iptables. This is simply a proof of concept.

All stateful inspection information is stored in /proc/net/ip_conntrack. So, if I write every firewall rule with --module STATE --state NEW,ESTABLISHED ..... and so on, every packet will be matched and a connection will be put in that file. If I send this file to another fw, send the alias IP (for natted address & routing) and replace /proc/net/ip_conntrack (if it is writable; if not, is it possible to do?), all sessions will be persistent, won't they?

The problem of ARP and proxy ARP can be bypassed by rewriting the MAC address of the network adapter and using a hub connected to the switch.

Let me know if I'll be hit by a meteor!

Bye.

Gentili Filippo
mail: fgentili@tomware.it
http://www.tomware.it
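The per-connection state that /proc/net/ip_conntrack exposes, and which a standby firewall would need to hold, parsed in an added example that is not part of the original message. It assumes the classic text layout of that file for TCP and UDP entries; the sample lines are constructed and the function names `parse_line` and `parse_table` are hypothetical.

```python
import re

# Constructed sample in the classic /proc/net/ip_conntrack text layout
# (private/documentation addresses, not taken from the post).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=34567 dport=80 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=34567 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2
udp      17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 [UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1
"""

KV = re.compile(r"\b(src|dst|sport|dport)=(\S+)")
FLAG = re.compile(r"\[(\w+)\]")


def parse_line(line):
    """Parse one TCP/UDP conntrack line into its original and reply tuples."""
    head = line.split()
    # TCP lines carry a state name in field 4; UDP lines go straight to src=
    state = head[3] if "=" not in head[3] else None
    orig, reply = {}, {}
    for key, val in KV.findall(line):
        # First occurrence of a key is the original direction, second the reply
        (orig if key not in orig else reply)[key] = val
    # Without NAT the reply tuple is the exact mirror of the original one;
    # a mismatch means the peer firewall also needs the translated address.
    mirror = {"src": orig["dst"], "dst": orig["src"],
              "sport": orig["dport"], "dport": orig["sport"]}
    return {"proto": head[0], "timeout": int(head[2]), "state": state,
            "orig": orig, "reply": reply, "flags": FLAG.findall(line),
            "nat": reply != mirror}


def parse_table(text):
    """Parse every tcp/udp line; other protocols use different tuple keys."""
    return [parse_line(l) for l in text.splitlines()
            if l.split()[:1] in (["tcp"], ["udp"])]


if __name__ == "__main__":
    for e in parse_table(SAMPLE):
        print(e["proto"], e["state"], e["timeout"], e["flags"],
              "NAT" if e["nat"] else "no-NAT", e["orig"], "->", e["reply"])
```

Each entry's remaining timeout, TCP state and both tuples are per-connection values that change as traffic flows, so a one-off copy of the file is only a snapshot of them.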