Josh Tolley wrote:
> I .. would love to know of a way to get iptables state to
> transfer from one machine to another.
You and lots of other people :-)
Harald Welte has been trying to get funding to write stateful failover
for netfilter for a while now, but last I heard (a year ago at OLS), he
hasn't got funding and hasn't done it. Even conceptually it's not easy to
do and there's a lot of thinking about whether the current netfilter setup
is worth putting the effort into failing over. One problem is on loading
rules: each new rule has to find its place in the existing rule set.
Thus loading large rule sets is an n^^2 problem and it can take seconds for
50,000 rules to load. A netfilter rule compiler would be nice.
Joe
--
Joseph Mack PhD, High Performance Computing & Scientific Visualization
SAIC, Supporting the EPA Research Triangle Park, NC 919-541-0007
Federal Contact - John B. Smith 919-541-1087 - smith.johnb@xxxxxxx