server FA, it attempts a direct connection to the server. If an FA recovers from its failure, servers affected by the failure should upgrade their sockets to support CODO mechanisms.³ To achieve this goal, we design FAs to maintain soft state so that they can recover by receiving socket information from server CLs. Therefore, the CL periodically tries to contact the failed FA. If successful, it upgrades its sockets by doing whatever it would have done if the FA had not failed, and the FA recovers its state during this upgrade process.

If a firewall fails before step (6) in the connection process, unnecessary rules may still exist in the firewall when it recovers. The firewall must delete these unnecessary rules to maintain a high level of security. If a firewall supported timeouts on rules, garbage collection could clean up the unnecessary rules. Unfortunately, the firewalls we targeted do not support timeouts. Instead of garbage collection, each FA records a snapshot of the rules it created in a persistent file. During startup, it deletes all the rules recorded in that file. This blind flush will certainly delete necessary rules as well. However, the necessary rules are recreated as part of the (soft) state recovery explained above.

6. Implementation

The CL is implemented as a C/C++ library and as a layer between the application and the kernel, as depicted in Figure 4. Applications use CODO socket calls to create a CODO socket, bind it to an address, connect to a server, accept a connection from a client, and so forth. The CL provides some file system calls so that applications may duplicate socket descriptors, make a socket non-blocking, and multiplex multiple file descriptors, including CODO sockets. The CL also has a few functions for process control, such as CODO_fork and CODO_execve. These exist mainly so that child processes inherit open sockets. All CODO calls have the same APIs as their regular counterparts.

Figure 4: CL implementation

The FA is implemented as a daemon running on the firewall machine. It uses the Linux Netfilter [9] API to add, delete, and list rules. Although CODO currently supports only firewalls based on Netfilter, it interacts with firewalls through an abstraction layer that defines the firewall functions needed to control a firewall dynamically. Therefore, any firewall that provides those functions can be supported easily. In §3 and §4.2, we claimed that the FA deletes the firewall rules it added once they become unnecessary, that is, after the stateful firewall has created enough state information to let subsequent packets traverse.

² The server FA is also the client FA in this case because the client and the server are in the same network.

³ The upgrade process should not change the official address of a socket. Therefore, sockets with a private (IP, port) may not be upgraded. A private official address is assigned to a socket behind a NAT box when its FA is down at binding time.
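The persistent rule snapshot and the blind flush at FA startup are easy to get subtly wrong (a rule inserted before it is recorded survives a crash forever, since the targeted firewalls have no rule timeouts). The following is an added example, not code from the CODO paper or its implementation: a small C model of the FA's behaviour that records each rule in a snapshot file before inserting it, flushes everything recorded when the FA restarts, and then lets soft-state recovery recreate the rule a still-live server socket needs. The in-memory `struct firewall` and the `fw_*`/`fa_*` function names are hypothetical stand-ins for the paper's firewall abstraction layer over Netfilter; the rule strings and addresses are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RULES 16
#define RULE_LEN  96

/* In-memory stand-in for the firewall behind the FA's abstraction layer. The real
 * FA drives Linux Netfilter; this fake only offers add/delete/lookup (hypothetical). */
struct firewall {
    char rules[MAX_RULES][RULE_LEN];
    int  count;
};

static int fw_find(const struct firewall *fw, const char *rule) {
    for (int i = 0; i < fw->count; i++)
        if (strcmp(fw->rules[i], rule) == 0) return i;
    return -1;
}

int fw_add_rule(struct firewall *fw, const char *rule) {
    if (fw->count >= MAX_RULES || fw_find(fw, rule) >= 0) return -1;
    snprintf(fw->rules[fw->count++], RULE_LEN, "%s", rule);
    return 0;
}

int fw_delete_rule(struct firewall *fw, const char *rule) {
    int i = fw_find(fw, rule);
    if (i < 0) return -1;   /* rule not present (already deleted or never inserted) */
    memmove(&fw->rules[i], &fw->rules[i + 1], (size_t)(fw->count - i - 1) * RULE_LEN);
    fw->count--;
    return 0;
}

/* FA side: append the rule to the persistent snapshot *before* inserting it, so a
 * crash between the two steps can only leave behind a recorded (hence flushable) rule. */
int fa_add_rule(struct firewall *fw, const char *snapshot_path, const char *rule) {
    FILE *f = fopen(snapshot_path, "a");
    if (!f) return -1;
    fprintf(f, "%s\n", rule);
    fclose(f);
    return fw_add_rule(fw, rule);
}

/* FA startup: blind flush of every rule the previous incarnation recorded, then
 * truncate the snapshot. Returns how many rules were actually removed. */
int fa_startup_flush(struct firewall *fw, const char *snapshot_path) {
    int removed = 0;
    char line[RULE_LEN];
    FILE *f = fopen(snapshot_path, "r");
    if (f) {
        while (fgets(line, sizeof line, f)) {
            line[strcspn(line, "\r\n")] = '\0';
            if (line[0] && fw_delete_rule(fw, line) == 0) removed++;
        }
        fclose(f);
    }
    f = fopen(snapshot_path, "w");   /* truncate: flushed rules must not be flushed twice */
    if (f) fclose(f);
    return removed;
}

/* Constructed crash scenario. Returns the number of rules in the firewall after
 * recovery; if stale is non-NULL, stores how many stale rules the flush removed. */
int simulate_crash_recovery(const char *snapshot_path, int *stale) {
    struct firewall fw;
    memset(&fw, 0, sizeof fw);
    const char *conn_a = "ACCEPT tcp 10.0.0.5:40001 -> 192.168.1.10:8080";  /* constructed */
    const char *conn_b = "ACCEPT tcp 10.0.0.7:40002 -> 192.168.1.10:8080";  /* constructed */
    const char *listen_rule = "ACCEPT tcp any -> 192.168.1.10:8080";        /* constructed */

    remove(snapshot_path);
    fa_add_rule(&fw, snapshot_path, conn_a);
    fa_add_rule(&fw, snapshot_path, conn_b);
    fw_delete_rule(&fw, conn_a);   /* connection A reached step (6): FA removed its rule */
    /* FA crashes here, before step (6) for connection B: its in-memory state is gone,
     * but the firewall still holds conn_b and has no rule timeout that would expire it. */
    int removed = fa_startup_flush(&fw, snapshot_path);
    if (stale) *stale = removed;
    /* Soft-state recovery: the server CL re-contacts the restarted FA and upgrades its
     * listening socket again, so the one rule it still needs is recreated. */
    fa_add_rule(&fw, snapshot_path, listen_rule);
    return fw.count;
}

/* Convenience wrapper exposing the stale-rule count from the scenario above. */
int demo_stale_rules_flushed(void) {
    int stale = 0;
    simulate_crash_recovery("codo_snapshot_demo.txt", &stale);
    return stale;
}

int main(void) {
    int stale = 0;
    int left = simulate_crash_recovery("codo_snapshot_demo.txt", &stale);
    printf("stale rules flushed at startup: %d, rules after recovery: %d\n", stale, left);
    return 0;
}
```

The ordering inside `fa_add_rule` is the point: recording the rule after inserting it would open a window in which a crash leaves a rule the next flush cannot see, which is exactly the hole the paper's snapshot is meant to close. Note also that the flush tolerates entries for rules already deleted in normal operation (`fw_delete_rule` simply reports them absent), so the snapshot never needs to be rewritten on every step (6).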