Stateful port redirection?

Stateful port redirection?

[Faré]

Dear netfilter hackers,

I'm studying options for Hot Upgrade for servers that require high availability.

Is it possible using netfilter to
a- redirect TCP traffic from port 10000 (visible to the public) to
port 10010 (invisible to the public)
b- change the rule so that that traffic to port 10000 is now
redirected to port 10020 (also invisible to the public) *except* for
packets associated with existing connections, that will remain
redirected to port 10010.

I can imagine that others have needed this feature and that it already
exists. Or I can imagine that nobody bothered about the connections
that were lost. I can also imagine heavyweight ways to do everything
in user-space, with the old server passing the TCP socket fd to the
new server over a AF_UNIX socket.

So -- has it been done before? If not, how hard would it be to add a
packet filter that would do that -- and that could be updated
dynamically to switch again to another port, etc.?

--#f
"I object to doing things that computers can do."
        — Olin Shivers

Re: Stateful port redirection?

[Pascal Hambourg]

Hello,

Faré a écrit :
> 
> Is it possible using netfilter to
> a- redirect TCP traffic from port 10000 (visible to the public) to
> port 10010 (invisible to the public)

What do you mean by invisible ?

> b- change the rule so that that traffic to port 10000 is now
> redirected to port 10020 (also invisible to the public) *except* for
> packets associated with existing connections, that will remain
> redirected to port 10010.

Yes. This is the way stateful NAT works. Changes in NAT rules apply only
to new connections.