Packets from "self" dont pass through netfilter

Packets from "self" dont pass through netfilter

[Thanos Panousis]

Hello,

I have bothered this list before with a little project I am working
on, so here goes again.

I have 3 hosts: a client, a primary and a backup server, all on a HUB,
so everybody hears everybody else's traffic. The primary and the
backup have the same IPs AND the same MACs. The backup has

ifconfig eth0 -arp
ifconfig eth0 promisc

, meaning I have disabled arp broadcasting and I ve put its interface
in promisc mode. I am using iptables in the backup to redirect all
traffic going in or out of its NIC to a QUEUE target, and these
packets get processed by a script of my that is suppossed to do
smthing.

So, say I do a telnet from client to primary(and the backup, since
they got the same IP). The primary will do the TCP handshake OK, and
the backup will get fucked up, sending RST tcp packets. What SHOULD
traverce the firewall (and hence the QUEUE target) on the backup is:

-the clients SYN packet going in
-the primary SYN/ACK packet going in
-the backup SYN/ACK going out
-the client ACK going in

then the backup server would see the wrong ACK that came in and get
fucked up(send an RST?).

But the packets that come from the primary server(which has the same
IP/MAC) NEVER go in the backups QUEUE. Why is that?? I dont grab them
at the QUEUE target, but I can see them crossing if I use ethereal!

Re: Packets from "self" dont pass through netfilter

[Markus Marquardt]

Thanos Panousis wrote:

> But the packets that come from the primary server(which has the same
> IP/MAC) NEVER go in the backups QUEUE. Why is that?? I dont grab them
> at the QUEUE target, but I can see them crossing if I use ethereal!

IMHO the backup server thinks the packets came from itself (same MAC). 
So why should it queue them into the ip stack?

Regards,
Markus

Re: Packets from "self" dont pass through netfilter

[Thanos Panousis]

Yes I understand that, but still I need some advice on how to make
that happen, cause its really vital for what I m trying to do.

How can I make the QUEUE target of netfilter receive packets as if it
was in "promiscuous" mode? to put it in another way, I would like the
QUEUE target to receive whatever shows up on ethereal (which is all
traffic on the hub).

Having both the the primary and the backup share the same IP/MAC, the
packets from the primary dont go up netfilter in the backup. How can I
make this happen, or at least "fake" something in the backup so that I
make it happen....


Thanks for your reply.


On 1/12/06, Markus Marquardt <adrock0501@arcor.de> wrote:
> Thanos Panousis wrote:
>
> > But the packets that come from the primary server(which has the same
> > IP/MAC) NEVER go in the backups QUEUE. Why is that?? I dont grab them
> > at the QUEUE target, but I can see them crossing if I use ethereal!
>
> IMHO the backup server thinks the packets came from itself (same MAC).
> So why should it queue them into the ip stack?
>
> Regards,
> Markus
>
>
>