From: Eric Dumazet <eric.dumazet@gmail.com>
To: Jasper Spaans <spaans@fox-it.com>
Cc: netdev@vger.kernel.org
Subject: Re: bridging + load balancing bonding
Date: Thu, 22 Oct 2009 17:41:48 +0200
Message-ID: <4AE07D3C.3040702@gmail.com>
In-Reply-To: <20091022122339.GA20148@spaans.fox.local>

Jasper Spaans wrote:
> Hi,
> 
> We're using the following setup for bonding and bridging, to be able to put
> large amounts of data through multiple IDS analyzers:
> 
>                              +---[br0]----+     +--- eth1 ---(IDS machine 1)
> (Span port from switch) -- eth0          bond0--+
>                                                 +--- eth2 ---(IDS machine 2)
> 
> eth0 receives network traffic, which should be passed to machines which are
> connected to eth1 and eth2. These machines run an IDS package, and there are
> two of those for performance reasons.
> 
> bond0 is configured to load balance the packets using "balance-xor", in this
> case combined with xmit_hash_policy layer2.
> 
> However, we're seeing problems: packets from one flow do not end up at the
> same IDS machine.  This is because this selection is not based on the source
> _and_ destination mac addresses of the original packet, but on the mac
> address of the bonding device and the destination mac address of the
> package.
> 
> This is also clear in the code:
> For example, in bond_main.c, in bond_xmit_hash_policy_l2:
> 	return (data->h_dest[5] ^ bond_dev->dev_addr[5]) % count;
> 
> Changing this to
> 	return (data->h_dest[5] ^ data->h_source[5]) % count;
> fixes our problems, but is this harmful for packets originating locally (or
> being routed?)
> 
> If not, can this be applied? Or does anyone have other ideas?
> 

Hi Jasper

Very nice setup, and nice finding.

Don't locally generated (or routed) packets have h_source set to bond_dev->dev_addr anyway?

So your solution might be the right fix...

About other ideas... I was thinking of the TEE target (not in mainline, unfortunately):

iptables -t mangle -A PREROUTING -i eth0 <some hash on mac addr>  -j TEE --gateway 192.168.99.1  # IDS1
iptables -t mangle -A PREROUTING -i eth0 !<some hash on mac addr>  -j TEE --gateway 192.168.99.2  # IDS2
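As an added example, not code from the thread or from bond_main.c, the C program below reimplements the two layer-2 hash expressions quoted above and checks the two properties under discussion: whether both directions of a conversation between two hosts land on the same IDS slave, and Eric's observation that for a locally generated frame (h_source equal to the bond's MAC) both policies pick the same slave. The MAC addresses and the two-slave count are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_ALEN 6
#define SLAVE_COUNT 2   /* two IDS links behind bond0, as in the setup above */

/* Only the two header fields the layer-2 hash policies read. */
struct eth_hdr { uint8_t h_dest[ETH_ALEN]; uint8_t h_source[ETH_ALEN]; };
/* Constructed addresses, not from the thread: two hosts seen on the span port
 * and the bonding device's own MAC. Only byte 5 feeds the hash. */
static const uint8_t host_a[ETH_ALEN]   = {0x00, 0x11, 0x22, 0x33, 0x44, 0x01};
static const uint8_t host_b[ETH_ALEN]   = {0x00, 0x11, 0x22, 0x33, 0x44, 0x02};
static const uint8_t bond_mac[ETH_ALEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x10};

/* Policy as quoted from bond_main.c: destination MAC XOR the bond's own MAC. */
static int hash_l2_orig(const struct eth_hdr *h, const uint8_t *bond_addr, int count)
{
    return (h->h_dest[5] ^ bond_addr[5]) % count;
}
/* Policy proposed in the quoted message: destination MAC XOR source MAC. */
static int hash_l2_proposed(const struct eth_hdr *h, int count)
{
    return (h->h_dest[5] ^ h->h_source[5]) % count;
}
/* Slave chosen for a frame src -> dst under the selected policy. */
static int pick_slave(int proposed, const uint8_t *src, const uint8_t *dst)
{
    struct eth_hdr h;
    memcpy(h.h_source, src, ETH_ALEN);
    memcpy(h.h_dest, dst, ETH_ALEN);
    return proposed ? hash_l2_proposed(&h, SLAVE_COUNT) : hash_l2_orig(&h, bond_mac, SLAVE_COUNT);
}
/* 1 if both directions of the a <-> b conversation reach the same IDS. */
static int keeps_flow_together(int proposed, const uint8_t *a, const uint8_t *b)
{
    return pick_slave(proposed, a, b) == pick_slave(proposed, b, a);
}
/* Eric's point: a locally generated frame has h_source == bond MAC, so the
 * proposed XOR collapses to the original one. 1 if both policies agree. */
static int policies_agree_for_local_frame(const uint8_t *dst)
{
    return pick_slave(0, bond_mac, dst) == pick_slave(1, bond_mac, dst);
}

int main(void)
{
    printf("orig keeps a<->b together: %d\n", keeps_flow_together(0, host_a, host_b));
    printf("proposed keeps a<->b together: %d\n", keeps_flow_together(1, host_a, host_b));
    printf("policies agree on local frame: %d\n", policies_agree_for_local_frame(host_b));
    return 0;
}
```

With the constructed addresses the original policy sends a->b to slave 0 and b->a to slave 1, while the proposed policy sends both to slave 1, which is exactly the flow-splitting Jasper describes.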


