From: Eric Dumazet <eric.dumazet@gmail.com>
To: Jasper Spaans <spaans@fox-it.com>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: bridging + load balancing bonding
Date: Fri, 23 Oct 2009 10:55:31 +0200
Message-ID: <4AE16F83.7080400@gmail.com>
In-Reply-To: <20091023083851.GA18457@spaans.fox.local>

Jasper Spaans wrote:
> Hi Eric,
>
> On Thu, Oct 22, 2009 at 05:41:48PM +0200, Eric Dumazet wrote:
>
>> Very nice setup, and nice finding.
>>
>> Don't locally generated (or routed) packets have h_source set to bond_dev->dev_addr anyway?
>>
>> So your solution might be the right fix...
>>
>> About other ideas... I was thinking of TEE target (not in mainline unfortunately):
>>
>> iptables -t mangle -A PREROUTING -i eth0 <some hash on mac addr> -j TEE --gateway 192.168.99.1 # IDS1
>> iptables -t mangle -A PREROUTING -i eth0 !<some hash on mac addr> -j TEE --gateway 192.168.99.2 # IDS2
>
> Unfortunately, this won't work: the TEE target works at IP-level, and
> changes mac-addresses, which is a no-go thing for us.. (and we won't be able
> to see non-IP traffic such as ARP on the IDS machines)
>
Of course, iptables / TEE works at IP level, so you'll need some ebtables analogy to work at Ethernet level.
Don't you think special attention is needed for multicast/broadcast traffic (they should be sent to both IDS)?
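
The Ethernet-level dispatch rule discussed in this message, written out as an added example (not code from the thread or from the kernel): unicast frames go to one sensor chosen by a hash on the MAC addresses, while multicast/broadcast frames such as ARP requests are copied to both. The hash (XOR of the last octet of both MACs, modulo 2), the IDS1/IDS2 bitmask and the name ids_select are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define IDS1 0x1u   /* hypothetical bitmask: copy goes to sensor 1 */
#define IDS2 0x2u   /* hypothetical bitmask: copy goes to sensor 2 */

/* MAC address fields at the start of an Ethernet header. */
struct eth_hdr {
    uint8_t h_dest[6];
    uint8_t h_source[6];
};

/* Constructed sample frames (all MAC addresses are made up). */
static const struct eth_hdr a_to_b = {
    {0x00, 0x16, 0x3e, 0x00, 0x00, 0x0b}, {0x00, 0x16, 0x3e, 0x00, 0x00, 0x0a} };
static const struct eth_hdr b_to_a = {
    {0x00, 0x16, 0x3e, 0x00, 0x00, 0x0a}, {0x00, 0x16, 0x3e, 0x00, 0x00, 0x0b} };
static const struct eth_hdr a_to_c = {
    {0x00, 0x16, 0x3e, 0x00, 0x00, 0x0c}, {0x00, 0x16, 0x3e, 0x00, 0x00, 0x0a} };
static const struct eth_hdr arp_bcast = {
    {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, {0x00, 0x16, 0x3e, 0x00, 0x00, 0x0a} };
static const struct eth_hdr mcast = {
    {0x01, 0x00, 0x5e, 0x00, 0x00, 0x01}, {0x00, 0x16, 0x3e, 0x00, 0x00, 0x0a} };

/* Group (multicast/broadcast) destinations have the I/G bit set:
 * the least significant bit of the first octet. */
static int is_group_addr(const uint8_t *mac)
{
    return mac[0] & 0x01;
}

/* Returns the set of sensors that must receive a copy of the frame.
 * Assumed hash: XOR of the last octet of both MACs, modulo 2. XOR is
 * symmetric, so both directions of a conversation reach the same sensor. */
unsigned int ids_select(const struct eth_hdr *eth)
{
    if (is_group_addr(eth->h_dest))
        return IDS1 | IDS2;
    return ((eth->h_source[5] ^ eth->h_dest[5]) % 2) ? IDS2 : IDS1;
}

int main(void)
{
    printf("a->b %u, b->a %u, a->c %u, ARP broadcast %u, multicast %u\n",
           ids_select(&a_to_b), ids_select(&b_to_a), ids_select(&a_to_c),
           ids_select(&arp_bcast), ids_select(&mcast));
    return 0;
}
```

Because the decision uses only the MAC fields, non-IP frames are classified the same way as IP frames and nothing in the frame is rewritten.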