* SynProxy Problem with Asymmetric dual bridge topology
@ 2015-05-25 9:55 Niyazi Sırt
From: Niyazi Sırt @ 2015-05-25 9:55 UTC (permalink / raw)
To: netfilter
Hi,
I have an asymmetric dual bridge topology as shown below:

                 -------
                 |     |
                 ---o---  172.16.11.5
                    |
                    |
               -----o-----  172.16.11.6
               |         |
               |         |  default gw 1.1.1.1
               |         |
  1.1.1.2/30   --o----o---  2.2.2.2/30
                 |    |
                 |    |
                 |    |  (enp10s0f0)
             ----o----o-----
             |             |
             |     XXX     |
             |             |
             | br1     br0 |  synproxy
             |             |
             ----o----o-----
                 |    |
                 |    |
                 |    |
  1.1.1.1/30   --o----o---  2.2.2.1/30
               |         |
               |         |  default gw 2.2.2.2
               |         |
               -----o-----  172.16.10.1
                    |
                    |
                 ---o---  172.16.10.6
                 |     |
                 -------

On all machines between 172.16.11.5 and 172.16.10.6,
"rp filtering" is off and "ip forwarding" is on.

There is a machine in the middle of the topology, which is
called the "XXX" machine. XXX has two bridges and a SynProxy.

When SynProxy is turned OFF on XXX, I can ping from
172.16.11.5 to 172.16.10.6 and ICMP packets follow
this path: br1->172.16.10.1->172.16.10.6->172.16.10.1->br0.
In addition, I can access 172.16.10.6 from 172.16.11.5
with ssh. So the TCP traffic works as I expect.

However, when SynProxy is turned ON on XXX, I can ping
from 172.16.11.5 to 172.16.10.6 and ICMP packets follow
the same path. But I cannot access 172.16.10.6 from
172.16.11.5 using ssh. This is because synproxy cannot
send SYN-ACK replies through the br1 iface. If I add a
route for SYN-ACK packets on XXX, I can connect from
172.16.11.5 to 172.16.10.6 with ssh.

    route add 172.16.11.5 dev enp10s0f0

But this is not acceptable because the 172.16.11.0 network
is cloud. So I could not add routes for the whole cloud network
to the route table and could not add MAC addresses to the ARP
table.

How can I connect from 172.16.11.5 to the 172.16.10.6
machine using ssh when SynProxy is turned ON on XXX?

Thanks in advance,
Niyazi