From: Jesper Dangaard Brouer <hawk@comx.dk>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Jesper Dangaard Brouer <hawk@comx.dk>,
"David S. Miller" <davem@davemloft.net>,
netdev@vger.kernel.org
Subject: Re: [net-next PATCH] net: RFC3069, private VLAN proxy arp support
Date: Wed, 06 Jan 2010 10:49:29 +0100
Message-ID: <1262771369.9474.80.camel@jdb-workstation>
In-Reply-To: <4B4427CE.1040203@gmail.com>
On Wed, 2010-01-06 at 07:03 +0100, Eric Dumazet wrote:
> On 05/01/2010 16:50, Jesper Dangaard Brouer wrote:
> > This is to be used together with switch technologies, like RFC3069,
> > where the individual ports are not allowed to communicate with
> > each other, but they are allowed to talk to the upstream router. As
> > described in RFC 3069, it is possible to allow these hosts to
> > communicate through the upstream router by proxy_arp'ing.
> >
>
> Reading RFC 3069, I don't understand why it needs support on hosts
> themselves.
They don't, this patch does NOT implement support on the hosts (most of
the "hosts" in our ISP setup are people's Windows machines).
This is intended only to be used on the router.
> > This patch basically allows proxy arp replies back to the same
> > interface (from which the ARP request/solicitation was received).
>
> Could you give me an example of how it is used ?
Okay, that first requires an understanding of our setup, then how we use
it...
As an ISP we use this stuff on our Linux based Internet routers (these
boxes are Ethernet Layer 2 connected via VLANs to the Ethernet switches
in the customers apartment buildings).
Our primary customers are entire apartment buildings, where we basically
establish an Ethernet based network, which all apartments are connected
to.
One big Ethernet based network gives a lot of problems with people
misbehaving, viruses, broadcast packets and so on. Thus, to solve these
issues we shield every customer/ethernet-port from each other, by using
RFC 3069 like switch technologies.
This seemed like a good solution, until customers started to run e.g.
web-servers on their home PCs. This meant that the entire Internet
could browse their homepage, but they could not show it to their
neighbor...
This patch solved the issue by doing proxy arp'ing on the router against
the "local" network, thus making it possible for customers to
communicate, but via the router. This also gives the ability to do
firewalling on the router between customers on an Ethernet. (In our
solution the Linux router also has a personal firewall configurable per
customer.)
It is simply enabled on an interface via e.g.:
echo 1 > /proc/sys/net/ipv4/conf/eth2.1013/proxy_arp_pvlan
Hope that helps you understand the idea and usage :-)
--
Med venlig hilsen / Best regards
Jesper Brouer
ComX Networks A/S
Linux Network Kernel Developer
Cand. Scient Datalog / MSc.CS
Author of http://adsl-optimizer.dk
LinkedIn: http://www.linkedin.com/in/brouer
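As an added illustration (not code from the patch or from anyone in this thread), here is a small Python model of the decision the router makes when an ARP request arrives on a customer VLAN: classic proxy_arp answers only for targets routed out a different interface, while proxy_arp_pvlan also answers when the target sits on the very same isolated VLAN, so neighbour traffic is pulled through the router and its per-customer firewall. Interface names, addresses and the routing table are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Iface:
    """Per-interface state, modelling /proc/sys/net/ipv4/conf/<if>/ sysctls."""
    name: str
    proxy_arp: bool = False        # classic proxy_arp: answer for hosts behind OTHER interfaces
    proxy_arp_pvlan: bool = False  # RFC 3069 mode: also answer for hosts on the SAME interface


# Constructed routing table: one customer building VLAN plus an upstream default
# route. Addresses and interface names are made up for this example.
ROUTES = {
    ipaddress.ip_network("10.13.0.0/24"): "eth2.1013",  # customer building VLAN
    ipaddress.ip_network("0.0.0.0/0"): "eth0",          # upstream / Internet
}


def route_dev(tip: str, routes=ROUTES):
    """Longest-prefix match: which interface would a packet to tip leave by?"""
    addr = ipaddress.ip_address(tip)
    best = max((n for n in routes if addr in n), key=lambda n: n.prefixlen, default=None)
    return routes[best] if best is not None else None


def should_proxy_reply(in_dev: Iface, sip: str, tip: str, routes=ROUTES) -> bool:
    """Does the router answer an ARP request for tip that arrived on in_dev from sip?"""
    out = route_dev(tip, routes)
    if out is None:
        return False                  # unroutable target: never claim it
    if out != in_dev.name:
        return in_dev.proxy_arp       # target is behind another interface: classic proxy ARP
    # The target is on the segment the request came from. On an ordinary LAN the
    # hosts ARP each other directly and the router stays silent. On a private
    # VLAN the ports are isolated, so only pvlan mode answers; the reply goes
    # back out the same interface and the traffic then flows via the router,
    # where the per-customer firewall rules can be applied.
    if sip == tip:
        return False                  # self probe / duplicate-address check: stay quiet
    return in_dev.proxy_arp_pvlan
```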