From: Boian Bonev <boian@bonev.com>
To: Jason Lunz <lunz@falooley.org>, netdev@oss.sgi.com
Cc: linux-net@vger.kernel.org
Subject: Re: Do you know the TCP stack? (127.x.x.x routing)
Date: Thu, 10 Mar 2005 01:51:21 +0200 [thread overview]
Message-ID: <20050309235122.7541.qmail@orange.bonev.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 1913 bytes --]
> The question, though, is: *How* do you configure the nodes within the
> chassis such that the internal IPs (whatever they are) _stay_ internal,
> and any non-127/8 addressing can be used for the external interfaces?
>
> I've done something similar, for example, using policy routing and the
> arp sysctls. Suppose you have a machine with 2 interfaces, and you want
> IP routing to happen on each of the two interfaces as independently as
> possible. My solution involves using the "iif" modifier in your routing
> rules ("ip rule" rules) to send packets to two completely different
> routing tables, and making sure arp doesn't bleed across the two
> interfaces. I don't know whether policy routing gives enough control to
> do this in a general fashion; i did it only for very specific types of
> traffic. But I suspect you could come up with something workable.
you can do that but you omit the interface addresses - suppose ext net is 10.20.10.1/24,
internal is 10.10.10.1/24, no matter what routing policies and rules you put, both interface
ips will be visible from both interfaces. now imagine you have another external net 10.30.10.1/24
and customer wants to route e.g. 10.10.0.0/16 from 10.20.10.1/24 via 10.30.10.5...
at least host 10.10.10.1 will not route but arrive locally to your blade host
btw. i have seen recently on iptables' patch-o-matic some module that could by condition route
traffic to local addresses to another host. anyway the whole thing is doable with any kind of
addresses but just imagine what nightmare startup ruleset you will have on each box; then
modify your custom rules to conform that hell ruleset and... imho it will be much more easy to
create a custom transport over ethernet (in case your ext network could share addresses form
that protocol also) and forget about ipv4 for internal implementation. thus you'd have at least
better security between worlds ;-)
b.
next reply other threads:[~2005-03-09 23:51 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-03-09 23:51 Boian Bonev [this message]
2005-03-10 0:23 ` Do you know the TCP stack? (127.x.x.x routing) Jason Lunz
-- strict thread matches above, loose matches on Subject: below --
2005-03-10 15:04 Steve Iribarne
2005-03-10 15:25 ` Catalin(ux aka Dino) BOIE
2005-03-10 14:35 Steve Iribarne
2005-03-10 14:49 ` Dmitry Torokhov
2005-03-09 21:57 Steve Iribarne
2005-03-10 0:11 ` jamal
2005-03-09 17:33 Steve Iribarne
2005-03-09 19:40 ` jamal
2005-03-09 15:01 Steve Iribarne
2005-03-09 16:00 ` jamal
2005-03-10 6:48 ` Catalin(ux aka Dino) BOIE
2005-03-08 15:07 Steve Iribarne
2005-03-06 2:20 Zdenek Radouch
2005-03-06 9:56 ` Martin Mares
2005-03-06 17:01 ` Zdenek Radouch
2005-03-06 17:12 ` alex
2005-03-06 17:31 ` Thomas Graf
2005-03-06 19:48 ` Zdenek Radouch
2005-03-06 20:19 ` alex
2005-03-06 20:19 ` Andi Kleen
2005-03-06 20:45 ` Thomas Graf
2005-03-06 21:30 ` Andi Kleen
2005-03-06 21:50 ` Thomas Graf
2005-03-06 21:50 ` Zdenek Radouch
2005-03-07 7:01 ` Sumit Pandya
2005-03-07 8:05 ` Eran Mann
2005-03-07 12:14 ` jamal
2005-03-07 23:50 ` jamal
2005-03-08 3:15 ` Zdenek Radouch
2005-03-08 13:34 ` jamal
2005-03-08 13:51 ` Martin Mares
2005-03-08 13:58 ` jamal
2005-03-08 14:03 ` Martin Mares
2005-03-08 14:17 ` jamal
2005-03-08 14:20 ` Martin Mares
2005-03-08 18:40 ` Henrik Nordstrom
2005-03-08 21:17 ` jamal
2005-03-09 9:09 ` Henrik Nordstrom
2005-03-09 12:39 ` jamal
2005-03-09 13:39 ` Zdenek Radouch
2005-03-09 14:18 ` jamal
2005-03-09 16:46 ` Jason Lunz
2005-03-10 10:10 ` Henrik Nordstrom
2005-03-09 17:52 ` Matt Mackall
2005-03-10 6:57 ` Catalin(ux aka Dino) BOIE
2005-03-09 22:34 ` Henrik Nordstrom
2005-03-10 1:47 ` Jamie Lokier
2005-03-08 18:34 ` Henrik Nordstrom
2005-03-09 5:33 ` Zdenek Radouch
2005-03-08 14:02 ` Thomas Graf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050309235122.7541.qmail@orange.bonev.com \
--to=boian@bonev.com \
--cc=linux-net@vger.kernel.org \
--cc=lunz@falooley.org \
--cc=netdev@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).