On Sun, 2002-11-17 at 21:43, Julian Anastasov wrote:
> Hello,

Hi!

> On Sun, 17 Nov 2002, Vincent Jaussaud Mailing Listes wrote:
>
> Yes, this is a problem, job for user space tools to change
> the routing settings on failure.

Ok, I think I can manage to write some scripts to manage the routing rules, depending on the state of the links.

> Should not happen for TCP servers but sometimes the UDP servers
> are not smart enough when used on multihomed servers. See below.

Ok. If all TCP servers behave correctly, then it's all I need.

> Firewall with rp_filter set on internal interfaces
> expects the traffic to come from the right internal interface (I
> assume you have the two pubnets configured on different internal
> interfaces). There is no such problem if the internal interfaces
> do not use rp_filter.

Right. And disabling rp_filter might open a security hole; so I'll ensure traffic always goes through the right interface.

> > I mean, we don't really care what link is being used for a reply, as soon as
> > the SRC IP & DST IP are correct. It's likely that ISP1 & ISP2 router won't do
> > source address validation anyway. Am I wrong?
>
> If the ISPs allow spoofing then while the links are alive
> there is no problem, it comes when some ISP fails. We should stop
> using its addresses in this case.

Right.

> daddr is always used.
>
> Some examples (of course, there are other route keys used,
> not shown here):
>
> - TCP connect() for unbound socket uses saddr=0.0.0.0 daddr=REMOTE_IP.
> The routing then returns the best source IP to use for this connection
> after creating a connected route in the routing cache.

What do you mean by "unbound socket"?

> - TCP connect() after bind() uses saddr=LOCAL_IP daddr=REMOTE_IP
>
> - TCP listener uses saddr=LOCAL_IP daddr=REMOTE_IP when replying to
> SYN
>
> - UDP can also avoid using 0.0.0.0 as saddr if the socket is bound
> or when IP_PKTINFO contains local IP information. If the app does
> not take steps to inform the kernel that this socket is bound
> to some local IP when sending the packet then 0.0.0.0 is used
> as src IP for the route lookup (ignoring the fact that this
> UDP packet has known saddr in iphdr). So, it depends both on
> transport and on app to feed the routing with the right keys.

Ok. Seems like I'll have to do some heavy testing. :)

Thanks again.

Vincent.

> > Vincent.
>
> Regards
>
> --
> Julian Anastasov <ja@ssi.bg>

--
Vincent Jaussaud <tatooin@kelkoo.com>
Kelkoo.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
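The UDP case Julian describes, as an added example (not code from this thread): a Linux UDP echo server that enables IP_PKTINFO, reads the local address each datagram arrived on, and sets ipi_spec_dst on the reply so the route lookup for the reply sees saddr=LOCAL_IP instead of 0.0.0.0. Function names are my own; it assumes glibc and a Linux kernel.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* UDP socket on 0.0.0.0:port with IP_PKTINFO, so recvmsg() reports the arrival address. */
int udp_pktinfo_socket(uint16_t port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0), one = 1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (fd < 0 || setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        return -1;
    return fd;
}

/* Receive one datagram and echo it back with ipi_spec_dst set to the address it
 * arrived on, so the kernel routes the reply with that address as saddr.
 * Returns the arrival address in host order, or 0 on failure / missing cmsg. */
uint32_t echo_from_arrival_addr(int fd) {
    char buf[1500], cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct sockaddr_in peer;
    struct iovec iov = { .iov_base = buf, .iov_len = sizeof buf };
    struct msghdr msg = { .msg_name = &peer, .msg_namelen = sizeof peer,
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return 0;
    struct in_pktinfo rx = { 0 };
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO)
            memcpy(&rx, CMSG_DATA(c), sizeof rx);
    if (rx.ipi_addr.s_addr == 0) return 0;
    /* Reply with the same payload; the ancillary IP_PKTINFO selects the source. */
    struct in_pktinfo tx = { 0 };
    tx.ipi_spec_dst = rx.ipi_addr;
    iov.iov_len = (size_t)n;
    memset(cbuf, 0, sizeof cbuf);
    msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IP; c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof tx);
    memcpy(CMSG_DATA(c), &tx, sizeof tx);
    msg.msg_controllen = CMSG_SPACE(sizeof tx);
    return sendmsg(fd, &msg, 0) == n ? ntohl(rx.ipi_addr.s_addr) : 0;
}
```

A server bound to INADDR_ANY on a multihomed box otherwise lets the reply's route lookup pick the source, which is exactly the failure mode described for a dead ISP link.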