Re: REOUTE target extension

I don't see how TEE will help me (in its current state). I'd like to
redirect ingress packets to a device without an IP address (for IDS).
More specifically, I have a machine with a lot of interfaces
(OpenStack hypervisor), each connected to a bridge.
I'd like to match the traffic on each interface using iptables and to
mirror some of it into my own interface that is connected to an OVS.
There is no direct connection between my interface and the others.
The reason I'd like to use iptables is to do all the matches and the
redirects as fast as possible, instead of doing it in user space.

On Fri, May 29, 2015 at 3:50 PM, Jan Engelhardt <jengelh@xxxxxxx> wrote:
>
> On Friday 2015-05-29 14:02, Eddi Linder wrote:
>
>>The matching will be L3 based, but the copy can be of all the packet,
>>I'd like to simply change the dest device of it.
>>I can match by source device, I don't see why it's not logical to
>>target a device as an action.
>
> (Given "sending to a device" comes up again from time to time, let me provide
> this linkable reasoning.)
>
> An analogy to sending to a device is commanding a ship to harbor exit #34.
>
> And then? Is it supposed to moor, or sink itself?
>
>
> A destination is required. _Any_ will do, in whatever way it is derived, but
> one is needed. One could for example (re)use the Ethernet address, in case of
> copying from and to Ethernet. Or let one be neighbor-discovered by specifying
> the L3 address with TEE's --gw. Or other magic, depending on what the link
> type's needs are, and what your packet already provides in terms of fields
> (which may be fewer or more in case of tunnels and such).
> A destination is required, a device is only a waypoint.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
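The point Jan makes above, that TEE needs a next hop rather than just an output device, can be shown with the rule set the original poster is after. This is an added example, not code from the thread or from the netfilter project: it emits the iptables TEE rules that clone ingress packets from a list of hypervisor interfaces towards a sensor, plus a static neighbour entry so the sensor box itself need not carry an IP address. The interface names (tap0, tap1, ids0), the next-hop address 10.0.0.2 and the MAC 02:00:00:00:00:02 are constructed assumptions; nothing is executed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread or from netfilter.
# TEE clones the matched packet and routes the clone to the --gw next hop;
# the route lookup for that address picks the output device, and ARP/ND (or
# a static neighbour entry) supplies the Ethernet destination. That next hop
# is the "destination" a bare "send to device" target would be missing.
#
# Constructed assumptions: the hypervisor owns ids0 with an address in
# 10.0.0.0/24 (so 10.0.0.2 routes out of ids0), the sensor hangs off that
# segment and answers to MAC 02:00:00:00:00:02, ingress interfaces are tap0
# and tap1.

MIRROR_DEV=${MIRROR_DEV:-ids0}
MIRROR_GW=${MIRROR_GW:-10.0.0.2}
MIRROR_MAC=${MIRROR_MAC:-02:00:00:00:00:02}

# Print one TEE rule for IFACE. Any extra arguments are passed through as
# iptables match options, so the caller chooses which subset of traffic is
# cloned (e.g. "-p tcp --dport 80"). mangle/PREROUTING sees every ingress
# packet before routing, which is where "-i" matches are meaningful.
tee_rule() {
    iface=$1; shift
    if [ $# -gt 0 ]; then
        printf 'iptables -t mangle -A PREROUTING -i %s %s -j TEE --gw %s\n' \
            "$iface" "$*" "$MIRROR_GW"
    else
        printf 'iptables -t mangle -A PREROUTING -i %s -j TEE --gw %s\n' \
            "$iface" "$MIRROR_GW"
    fi
}

# Permanent neighbour entry: the hypervisor resolves MIRROR_GW to MIRROR_MAC
# without ARP, so the sensor interface can stay address-less and silent.
neigh_rule() {
    printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' \
        "$MIRROR_GW" "$MIRROR_MAC" "$MIRROR_DEV"
}

# Whole plan for the given ingress interfaces: neighbour entry first, then
# one TEE rule per interface.
mirror_plan() {
    neigh_rule
    for iface in "$@"; do
        tee_rule "$iface"
    done
}

# Dry-run by default; APPLY=1 executes the commands (needs root and the
# xt_TEE module).
run_plan() {
    mirror_plan "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$cmd"
        else
            echo "$cmd"
        fi
    done
}

run_plan tap0 tap1
```

Two caveats a practitioner will hit: the clone is routed like any other packet, so 10.0.0.2 must be reachable through the mirror interface's own route (here via the /24 on ids0), and TEE only copies what the rule matches, so narrowing the match with normal iptables options is how the "some of it" in the original request is expressed.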



