Date:	Fri, 23 Oct 2009 10:55:31 +0200
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Jasper Spaans <spaans@...-it.com>
CC:	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: bridging + load balancing bonding

Jasper Spaans a écrit :
> Hi Eric,
> 
> On Thu, Oct 22, 2009 at 05:41:48PM +0200, Eric Dumazet wrote:
> 
>> Very nice setup, and nice finding.
>>
>> Don't locally generated (or outed) packets have h_source set to bond_dev->dev_addr anyway ?
>>
>> So your solution might be the right fix...
>>
>> About other ideas... I was thinking of TEE target (not in mainline unfortunately) :
>>
>> iptables -t mangle -A PREROUTING -i eth0 <some hash on mac addr>  -j TEE --gateway 192.168.99.1  # IDS1
>> iptables -t mangle -A PREROUTING -i eth0 !<some hash on mac addr>  -j TEE --gateway 192.168.99.2  # IDS2
> 
> Unfortunately, this won't work: the TEE target works at IP-level, and
> changes mac-addresses, which is a no-go thing for us.. (and we won't be able
> to see non-IP traffic such as ARP on the IDS machines)
> 

Of course, iptables / TEE works at IP level, so you'll need some ebtables analogy to work at ethernet level.

Don't you think special attention is needed for multicast/broadcast traffic (they should be sent to both IDS) ?

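An added illustration of the split policy sketched in this thread (my own example, not code from the thread or from the kernel): group traffic (broadcast/multicast, so ARP and the like) is copied to both IDS, while unicast frames are steered to one IDS by a layer-2 hash. The hash used here, XOR of the last octet of the source and destination MAC modulo the number of sensors, mirrors the bonding driver's layer2 policy and is an assumption; the thread leaves the hash unspecified.

```python
import struct

# The two IDS mirror targets named in the thread.
IDS = ("192.168.99.1", "192.168.99.2")


def parse_ethernet(frame):
    """Return (dst_mac, src_mac, ethertype) from a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype


def is_group_address(mac):
    # I/G bit: least-significant bit of the first octet marks multicast;
    # the broadcast address ff:ff:ff:ff:ff:ff is just a special case of it.
    return bool(mac[0] & 0x01)


def layer2_hash(src, dst, count):
    # Same shape as the bonding driver's layer2 xmit hash policy (assumption):
    # symmetric, so both directions of a conversation pick the same sensor.
    return (src[5] ^ dst[5]) % count


def mirror_targets(frame):
    """Return the tuple of IDS addresses that should receive a copy of frame."""
    dst, src, _ethertype = parse_ethernet(frame)
    if is_group_address(dst):
        return IDS                      # both sensors see ARP, STP, multicast
    return (IDS[layer2_hash(src, dst, len(IDS))],)


def make_frame(dst, src, ethertype, payload=b""):
    """Build a constructed Ethernet frame for offline testing."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


# Constructed sample MACs (not real hosts).
HOST_A = bytes.fromhex("001122334455")
HOST_B = bytes.fromhex("001122334466")
HOST_D = bytes.fromhex("001122334457")
BROADCAST = b"\xff" * 6
MCAST = bytes.fromhex("01005e000001")

if __name__ == "__main__":
    for f in (make_frame(BROADCAST, HOST_A, 0x0806),   # ARP request
              make_frame(HOST_B, HOST_A, 0x0800),       # unicast A -> B
              make_frame(HOST_A, HOST_B, 0x0800)):      # unicast B -> A
        print(mirror_targets(f))
```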