[PATCH] info file for ROUTE target
Cedric de Launois
delaunois at info.ucl.ac.be
Fri Dec 10 10:03:25 CET 2004
On Fri 10/12/2004 at 01:18, Patrick McHardy wrote:
> >I also made a new contribution, my --tee extension to ROUTE, which also
> >went completely uncommented.
> >
> >https://lists.netfilter.org/pipermail/netfilter-devel/2004-November/017515.html
> >
> I'll apply this if Cedric is fine with it.
In fact, I advised Patrick (Schaaf) to collect reactions related to his
tee extension from this list. This is because --tee duplicates a packet,
which could cause DoS security problems if not used carefully.
Thanks to conntrack, we can avoid flooding ourselves with duplicated
packets. My fear is that you could still have something like this:
              PC1                                          PC2

       orig packet
           |
           v                     dup pkt 1
[ROUTE --tee --gw PC2] -------------------------.
    |         |          ^                      |
    |         |          |                      v
    |         |          '-----dup pkt 2 ---------- [ROUTE --tee --gw PC1]
    |         |                                        |         |
    v         v                                        v         v
Flood of duplicated packets                   Flood of duplicated packets
So we cannot make sure that people don't shoot themselves. But anyway,
people using the ROUTE target are warned enough by pom...
Maybe I'm too paranoid?
However, I think the --tee extension can really be useful. For example
to inspect pkt on other machine(s) and detect problems at line rate.
Since the ROUTE target is still an experimental target, my position is
to promote innovative (though sometimes risky) extensions. If the
extension introduces too many problems, I reserve the right to remove
it.
Thus, let's apply the patch ;)
Regards,
Cedric
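A toy simulation of the ping-pong loop sketched in the diagram above, added here as an example and not part of the thread or of the ROUTE target code. Host, Packet, the queue and the `local_mark` flag (standing in for the conntrack-based protection mentioned above) are constructed models; `skip_from_gw` models a rule that simply does not tee packets received from the mirror host.

```python
"""Constructed model of the ROUTE --tee duplication loop between two hosts.
Host, Packet and the queue are toy models, not netfilter code."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    pkt_id: int               # identity of the original packet
    src: str                  # host this copy came from ("wire" for the original)
    local_mark: bool = False  # set on a copy produced by this host's own tee rule

class Host:
    def __init__(self, name, tee_gw, skip_from_gw=False):
        self.name = name
        self.tee_gw = tee_gw              # ROUTE --tee --gw <peer>; None = no tee rule
        self.skip_from_gw = skip_from_gw  # models a rule excluding the peer's source
        self.delivered = 0

    def chain(self, pkt, net):
        """The mangle chain holding the --tee rule."""
        if self.tee_gw is None or pkt.local_mark:   # no rule, or our own duplicate
            return
        if self.skip_from_gw and pkt.src == self.tee_gw:
            return                                  # came from the mirror: don't bounce it
        dup = Packet(pkt.pkt_id, src=self.name, local_mark=True)
        self.chain(dup, net)                        # the copy traverses the chain again ...
        net.append((self.tee_gw, dup))              # ... then leaves towards the gateway

    def receive(self, pkt, net):
        self.delivered += 1
        # A packet taken off the wire is a fresh skb: the local mark does not travel.
        self.chain(replace(pkt, local_mark=False), net)

def run(hosts, first_hop, max_events=200):
    """Inject one original packet; return deliveries per host, capped by max_events."""
    net = [(first_hop, Packet(1, src="wire"))]
    events = 0
    while net and events < max_events:
        dst, pkt = net.pop(0)
        hosts[dst].receive(pkt, net)
        events += 1
    return {h.name: h.delivered for h in hosts.values()}

def one_way_tee():
    """PC1 mirrors to PC2, PC2 has no tee rule: the local mark alone suffices."""
    return run({"PC1": Host("PC1", "PC2"), "PC2": Host("PC2", None)}, "PC1")

def mutual_tee(skip_from_gw):
    """Both hosts tee to each other, as in the diagram."""
    hosts = {"PC1": Host("PC1", "PC2", skip_from_gw), "PC2": Host("PC2", "PC1", skip_from_gw)}
    return run(hosts, "PC1")
```

With mutual tee and no source check the run only stops at the event cap (100 deliveries per host, i.e. the flood in the diagram); with the check, or with a single mirroring host, each host sees the packet exactly once.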