[PATCH] info file for ROUTE target

Cedric de Launois delaunois at info.ucl.ac.be
Fri Dec 10 10:03:25 CET 2004


On Fri 10/12/2004 at 01:18, Patrick McHardy wrote:
> >I also made a new contribution, my --tee extension to ROUTE, which also
> >went completely uncommented.
> >
> >https://lists.netfilter.org/pipermail/netfilter-devel/2004-November/017515.html
> >
> I'll apply this if Cedric is fine with it.

In fact, I advised Patrick (Schaaf) to collect reactions related to his
tee extension from this list. This is because --tee duplicates a packet,
which could cause DoS security problems if not used carefully.
Thanks to conntrack, we can avoid flooding ourselves with duplicated
packets. My fear is that you could still have something like this:

          PC1                                    PC2

      orig packet     
           |
           v                  dup pkt 1
   [ROUTE --tee --gw PC2] -------------------------.
         | |   ^                                   |
         | |   |                                   v
         | |   '-----dup pkt 2 ---------- [ROUTE --tee --gw PC1]
         | |                                      | |
         v v                                      v v
 Flood of duplicated packets            Flood of duplicated packets

So we cannot make sure that people don't shoot themselves. But anyway,
people using the ROUTE target are warned enough by pom...
Maybe I'm too paranoid?

However, I think the --tee extension can really be useful. For example
to inspect pkt on other machine(s) and detect problems at line rate.

Since the ROUTE target is still an experimental target, my position is
to promote innovative (though sometimes risky) extensions. If the
extension introduces too many problems, I reserve the right to remove
it.

Thus, let's apply the patch ;)

Regards,

Cedric
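The mirror loop in Cedric's diagram, as an added model that is not part of the original thread or of the ROUTE patch: two hosts each --tee every packet to the other, so one packet bounces between them and each bounce delivers another copy locally. The "guard" is an assumption standing in for an ordinary iptables match that keeps the mirror rule from firing on traffic that already arrived from the peer mirror (for example a source-address or ingress-interface match), which is plain netfilter matching rather than a feature of --tee.

```python
"""Model of the ROUTE --tee mirror loop (constructed example, not from the mail).

Two hosts each mirror every packet they see to the other one. Because the
mirrored copy is itself a packet the peer sees, a single packet bounces
between the hosts forever. A rule that only mirrors packets which did not
arrive from the peer breaks the loop.
"""
from collections import deque


def run_mirror(rounds_cap, guard):
    """Simulate PC1 and PC2, each with a --tee rule pointing at the other.

    guard=False : mirror everything (the configuration in the diagram)
    guard=True  : only mirror packets whose previous hop is not the peer
                  (assumed extra match on the mirror rule)
    Returns (copies_delivered_locally, loop_terminated).
    """
    peer = {"PC1": "PC2", "PC2": "PC1"}
    # packet = (host processing it, host it arrived from, or None for the original)
    queue = deque([("PC1", None)])
    delivered = 0
    steps = 0
    while queue:
        if steps >= rounds_cap:
            return delivered, False        # still looping when the cap is hit
        steps += 1
        host, prev_hop = queue.popleft()
        delivered += 1                     # the original or copy continues locally
        if guard and prev_hop == peer[host]:
            continue                       # came from the peer's mirror: do not tee again
        queue.append((peer[host], host))   # --tee --gw <peer>: duplicate to the peer
    return delivered, True


if __name__ == "__main__":
    print("unguarded:", run_mirror(1000, guard=False))  # (1000, False): never stops
    print("guarded:  ", run_mirror(1000, guard=True))   # (2, True): one copy per host
```

Without the guard the local copy count grows with every round trip until the cap stops the model; with it, each host sees exactly one copy and the loop ends.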