[PATCH] info file for ROUTE target

Patrick McHardy kaber at trash.net
Tue Dec 14 03:47:00 CET 2004


Patrick Schaaf wrote:

>>My fear is that you could still have something like this :
>>
>>          PC1                                    PC2
>>
>>      orig packet     
>>           |
>>           v                  dup pkt 1
>>   [ROUTE --tee --gw PC2] -------------------------.
>>         | |   ^                                   |
>>         | |   |                                   v
>>         | |   '-----dup pkt 2 ---------- [ROUTE --tee --gw PC1]
>>         | |                                      | |
>>         v v                                      v v
>> Flood of duplicated packets            Flood of duplicated packets
>>
>
>This is easily possible. There are lots of other failure scenarios.
>
>For example, when the chosen --gw resolves through our default route,
>chances are good all duplicate packets will come back to us almost
>immediately. We saw this in our testing, already. TTL should always
>be properly decremented, so this is a bit self-limiting, but
>nevertheless it's certainly a dangerous thing.
>
Seems ok to me, you can also add a route via loopback, it will loop until
the ttl expires. Fact is you can shoot yourself in the foot with some
setups. I've added your patch except the file iptables/extensions/xxx :)

Regards
Patrick
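To make the "self-limiting" point above concrete, here is an added toy simulation (not code from the thread, the ROUTE target, or netfilter) of the two tee loops discussed: two hosts whose ROUTE --tee rules point at each other, and a single host whose --gw resolves via loopback. It assumes that every teed copy carries a TTL one lower than the packet it was copied from and that a copy whose TTL reaches zero is discarded; the host names, the `tee_gw` mapping and the hop cap are made up for the illustration. With that per-hop decrement a single original packet yields at most `initial_ttl` copies; with the decrement switched off the loop never terminates.

```python
from collections import deque


def simulate_tee_loop(initial_ttl, tee_gw, origin, decrement_ttl=True, max_hops=10000):
    """Simulate one packet entering at `origin` on hosts with ROUTE --tee rules.

    tee_gw maps a host name to the --gw its tee rule copies packets to
    (None or absent: no tee rule on that host).  Assumed model, not the
    real target's code: each copy is sent with TTL one lower than the
    packet it was copied from (decrement_ttl=True) and a copy with TTL 0
    is discarded.  Returns (terminated, copies_sent, copies_expired).
    `terminated` is False if the loop hit max_hops, i.e. it is unbounded.
    """
    queue = deque([(origin, initial_ttl)])
    copies_sent = 0
    copies_expired = 0
    hops = 0
    while queue:
        host, ttl = queue.popleft()
        hops += 1
        if hops > max_hops:
            # No TTL exhaustion in sight: the duplicate flood is unbounded.
            return False, copies_sent, copies_expired
        if ttl <= 0:
            # Copy arrived with TTL exhausted and is dropped.
            copies_expired += 1
            continue
        gw = tee_gw.get(host)
        if gw is None:
            # Host has no tee rule: original/copy just follows its normal path.
            continue
        # ROUTE --tee: the packet continues normally *and* a copy goes to gw.
        copies_sent += 1
        queue.append((gw, ttl - 1 if decrement_ttl else ttl))
    return True, copies_sent, copies_expired


if __name__ == "__main__":
    # Constructed topologies from the thread: PC1 <-> PC2 mutual tee,
    # and a single host whose --gw resolves via loopback.
    mutual = {"PC1": "PC2", "PC2": "PC1"}
    loopback = {"PC1": "PC1"}
    print("PC1<->PC2, TTL 64:", simulate_tee_loop(64, mutual, "PC1"))
    print("loopback,  TTL 64:", simulate_tee_loop(64, loopback, "PC1"))
    print("no decrement:     ", simulate_tee_loop(64, mutual, "PC1", decrement_ttl=False))
```

The bound is per original packet: at a realistic packet rate, `initial_ttl` copies of every packet is still a flood, which is why the thread treats the scenario as dangerous even though TTL keeps it from running forever.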

More information about the netfilter-devel mailing list