[PATCH] info file for ROUTE target
Patrick McHardy
kaber at trash.net
Tue Dec 14 03:47:00 CET 2004
Patrick Schaaf wrote:
>>My fear is that you could still have something like this :
>>
>>        PC1                                          PC2
>>
>>    orig packet
>>        |
>>        v                       dup pkt 1
>>  [ROUTE --tee --gw PC2] -------------------------.
>>     |    |    ^                                  |
>>     |    |    |                                  v
>>     |    |    '-----dup pkt 2 ---------- [ROUTE --tee --gw PC1]
>>     |    |                                    |    |
>>     v    v                                    v    v
>>   Flood of duplicated packets        Flood of duplicated packets
>>
>
>This is easily possible. There are lots of other failure scenarios.
>
>For example, when the chosen --gw resolves through our default route,
>chances are good all duplicate packets will come back to us almost
>immediately. We saw this in our testing, already. TTL should always
>be properly decremented, so this is a bit self-limiting, but
>nevertheless it's certainly a dangerous thing.
>
Seems ok to me; you can also add a route via loopback, and it will loop until
the TTL expires. Fact is, you can shoot yourself in the foot with some
setups. I've added your patch, except the file iptables/extensions/xxx :)
Regards
Patrick
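As an added illustration of the loop in Patrick Schaaf's diagram, and of why proper TTL decrement makes it self-limiting, here is a small Python model. It is not code from this thread or from the ROUTE target itself; the hostnames PC1/PC2 and the rule map are constructed, and it assumes that the copy made by --tee is forwarded (so its TTL is decremented at every hop and the copy is dropped when it reaches 0) while the original packet continues through the local stack unchanged.

```python
# Added example: a toy model of hosts that each carry an
#   iptables ... -j ROUTE --tee --gw <peer>
# rule, used to count how many duplicates one packet produces.
# Not code from the ROUTE target or the netfilter tree. Assumptions:
# a tee emits exactly one forwarded copy per packet, the original keeps
# going on its normal path, forwarding decrements TTL, TTL 0 is dropped.
from collections import deque


def find_tee_cycle(tee_gw, start):
    """Static check: follow --tee gateways from `start` and return the list of
    hosts forming a cycle if the copies ever come back, else None.
    tee_gw maps host -> gateway its tee rule duplicates to (hypothetical map)."""
    seen = []
    host = start
    while host in tee_gw and host not in seen:
        seen.append(host)
        host = tee_gw[host]
    if host in seen:
        return seen[seen.index(host):]
    return None


def simulate_tee_loop(ttl, tee_gw, max_events=10_000, decrement_ttl=True):
    """Inject one packet with the given TTL into the first host of tee_gw.

    Returns (delivered_per_host, teed_copies, looped_forever), where
    looped_forever is True if the model hit max_events without the TTL
    ever expiring (the "TTL not decremented" failure mode).
    """
    delivered = {host: 0 for host in tee_gw}
    teed = 0
    first = next(iter(tee_gw))
    queue = deque([(first, ttl)])
    events = 0
    while queue:
        events += 1
        if events > max_events:
            return delivered, teed, True
        host, t = queue.popleft()
        delivered[host] += 1                 # original continues locally
        copy_ttl = t - 1 if decrement_ttl else t
        if copy_ttl <= 0:
            continue                         # copy expires; real stack sends ICMP time exceeded
        teed += 1
        queue.append((tee_gw[host], copy_ttl))  # --tee forwards one copy to the gateway
    return delivered, teed, False


if __name__ == "__main__":
    rules = {"PC1": "PC2", "PC2": "PC1"}     # constructed: the two hosts in the diagram
    print("cycle:", find_tee_cycle(rules, "PC1"))
    print("both tee, TTL decremented:", simulate_tee_loop(64, rules))
    print("both tee, TTL never decremented:", simulate_tee_loop(64, rules, decrement_ttl=False))
    print("route via loopback:", simulate_tee_loop(64, {"PC1": "PC1"}))
```

With TTL decrement a 64-hop packet yields 63 teed copies split between the two hosts and then dies; a gateway that points back at the host itself (the loopback case) gives the same bounded count on one host; with no decrement the model never terminates, which is the flood the thread warns about.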