Relax source validation: VS/DR and VS/TUN as def gw

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Relax source validation: VS/DR and VS/TUN as def gw
Cc: Stephen Zander <gibreel@xxxxxxxxx>, Lars Marowsky-Bree <lmb@xxxxxxx>, Horms <horms@xxxxxxxxxxxx>
From: Julian Anastasov <uli@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 15 Mar 2000 16:10:19 +0200 (EET)
        Hello,

        Testers are needed.

        This is a patch (2.2.15pre9) that allows real servers
to use the director as default gateway in VS/DR and VS/TUN mode.
It must be applied in the Director. We try to control via
/proc/sys/net/ipv4/conf/<internal_nic>/rp_filter whether
the packets with saddr=local_ip and daddr=non_local_ip will be
forwarded or dropped as martians. Currently, they are
unconditionally dropped from the kernel which is not very good.
Packets with saddr=local_ip1 and daddr=local_ip2 are dropped (this
is not changed).

        I didn't test this patch: 2 NICs are required: one
for the external net and one for the internal net (with the real
servers). It is not working with one NIC.

        This is my first attempt to break the routing, so don't
try this patch in production nor if your firewall is not set up
correctly. This is _ALPHA_ quality patch and it can be wrong!

        After applying this patch it is recommended that
*/rp_filter must be 1. rp_filter must be 0 only for the internal
device, i.e. where the real servers reside. By this way we
allow real servers to send packets with saddr=VIP and daddr=client
through the Director. Of course, you can use default values
(*/rp_filter=0) for the test.

        If this patch is applied and external_eth/rp_filter is
0 (which is the default) the real servers can receive packets
with saddr=any_director_ip and dst=any_RIP_or_VIP which is not
very good. So, rp_filter=1 on the external net must be used for
better security.

        Don't forget to set all/rp_filter=1

        So, I expect your test results:

- is it working
- is it working for long time (minutes/hours/days?)
- are there any explosions^H^H^H^H^H^H^H^H^H^Hnetwork problems

Note:

- the kernel defaults to */rp_filter=0 which is not good for the
security but the drawback is that the internal hosts can be fooled
that they talk with the default gateway (the patched router). This can
be solved by changing the rp_filter values. But the good firewall can
solve all these problems.


Regards

--
Julian Anastasov <uli@xxxxxxxxxxxxxxxxxxxxxx>

Attachment: fib-2215pre9-1.diff
Description: Relax source validation, patch against 2.2.15pre9
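As an added illustration of the rp_filter layout the post recommends (this is not part of Julian's mail or of the attached patch), the following POSIX shell script audits a director's /proc/sys/net/ipv4/conf tree against it: all/rp_filter=1, external interface rp_filter=1, internal interface (where the real servers sit) rp_filter=0. The interface names eth0/eth1 and the CONF_ROOT override are assumptions; the fix commands are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the post or the attached patch.
# Checks the rp_filter layout recommended for a 2.2 director running
# VS/DR or VS/TUN with the real servers using it as default gateway:
#   conf/all/rp_filter        = 1
#   conf/<external>/rp_filter = 1
#   conf/<internal>/rp_filter = 0  (real servers answer with saddr=VIP here)
# CONF_ROOT defaults to the live sysctl tree; a test may point it at a
# constructed copy of that directory layout.

CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# read_rp_filter DEV: prints the current value, or "missing" if the
# interface directory (or the rp_filter file) does not exist.
read_rp_filter() {
    f="$CONF_ROOT/$1/rp_filter"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# check_rp_filter EXT_DEV INT_DEV
# Returns 0 when all three values match the recommendation, 1 otherwise,
# printing one "dev expected=X actual=Y" line per mismatch.
check_rp_filter() {
    ext="$1"; int="$2"; rc=0
    for spec in "all:1" "$ext:1" "$int:0"; do
        dev="${spec%%:*}"; want="${spec##*:}"
        have="$(read_rp_filter "$dev")"
        if [ "$have" != "$want" ]; then
            echo "$dev expected=$want actual=$have"
            rc=1
        fi
    done
    return $rc
}

# print_rp_filter_fix EXT_DEV INT_DEV
# Prints the commands that would bring the tree into line with the
# recommendation (printed, not run, so the operator can review them).
print_rp_filter_fix() {
    ext="$1"; int="$2"
    for spec in "all:1" "$ext:1" "$int:0"; do
        dev="${spec%%:*}"; want="${spec##*:}"
        echo "echo $want > $CONF_ROOT/$dev/rp_filter"
    done
}

# Usage on a director (interface names are assumptions):
#   check_rp_filter eth0 eth1 || print_rp_filter_fix eth0 eth1
```

One caveat worth keeping in mind when reusing this layout: the post relies on the 2.2-era behaviour where all/rp_filter=1 still lets a per-interface value of 0 switch validation off for that interface. Later kernels document that the maximum of conf/all and conf/<interface> is used, so on those kernels all=1 with internal=0 would keep the internal interface validated and the real servers' saddr=VIP replies would again be dropped as martians; there the per-interface values have to carry the policy with all/rp_filter left at 0.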
