On 08/16/2018 11:47 AM, Viktor Nonov wrote:
> Replacing the route enabled successfully sending and delivering the SYN
> packet to one of the real servers, but the SYN-ACK packet that was received
> was considered by the kernel a martian packet since the source IP was $VIP
> (assigned to the director's local interface) and destination IP - the $DIP.
> This was solved by setting accept_local to 1:
> sysctl -w net.ipv4.conf.all.accept_local=1
>
> ....
> Not sure if setting accept_local to 1 will lead to other problems, but
> everything works okay for now.
I've been arguing with myself over the risk of setting accept_local to
1. Our operations staff would really like to be able to test connections
while ssh'd into the director, but the idea that Bad Guys could forge my
own IPs makes me uncomfortable. Does anyone have field experience with
this that they can share?
<csg>
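One narrower setting than the global accept_local, added here as an example and not part of the thread: leave net.ipv4.conf.all.accept_local at 0, enable accept_local only on the interface the real servers' SYN-ACKs arrive on, and keep log_martians on so a packet carrying one of the director's own addresses that shows up on any other interface is still logged. The interface name eth0 and the redirectable sysctl tree root are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Scopes accept_local to one interface
# instead of "all" and audits the effective per-interface state.
# Assumptions: the real-server-facing interface is eth0; ROOT defaults to
# /proc/sys and can point at a constructed tree for offline checks.

# accept_local and log_martians take effect per interface as the OR of
# net.ipv4.conf.all.<key> and net.ipv4.conf.<iface>.<key>.
effective_or() {  # usage: effective_or ROOT IFACE KEY  -> prints 0 or 1
    v_all=$(cat "$1/net/ipv4/conf/all/$3" 2>/dev/null || echo 0)
    v_dev=$(cat "$1/net/ipv4/conf/$2/$3" 2>/dev/null || echo 0)
    if [ "${v_all:-0}" -ne 0 ] || [ "${v_dev:-0}" -ne 0 ]; then echo 1; else echo 0; fi
}

# Print the effective state of every real interface, one per line.
audit_accept_local() {  # usage: audit_accept_local [ROOT]
    root=${1:-/proc/sys}
    for d in "$root"/net/ipv4/conf/*; do
        i=$(basename "$d")
        case $i in all|default) continue ;; esac
        echo "$i accept_local=$(effective_or "$root" "$i" accept_local)" \
             "log_martians=$(effective_or "$root" "$i" log_martians)"
    done
}
# Return 0 only when IFACE is the sole interface accepting locally-sourced
# packets and every other interface would log such packets as martians.
accept_local_is_scoped() {  # usage: accept_local_is_scoped ROOT IFACE
    for d in "$1"/net/ipv4/conf/*; do
        i=$(basename "$d")
        case $i in all|default) continue ;; esac
        if [ "$i" = "$2" ]; then
            [ "$(effective_or "$1" "$i" accept_local)" -eq 1 ] || return 1
        else
            [ "$(effective_or "$1" "$i" accept_local)" -eq 0 ] || return 1
            [ "$(effective_or "$1" "$i" log_martians)" -eq 1 ] || return 1
        fi
    done
    return 0
}
# Apply the scoped setting on a live director (needs root).
scope_accept_local() {  # usage: scope_accept_local IFACE
    sysctl -w net.ipv4.conf.all.accept_local=0 &&
    sysctl -w "net.ipv4.conf.$1.accept_local=1" &&
    sysctl -w net.ipv4.conf.all.log_martians=1
}
# Only change the host when explicitly asked; otherwise just report.
if [ "${APPLY_ACCEPT_LOCAL:-0}" = 1 ]; then scope_accept_local eth0; fi
audit_accept_local
```

Run with APPLY_ACCEPT_LOCAL=1 as root to apply; without it the script only reports the current effective state per interface.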
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users