Hello All, David,
Andi Kleen wrote:
> The main use of this seem to be certain HA failover setups.
> Some people use a patch that allows to disable ARP per interface for it
> ("hidden") but for some reasons it was not integrated.
Yes, "hidden" has its own purpose which is limitted
usually to HA setups. Then Alexey proposed (from long time)
such ARP tricks to be controlled with hook(s)/rules. My ideas in
such direction resulted in "iparp" which is completed:
http://www.linuxvirtualserver.org/~julian/#iparp
Its purpose is "tuning" of ARP (the kernel's use
only), not for security. For example, it can't deal with remote
replies.
But at the same time I see David implements arptables.
May be now it is good time to ask:
David,
can you explain what kind of control will be
possible with arptables. For now, I see only filtering of
remote probes. As we know the clusters have different needs.
Can you draw a list of goals that will be achieved with
arptables and whether the 2 ARP requirements for clusters ("drop
probes to VIP" and the most needed "don't announce VIP in our
probes") will exist in arptables? The 3th requirement (used
from "hidden" to avoid problems with autoselecting VIP as src
IP can be easily solved in routing).
> It would be likely easier/more straightforward if there was a special
> ARP routing table that is only consulted by ARP filter (as an extension
> to the current multi table routing). Then you could just put reject routes
> there to filter ARP Unfortunately nobody has stepped forward to implement it
> yet, so it remained a dream so far.
>
> Another thing that was implemented is a netfilter chain for ARP, but
> afaik there are no filtering modules for it yet, so Joe User cannot
> use it. It likely just exists somewhere as a proprietary module in
> someone's firewall appliance and all they did was to contribute the
> hook. It probably would not be hard to rewrite a filter module for it,
> but again nobody did it yet.
Regards
-- Julian Anastasov <ja@ssi.bg>- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Jul 15 2002 - 22:00:28 EST