Re: kernel announcing ip address on wrong interface
Henrique de Moraes Holschuh <hmh@debian.org> wrote:
> On Fri, 03 Oct 2014, Sven Hartge wrote:
>> In my experience this "problem" mostly happens to people trying to
>> cheaply load-balance connections by using two or more ethernet
>> interfaces with different IPs on the same network.
> If only it were just that. The Linux ARP defaults used to (and
> probably still do) break the perfectly sane scenario of two interfaces
> connecting two different subnets that are members of the same
> broadcast domain (same vlan/network).
One could argue that having more than one IP-subnet on the same LAN is
suboptimal. At least security wise. But such configurations exist, I
know.
> Let's not even try the scenario with two interfaces in the same subnet
> and broadcast domain...
That would be the "cheaply load-balance" case I mentioned.
Both cases always lead to a routing nightmare, needing extended
routing rules and routing tables, possibly throwing in iptables with
fwmark to select the correct packets, etc.
Every time I stumbled upon such a setup I made haste to remove it, either
by restructuring the network or, in a simpler case, bonding the
interfaces together and putting the IPs on the bond-interface.
So the default Linux behavior doesn't bother me that much because I
learned to avoid that pitfall from the start.
> You often need to take an extra step for the breakage to be apparent,
> such as firewalling, or a switch enforcing a secure L2 domain, etc.
Yes, having fun with port security is great because a rogue MAC
"escapes" from the wrong interface, etc.
This is where I agree with you: having a sane default in the Linux kernel
which prevents such things would be nice.
Regards,
Sven.
--
Sigmentation fault. Core dumped.
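As an added illustration, not part of the thread: a small model of the Linux `arp_ignore` reply decision run over a constructed two-NIC, two-subnet, one-broadcast-domain topology, showing which requests the kernel default (0) answers on the interface that does not carry the address, and the `sysctl.d` lines that pin replies and source selection to the right NIC. The interface names and addresses are assumptions; the `arp_ignore`/`arp_announce` semantics follow the kernel's ip-sysctl documentation.

```python
from ipaddress import ip_address, ip_interface

# Constructed lab topology (not from the thread): two NICs on two subnets that
# share one broadcast domain, the "perfectly sane scenario" from the message.
INTERFACES = {"eth0": ["192.0.2.10/24"], "eth1": ["198.51.100.10/24"]}


def arp_reply(interfaces, in_iface, target_ip, sender_ip, arp_ignore=0):
    """Model of the net.ipv4.conf.<if>.arp_ignore reply decision.
    0 (kernel default): answer for any local address, whichever NIC asked
    1: answer only if target_ip is configured on the receiving NIC
    2: as 1, and sender_ip must also lie in a subnet of the receiving NIC"""
    target, sender = ip_address(target_ip), ip_address(sender_ip)
    local = [(n, ip_interface(a)) for n, addrs in interfaces.items() for a in addrs]
    if target not in {i.ip for _, i in local}:
        return False  # not our address at all: never answer
    if arp_ignore == 0:
        return True  # in_iface's MAC now "owns" an address it does not carry
    on_in = [i for n, i in local if n == in_iface and i.ip == target]
    if not on_in:
        return False
    if arp_ignore == 1:
        return True
    if arp_ignore == 2:
        return any(sender in i.network for i in on_in)
    raise ValueError("only arp_ignore 0, 1 and 2 are modelled")


def wrong_interface_replies(interfaces, arp_ignore=0):
    """(receiving NIC, target) pairs answered although the target address is
    not configured on that NIC: the MAC that "escapes" into port security."""
    leaks = []
    for in_iface in interfaces:
        for n, addrs in interfaces.items():
            for a in addrs if n != in_iface else []:
                ip = ip_interface(a)
                asker = str(ip.network.broadcast_address - 1)  # a peer on that subnet
                if arp_reply(interfaces, in_iface, str(ip.ip), asker, arp_ignore):
                    leaks.append((in_iface, str(ip.ip)))
    return leaks


def sysctl_lines(interfaces):
    """sysctl.d drop-in pinning replies (arp_ignore) and the source address of
    outgoing requests (arp_announce) to the NIC that actually carries them."""
    lines = []
    for n in ["all", *interfaces]:
        lines += [f"net.ipv4.conf.{n}.arp_ignore = 1",
                  f"net.ipv4.conf.{n}.arp_announce = 2"]
    return lines
```

With the default, `wrong_interface_replies(INTERFACES)` lists both cross-interface answers; with `arp_ignore=1` the list is empty, which is the behaviour the message wishes were the default.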