Re: [vserver] Best way for private networking between guests

From: Art -kwaak- van Breemen <ard_at_telegraafnet.nl>
Date: Mon 22 Apr 2013 - 16:46:55 BST
Message-ID: <20130422154655.GA27173@telegraafnet.nl>

Hi,

On Sun, Apr 21, 2013 at 10:02:59PM +0200, Herbert Poetzl wrote:
> On Fri, Apr 19, 2013 at 08:04:01PM +0200, Art -kwaak- van Breemen wrote:
> > But remember: that "network" will not be private.
> > It will be accessible by any interface on the server.
>
> again, depends on the configuration, for example
> rp_filter and routing tables can easily prevent
> certain interfaces from advertising certain IPs
> and of course, from responding to any packets.

It will wreak havoc. The right settings are not rp_filter but
arp_ignore. If you do not change arp_ignore to at least 1, you
will gladly answer for any arp on any interface destined for any
IP you think you might have ;-).
Host: "Who has this ip (which is the gateway ip)"
You: "That's me! me! (arp-ignore=0)"

To make matters worse: you can accidentally update a neighbour
table with a VIP address if your arp_announce is set too low :-).
That's why I have vlarp: to update neighbour tables (and to
prevent unicast flooding):
http://217.196.41.9/~ard/vlarp/vlarp-me-arder-1.0/

rp_filter only comes after that:
Host: "here is my data, well actually from a vip you don't know
about"
You: "I don't know about that. I drop it".

And: multiple routing tables are only about routing :-). You must
dose your teachings in small portions:
Teaching 1)
See and behold the beauty and the simplicity of the ip stack.
Teaching 2)
See and understand the beauty of multiple routing tables.
Teaching 3)
Understand teachings 1 and 2 when you put them in separate
network namespaces :-).

(Yes, I have multiple routing tables in multiple network
namespaces and am using network contexts too).

Regards,
Ard
Received on Mon Apr 22 16:47:03 2013
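An added audit script (not part of the mail or the vserver project) for the arp_ignore / arp_announce problem the message describes: it reads "sysctl -a"-style lines and reports interfaces whose effective ARP settings would still answer for any local IP or announce a VIP as source. The sample sysctl lines are constructed; the thresholds assumed are arp_ignore >= 1 (as the mail says) and arp_announce >= 2 (always use the best local source address).

```shell
#!/bin/sh
# Audit per-interface ARP sysctls. Input: "key = value" lines as printed by
# "sysctl -a", from the file named in $1 or from stdin. Output: one line per
# interface whose effective setting is below the assumed minimum:
#   arp_ignore   >= 1  reply to ARP only for addresses on the receiving interface
#   arp_announce >= 2  always use the best local source address in ARP requests
# The kernel uses max(conf.all.X, conf.<iface>.X) for both knobs, so the audit
# computes that effective value. "all", "default" and "lo" (no ARP on loopback)
# are skipped.
audit_arp_sysctls() {
    awk -F '=' '
        /^net\.ipv4\.conf\.[^.]+\.arp_(ignore|announce) *=/ {
            key = $1; gsub(/ /, "", key)
            split(key, p, ".")               # net ipv4 conf <iface> <knob>
            val[p[4], p[5]] = $2 + 0
            if (p[4] != "all" && p[4] != "default" && p[4] != "lo")
                seen[p[4]] = 1
        }
        function eff(iface, knob,   a, i) {
            a = val["all", knob] + 0; i = val[iface, knob] + 0
            return (a > i) ? a : i
        }
        END {
            for (iface in seen) {
                ig = eff(iface, "arp_ignore"); an = eff(iface, "arp_announce")
                msg = ""
                if (ig < 1) msg = msg " arp_ignore=" ig
                if (an < 2) msg = msg " arp_announce=" an
                if (msg != "") printf "%s: weak%s\n", iface, msg
            }
        }
    ' "$@" | sort
}

# Constructed sample (not captured from a real host): conf.all raises
# arp_announce to 2 everywhere, so only eth0 is still flagged, for arp_ignore.
demo_input() {
    cat <<'EOF'
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.eth0.arp_ignore = 0
net.ipv4.conf.eth0.arp_announce = 0
net.ipv4.conf.eth1.arp_ignore = 1
net.ipv4.conf.eth1.arp_announce = 0
net.ipv4.conf.lo.arp_ignore = 0
net.ipv4.conf.lo.arp_announce = 0
EOF
}
```

On a live host run `sysctl -a | audit_arp_sysctls` instead of the constructed sample.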

Generated on Mon 22 Apr 2013 - 16:47:03 BST by hypermail 2.1.8