Henrique de Moraes Holschuh <[email protected]> wrote:
> On Fri, 03 Oct 2014, Sven Hartge wrote:
>> In my experience this "problem" mostly happens to people trying to
>> cheaply load-balance connections by using two or more ethernet
>> interfaces with different IPs on the same network.
> If only it were just that. The Linux ARP defaults used to (and
> probably still do) break the perfectly sane scenario of two interfaces
> connecting two different subnets that are members of the same
> broadcast domain (same vlan/network).

One could argue that having more than one IP subnet on the same LAN is suboptimal, at least security-wise. But such configurations exist, I know.

> Let's not even try the scenario with two interfaces in the same subnet
> and broadcast domain...

That would be the "cheaply load-balance" case I mentioned. Both cases always lead to a routing nightmare, needing extended routing rules and routing tables, possibly throwing in iptables with fwmark to select the correct packets, etc.

Every time I stumbled upon such a setup I made haste to remove it, either by restructuring the network or, in a simpler case, bonding the interfaces together and putting the IPs on the bond interface.

So the default Linux behavior doesn't bother me that much because I learned to avoid that pitfall from the start.

> You often need to take an extra step for the breakage to be apparent,
> such as firewalling, or a switch enforcing a secure L2 domain, etc.

Yes, having fun with port security is great because a rogue MAC "escapes" from the wrong interface, etc.

This is where I agree with you: having a sane default in the Linux kernel which prevents such things would be nice.

Grüße,
Sven.

-- 
Sigmentation fault. Core dumped.

Archive: https://lists.debian.org/[email protected]
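The thread above describes the Linux default that answers ARP for any local IP on any interface (and picks any local address as ARP source), which is what makes a MAC "escape" from the wrong interface and trip switch port security. As an added example, not part of the thread or of anyone's posted configuration, here is the pair of kernel sysctls that turn that default off (net.ipv4.conf.all.arp_ignore and net.ipv4.conf.all.arp_announce are real Linux settings), alongside a small POSIX sh checker that reads `sysctl`-style "key = value" lines and reports which ones are still at the weak default. The sample sysctl outputs are constructed, and the drop-in file name /etc/sysctl.d/90-arp-flux.conf is an assumed name.

```shell
#!/bin/sh
# Added example (not from the thread). Linux ARP sysctls relevant to the
# "ARP flux" behaviour discussed above, plus a checker for their values.
#
#   net.ipv4.conf.all.arp_ignore   = 1  answer ARP only for IPs configured
#                                        on the interface the request came in on
#                                        (default 0: answer for any local IP)
#   net.ipv4.conf.all.arp_announce = 2  always use the best local address for
#                                        the target as ARP source
#                                        (default 0: any local address)

# Hardened values (what a drop-in under /etc/sysctl.d should contain):
HARDENED_SYSCTL='net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2'

# Constructed sample of the kernel defaults as `sysctl` would print them:
WEAK_SYSCTL='net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_announce = 0'

# check_arp_sysctl: read "key = value" lines on stdin; print one line per
# ARP setting still at a weak value. Returns 0 if everything is hardened,
# 1 otherwise. Keys it does not know about are ignored.
check_arp_sysctl() {
    rc=0
    while IFS= read -r line; do
        key=${line%%=*}; key=$(printf '%s' "$key" | tr -d ' ')
        val=${line#*=};  val=$(printf '%s' "$val" | tr -d ' ')
        case "$key" in
            net.ipv4.conf.all.arp_ignore)
                [ "$val" -ge 1 ] || { echo "weak: $key=$val (want >=1)"; rc=1; } ;;
            net.ipv4.conf.all.arp_announce)
                [ "$val" -eq 2 ] || { echo "weak: $key=$val (want 2)"; rc=1; } ;;
        esac
    done
    return $rc
}

# apply_hardened_arp: persist the hardened values and load them now.
# Needs root; the drop-in file name is an assumption for this example.
apply_hardened_arp() {
    conf=/etc/sysctl.d/90-arp-flux.conf
    printf '%s\n' "$HARDENED_SYSCTL" > "$conf"
    sysctl -p "$conf"
}

# demo: run the checker over both constructed samples.
demo() {
    echo "== kernel defaults =="
    printf '%s\n' "$WEAK_SYSCTL" | check_arp_sysctl \
        || echo "host would answer ARP on the wrong interface"
    echo "== hardened =="
    printf '%s\n' "$HARDENED_SYSCTL" | check_arp_sysctl \
        && echo "ARP settings hardened"
}
```

To audit a live host rather than the samples, feed the checker real output: `sysctl net.ipv4.conf.all.arp_ignore net.ipv4.conf.all.arp_announce | check_arp_sysctl`. The per-interface keys (net.ipv4.conf.<iface>.*) can override the `all` values, so on a host with several interfaces check those too; and, as the thread notes, bonding the interfaces so that only one has addresses removes the problem entirely rather than masking it.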

