[Olsr-dev] Asymmetric ipip not working

Markus Kittenberger (spam-protected)
Mon Apr 26 10:07:42 CEST 2010


On Mon, Apr 26, 2010 at 9:58 AM, Sven-Ola Tuecke <(spam-protected)> wrote:

> Hi,
>
> hhm. dunno yet. I don't think that adding iptables-functions to olsrd is a
> good thing. A routing daemon should not fiddle too much with the system
> besides routing tables IMO.
>
yes it should not,.. *G

but it would allow many nice things,..

e.g. loop detection via special iptables counting rules
policyrouting on 2.4 system with ipv6 *G

Markus


> Besides that: the rp_filter stuff is getting nasty. As I wrote, the
> itunl0.rp_filter=0 is required on 2.6.31. There's already a query in
> linux/net.c, some "if is_at_least_linuxkernel_2_6_31". On 2.6.30 there is a
> tunl0.rp_filter file, but 2.6.18 (my XEN based gateway server) does not
> offer rp_filter for the ipip tunnel device. Same on 2.4.30...
>
> Hmmm.
>
> // Sven-Ola
>
> On Monday 26 April 2010 09:25:50 Henning Rogge wrote:
> > On Mon April 26 2010 08:57:27 Sven-Ola Tuecke wrote:
> > > And one more: I need to re-check the security implications. Suppose you
> > > do a telnet 127.0.0.1 which is encapsulated in ipip or something similar.
> > > Your firewall may be surprised (even if that simple telnet does not
> > > work)...
> >
> > Maybe there should be an additional firewall rule for traffic coming out of
> > the generic tunnel-endpoint to block this?
> >
> > Henning Rogge