FR: set source ip #55
Comments
An sFlow collector should never pay much attention to the IP source address of the sFlow datagrams. The collector should only look at the sFlow agent address, which is a field in the sFlow payload that is intended to be the unique identifier for the agent. This allows for the sFlow to take any available route, or be forwarded on without spoofing or tunneling. If your question is really about avoiding untrusted paths, then I think it would work just as well to use a VRF (which you can specify in the collector{} spec in hsflowd.conf), or add an extra route to the routing table, or even add an iptables rule. An option to call bind() on the socket in the hsflowd code is certainly possible, but it seems to me like it might cause as many problems as it solves. What do you think?
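A collector-side sketch of the point made in the comment above, added here as an example (it is not code from hsflowd or from this thread): it reads the agent address out of the sFlow version 5 datagram header and compares agents by that field instead of the UDP source address. The names `parse_agent_id`, `same_agent` and `sample_dgram` are hypothetical and the sample datagram is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* sFlow v5 datagram header (big-endian):
   version(4) | agent addr type(4) | agent addr(4 or 16) | sub-agent id(4) | ... */
enum { SFL_ADDR_V4 = 1, SFL_ADDR_V6 = 2 };

struct agent_id {
    uint32_t type;       /* 1 = IPv4, 2 = IPv6 */
    uint8_t  addr[16];   /* unused tail bytes stay zero for IPv4 */
    uint32_t sub_agent;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the datagram is truncated, is not version 5,
   or carries an unknown address type. Every read is bounds-checked. */
int parse_agent_id(const uint8_t *buf, size_t len, struct agent_id *out) {
    if (len < 8 || be32(buf) != 5) return -1;
    uint32_t type = be32(buf + 4);
    size_t alen = (type == SFL_ADDR_V4) ? 4 : (type == SFL_ADDR_V6) ? 16 : 0;
    if (alen == 0 || len < 8 + alen + 4) return -1;
    memset(out, 0, sizeof *out);
    out->type = type;
    memcpy(out->addr, buf + 8, alen);
    out->sub_agent = be32(buf + 8 + alen);
    return 0;
}

/* Two datagrams belong to the same agent when the payload's agent address
   matches, whatever UDP source address each one arrived from. */
int same_agent(const struct agent_id *a, const struct agent_id *b) {
    return a->type == b->type &&
           memcmp(a->addr, b->addr, sizeof a->addr) == 0;
}

/* Constructed sample: version 5, IPv4 agent 192.0.2.10, sub-agent 7,
   then sequence number, uptime and a sample count of 0. */
static const uint8_t sample_dgram[] = {
    0,0,0,5,  0,0,0,1,  192,0,2,10,  0,0,0,7,
    0,0,0,1,  0,0,0,100,  0,0,0,0
};
```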
The collector can be protected by a firewall. UDP packets may have a spoofed source IP address, but nevertheless a firewall can be used sometimes. One fixed IP is more usable in this case.
If there is an opportunity then there is a choice. What problems do you expect when using bind()?
Well, I'd forgotten we did this, but if you specify something like this: collector { ip=10.1.2.3 dev=eth0 } then I believe it will effectively bind to eth0. It's just that it happens not with bind() but with this call: So please try adding the dev=IF setting and let me know if that works the way you want it to. (You can also specify a namespace in the collector{} section if you need to).
I tried "collector { ip=x.x.x.x dev=lo2 }". The IP of lo2 is used, but packets are also sent to lo2. The point of this FR is not to be tied to the interfaces through which traffic can be sent from the host.
Sometimes a device has multiple interfaces and dynamic routing is used. The statistics can be sent via different interfaces in this case. It would be nice to be able to specify the source IP (or source interface) for statistics packets.