Age | Commit message | Author |
|
Move the Tor exit nodes to their own VLAN, and
their own address space.
Background for move
-------------------
For the first Tor exit node, we were able to
create inet6num object 2a01:4262:1ab:20::71/128.
So we could assign a specific Tor abuse contact.
When we added the second node it was no longer
possible to create /128 inet6num objects, but
only up to /64. We therefore need to move our
Tor exit nodes to a dedicated address space.
Connection tracking
-------------------
Connection tracking is quite expensive, so
it's better to only do it for Tor traffic,
when we actually need it, which is only when
internal clients need to access the servers.
In the future conntrack could also be disabled
for labicolo in general.
Current stats
~~~~~~~~~~~~~
[root@space ~]# grep -v '185\.38\.175\.7[12] ' /proc/net/nf_conntrack |
grep -v '2a01:4262:01ab:0020:0000:0000:0000:007[12]' | wc -l
4071
[root@space ~]# wc -l /proc/net/nf_conntrack
39138 /proc/net/nf_conntrack
Currently 4071 out of 39138 connections are not Tor related.
Also reading /proc/net/nf_conntrack is quite slow at the moment:
[root@space ~]# time cat /proc/net/nf_conntrack > /dev/null
real 0m35.097s
user 0m0.010s
sys 0m28.114s
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
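One way to express the policy described in the commit message above in nftables, as an added example that is not the labitat ruleset and not part of the commit: traffic to and from the Tor exit nodes bypasses connection tracking unless the other end is an internal client. The exit node addresses are the ones that appear in the conntrack stats above (the commit moves them, so substitute the new ones); the internal client prefixes, the table name and the set names are assumptions.

```nft
# Added example, not the labitat ruleset: connection-tracking bypass for
# Tor exit traffic.  Exit node addresses are the ones from the stats in the
# commit message; the internal client prefixes are assumed placeholders
# (RFC 5737 / RFC 3849 documentation ranges).
table inet tor_notrack {
	set tor_exits_v4 {
		type ipv4_addr
		elements = { 185.38.175.71, 185.38.175.72 }
	}
	set tor_exits_v6 {
		type ipv6_addr
		elements = { 2a01:4262:1ab:20::71, 2a01:4262:1ab:20::72 }
	}
	set internal_v4 {
		type ipv4_addr
		flags interval
		elements = { 192.0.2.0/24 }        # assumed internal client range
	}
	set internal_v6 {
		type ipv6_addr
		flags interval
		elements = { 2001:db8:1::/64 }     # assumed internal client range
	}

	# "priority raw" (-300) runs before the conntrack hook (-200), which is
	# the only point at which a notrack decision can still be made.
	chain prerouting {
		type filter hook prerouting priority raw; policy accept;

		# Flows between internal clients and the exit nodes stay tracked,
		# in both directions, so "ct state established" keeps working for
		# them in the filter chains further down.
		ip  saddr @internal_v4  ip  daddr @tor_exits_v4 accept
		ip  saddr @tor_exits_v4 ip  daddr @internal_v4  accept
		ip6 saddr @internal_v6  ip6 daddr @tor_exits_v6 accept
		ip6 saddr @tor_exits_v6 ip6 daddr @internal_v6  accept

		# Everything else to or from the exit nodes is not tracked.
		ip  saddr @tor_exits_v4 notrack
		ip  daddr @tor_exits_v4 notrack
		ip6 saddr @tor_exits_v6 notrack
		ip6 daddr @tor_exits_v6 notrack
	}
}
```

Two things to check after loading this. First, untracked packets carry `ct state untracked`, so a forward chain that only accepts `ct state established,related` will now drop the exit nodes' traffic; it needs an explicit rule for `ct state untracked` to and from the exit node addresses. Second, the effect is visible in the numbers: `conntrack -C` prints the table size without walking /proc/net/nf_conntrack, so the 35 second read from the commit message is not needed to confirm that the Tor flows are gone from the table.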
|
Until now BGP connections have only been established
when the space server has initiated the connection to
the peer.
It's best practice for both BGP speakers to be able to
connect to one another, lowering recovery time.
|
This patch changes the reverse path filtering of the labicolo VLAN
to take place in the prerouting hook, using the kernel routing
table, and removes the need to maintain a static prefix list.
Labicolo routes are exported to the kernel routing table by BIRD,
hence it should be sufficient to only have prefix lists there.
This change has been tested, and it's only possible to spoof
fellow labicolo members' address space (same as before).
Esmil: prerouting before input/forward makes more sense to me
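The reverse path check described in the commit message, written out in nftables as an added example (not the labitat rule and not the patch itself): the static prefix list is shown commented out for contrast, and the replacement rule lets the kernel routing table, populated by BIRD, decide. The interface name `labicolo`, the chain name and the prefixes in the commented-out rule are assumptions.

```nft
# Added example, not the labitat rule.  Reverse path filtering for the
# labicolo VLAN in the prerouting hook, decided by the kernel routing table
# instead of a maintained prefix list.  "labicolo" is the assumed interface
# name; the prefixes in the "before" rule are RFC 3849 placeholders.
table inet filter {
	chain rpf_prerouting {
		type filter hook prerouting priority filter; policy accept;

		# Before: a static list that must be edited whenever a member's
		# allocation changes (kept here only for contrast).
		# iifname "labicolo" ip6 saddr != { 2001:db8:100::/48, 2001:db8:200::/48 } drop

		# After: strict reverse path check.  "fib saddr . iif oif" looks the
		# source address up in the routing table with the lookup restricted
		# to the ingress interface; "missing" means there is no route back
		# out through that interface, i.e. the source is spoofed.
		iifname "labicolo" fib saddr . iif oif missing counter drop
	}
}
```

Three caveats a deployment should keep in mind. The check only knows the interface, so, as the commit message says, members sharing the VLAN can still spoof each other's prefixes; separating them needs per-port filtering on the switch or one VLAN per member. The rule is fail-closed: if BIRD stops exporting a member's routes to the kernel, that member's packets are dropped as spoofed, which is the right default but worth an alert on the counter. And IPv6 neighbour discovery sent from the unspecified address (duplicate address detection) has no route back and will match `missing`; exempt `ip6 saddr ::` ahead of the check if the router needs to see it.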
|
Commit message and nftables rule fixed up by Esmil
|
Discovered by IMAAL Research Lab, Brigham Young University,
thank you.
|
This used to allow polling our old switch for
traffic data, but it died and it doesn't work with
the new switch, so let's plug the hole.
|
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
|
..but don't let colo servers connect to internal addresses.
|