Network Filtering Improvements

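Around midnight last night I deployed new "transparent" network filtering. The filtering falls into two categories: global filtering and Linode-specific filtering.

The global filtering is already active on all the hosts. It filters most broadcast traffic, HSRP messages, and UDP port 137 traffic.

The Linode-specific filtering filters broadcast traffic, as well as ARP traffic that is not destined for your IP.

The Linode-specific filtering is available on all the hosts except host1 and host2. These require new kernel features, which would require a reboot of host1 and host2 (both have over 100 days of uptime). For now, only the global filtering and the original filtering are available on host1 and host2.

For those not on host1 and host2, you must reboot your Linode to take advantage of the new filtering rules.

If you run some tcpdumps, you should notice a huge improvement.

Thanks, and enjoy!

-Chris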
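
To check from inside a Linode which captured frames fall into the traffic classes the post lists, the following added example (not part of the original post, and not Linode's filter implementation) classifies raw Ethernet frames as broadcast, HSRP, UDP port 137, or ARP for someone else's IP. The HSRP port (UDP 1985), the rule that ARP for your own IP passes, the function names, and all sample frames and addresses are assumptions constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

BCAST = b"\xff" * 6
HSRP_PORT, NBNS_PORT = 1985, 137  # 1985 is an assumption (standard HSRP port); 137 is from the post
SRC_MAC, SRC_IP = b"\x02\x00\x00\x00\x00\x01", IPv4Address("192.0.2.1").packed  # constructed

def classify_frame(frame: bytes, my_ip: str) -> str:
    """Name the filtered class a raw Ethernet frame belongs to, or 'pass'."""
    if len(frame) < 14:
        return "malformed"
    dst_mac, ethertype, payload = frame[:6], struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == 0x0806:  # ARP (Ethernet/IPv4 layout): target IP is bytes 24..27
        if len(payload) < 28:
            return "malformed"
        # Assumption: ARP for our own IP is allowed through even though requests are broadcast.
        return "pass" if payload[24:28] == IPv4Address(my_ip).packed else "arp-not-for-me"
    if ethertype == 0x0800 and len(payload) >= 20:  # IPv4
        ihl = (payload[0] & 0x0F) * 4
        first_fragment = (struct.unpack("!H", payload[6:8])[0] & 0x1FFF) == 0
        if payload[9] == 17 and first_fragment and ihl >= 20 and len(payload) >= ihl + 4:
            ports = struct.unpack("!HH", payload[ihl:ihl + 4])  # UDP source and destination
            if HSRP_PORT in ports:
                return "hsrp"
            if NBNS_PORT in ports:
                return "udp-137"
    return "broadcast" if dst_mac == BCAST else "pass"

def build_eth(dst_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + SRC_MAC + struct.pack("!H", ethertype) + payload

def build_arp_request(target_ip: str) -> bytes:
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, opcode 1 = request
    return build_eth(BCAST, 0x0806, header + SRC_MAC + SRC_IP + b"\x00" * 6 + IPv4Address(target_ip).packed)

def build_udp(dst_mac: bytes, dst_ip: str, sport: int, dport: int) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, SRC_IP, IPv4Address(dst_ip).packed)
    return build_eth(dst_mac, 0x0800, ip + struct.pack("!HHHH", sport, dport, 8, 0))

MY_IP = "192.0.2.10"  # constructed address from the documentation range
SAMPLES = {           # constructed frames, one per traffic class
    "arp for me": build_arp_request(MY_IP),
    "arp for neighbour": build_arp_request("192.0.2.77"),
    "hsrp hello": build_udp(b"\x01\x00\x5e\x00\x00\x02", "224.0.0.2", 1985, 1985),
    "netbios name query": build_udp(BCAST, "192.0.2.255", 137, 137),
    "other broadcast": build_udp(BCAST, "255.255.255.255", 68, 67),
}
if __name__ == "__main__":
    print({name: classify_frame(frame, MY_IP) for name, frame in SAMPLES.items()})
```

With the Linode-specific filtering active, a capture taken on the Linode should contain only frames this function labels `pass`.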


Comments (1)

    [quote="caker"]The Linode specific filtering is available on all the hosts except host1 and host2. These require new kernel features which would require a reboot of host1 and host2 (both have over 100 days uptime). For now, only the global filtering and the original filtering is available on host1 and host2.[/quote]

    Ahh! Okay — I was just running tcpdump to debug some stuff, so I was wondering what you were smoking there for a minute. This brings up an important point though: we all enjoy long uptimes, especially for the host nodes. What’s more, I’ve certainly had Linux boxes enjoy uptimes of over a year, and I’ve heard of much longer. Yet, I’m sure that there will be a need to upgrade the host machines every now and then, so have you considered having some sort of scheduled maintenance window where we can plan on our nodes going down, take any appropriate precautions, and be ready to do whatever we need when the host comes back up? I’m thinking something really infrequent, like once a year or something.

    Just a thought.

    -“Zow”
