From: Aryeh Friedman <aryeh.friedman@gmail.com>
Date: Thu, 6 Aug 2020 18:13:43 -0400
Subject: Re: Unroutable packet to specific IP forces process to run
To: Don Wilde
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>

On Thu, Aug 6, 2020 at 5:58 PM Don Wilde wrote:
> On 8/6/20 2:40 PM, Aryeh Friedman wrote:
>> On Thu, Aug 6, 2020 at 5:39 PM Don Wilde wrote:
>>> On 8/6/20 2:35 PM, Aryeh Friedman wrote:
>>>> On Thu, Aug 6, 2020 at 5:33 PM Don Wilde wrote:
>>>>> On 8/6/20 2:30 PM, Aryeh Friedman wrote:
>>>>>> I have a VPN that has stability problems (the fault of the ISP, and they
>>>>>> admit it). I have set up one of my FreeBSD machines as a router for that
>>>>>> specific VPN:
>>>>>>
>>>>>> # on non-gateway machines in /etc/rc.conf
>>>>>> static_routes="internalnet2"
>>>>>> route_internalnet2="-net 10.31.10.0/24 192.168.11.60"
>>>>>>
>>>>>> Is there any way to force the gateway machine to run a preset command if
>>>>>> 10.31.10.0/24 is unreachable? (i.e. reset the connection)
>>>>>
>>>>> What about a simple scripted cron-job ping, Aryeh? Sometimes the
>>>>> simplest solutions are the best.
>>>>
>>>> The amount of time the connection stays up is unpredictable, and due to the
>>>> use case it needs to be repaired immediately if down (not even a 5 min
>>>> delay for cron to do its normal wake-up and look for a job is acceptable).
>>>
>>> Understood.
>>>
>>> So how about a simple C daemon that pings every ten seconds? Just set the
>>> ping count to 1.
>>
>> System load. (The gateway also hosts 3 moderately used VMs.)
>
> Okay, so forget a system() call to ping. Send a packet directly to
> something on the target from the C code. Even simpler, just call
> getaddrinfo() on host:port of a machine at the "other" end.
I have written ICMP code (a clone of ping with some extras covered by an NDA) in the past, and this is not as simple as it sounds (I thought it was an afternoon project; it ended up taking 3 weeks [I learned a lot though]).

> Honestly, I don't think you can get any simpler than this, Aryeh. There's
> only so much you can juggle, and no existing package is going to be any
> faster or more specifically better than what you code yourself.

I know a site that has done just this and gone a step farther and has a per-user ACL for access to the net (it is a public access free shell provider, m-net.arbornet.org), and it works perfectly with almost zero system load (they did say it took a kernel modification, hence my looking for a better way).

> We also, IIRC, talked about how your bosses are screwing you out of
> necessary resources. Sooner or later you're going to have to address that
> issue head-on, but YMMV and beyond what we've already discussed it's not my
> business.

Client and not boss in this case (I am a freelancer), and in this case the cost of a second license is greater than their annual income (the vendor has a really odd pricing model, since the first license is quite affordable and every one after 2 is affordable, but the second one is not), and thus I actually agree with them that it is not an option.

-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
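As an added example (not code from anyone in the thread), the "run a preset command when 10.31.10.0/24 is unreachable" check discussed above as a small sh watchdog for the gateway: one ICMP echo every ten seconds, and the reset command runs only after several consecutive misses so a single lost packet does not tear the tunnel down. The probe address 10.31.10.1, the script name route-watchdog.sh and /usr/local/etc/vpn-reset.sh are assumed placeholders.

```shell
#!/bin/sh
# Route watchdog for the VPN gateway (added example). Assumed placeholders:
# PROBE_HOST answers ICMP inside 10.31.10.0/24, RESET_CMD resets the VPN.
PROBE_HOST="${PROBE_HOST:-10.31.10.1}"
RESET_CMD="${RESET_CMD:-/usr/local/etc/vpn-reset.sh}"
INTERVAL="${INTERVAL:-10}"      # seconds between probes
FAIL_LIMIT="${FAIL_LIMIT:-3}"   # consecutive misses before acting
COOLDOWN="${COOLDOWN:-60}"      # seconds to let the reset settle

# One probe: a single ICMP echo; FreeBSD ping(8) -t is the overall timeout
# in seconds, so a dead route costs at most 2 s and one short-lived process.
probe() {
    ping -c 1 -t 2 "$PROBE_HOST" >/dev/null 2>&1
}

# Decision logic kept free of I/O so it can be tested without a network.
# Args: previous consecutive-failure count, probe exit status (0 = reachable).
# Prints "<new_count> <action>", where action is ok, wait or reset.
decide() {
    fails=$1 result=$2
    if [ "$result" -eq 0 ]; then
        echo "0 ok"
    elif [ $((fails + 1)) -ge "$FAIL_LIMIT" ]; then
        echo "0 reset"
    else
        echo "$((fails + 1)) wait"
    fi
}

watchdog() {
    fails=0
    while :; do
        if probe; then rc=0; else rc=1; fi
        set -- $(decide "$fails" "$rc")
        fails=$1
        if [ "$2" = reset ]; then
            logger -t route-watchdog \
                "$PROBE_HOST unreachable $FAIL_LIMIT times, running $RESET_CMD"
            "$RESET_CMD"
            sleep "$COOLDOWN"
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as "route-watchdog.sh run".
case "${1:-}" in
    run) watchdog ;;
esac
```

Start it from rc.conf via daemon(8) so it is restarted with the system; if ICMP is filtered at the far end, swap probe() for a TCP connect check against a service you know is listening there.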