From: Oliver Fromme
To: sthaug@nethelp.no
Cc: freebsd-stable@FreeBSD.ORG
Date: Tue, 13 Feb 2007 21:06:31 +0100 (CET)
Subject: Re: Desired behaviour of "ifconfig -alias"
Message-Id: <200702132006.l1DK6VLI021242@lurza.secnetix.de>
In-Reply-To: <20070213.200306.74735550.sthaug@nethelp.no>

sthaug@nethelp.no wrote:
> > > In that situation, wouldn't deleting the primary IP
> > > cause connection issues for the rest of the IPs?
> >
> > No. I can delete _any_ of the above IP addresses, and the
> > others would still work perfectly fine. I already did
> > things like that (on a different machine).
> >
> > As for outgoing connections: It is true that the kernel
> > picks a random matching IP address to be the source IP,
> > which happens to be the first one, but that's just as
> > coincidence as "-alias" picking the first one if none
> > is given. ;-)
>
> If it is indeed true that the kernel picks a *random* IP address for
> the source IP, I'd have to say that's not at all good enough.

Well, "random" was probably misleading, I'm sorry. It should
better be called "arbitrary", I think.

> I'm all for being able to use the same netmask for several addresses
> in the same subnet (I have asked for this before) - but the source IP
> used by traffic generated from the host itself *must* be predictable.

It _is_ predictable, it is the first address currently configured
on the interface. But doing so is (was) an arbitrary decision.
Of course, if you remove the first address, it will simply use
the next one (which will then become the first one).

On the other hand, if you need to guarantee that a certain address
is used as source IP for outgoing connections, then you should
explicitly bind the socket to that address. Many programs have an
option to do that, or -- if they don't -- it's usually not too
difficult to insert a bind(2) call into the source yourself.

Another way to do it is to run the program inside a jail; you
don't even have to set up a chroot if you don't want to:

    # jail / `hostname` $IP /path/to/program

I would advise against relying on the current behaviour that the
kernel always picks the first address as the source address for a
subnet for unbound sockets.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: registry court Munich, HRA 74606, Management: secnetix
Verwaltungsgesellsch. mbH, Commercial register: registry court Munich,
HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

Any opinions expressed in this message are personal to the author and may
not necessarily reflect the opinions of secnetix GmbH & Co KG in any way.

FreeBSD services, products and more: http://www.secnetix.de/bsd

"And believe me, as a C++ programmer, I don't hesitate to question
the decisions of language designers. After a decent amount of C++
exposure, Python's flaws seem ridiculously small."
        -- Ville Vainio
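The bind(2) approach described in the message above, shown as an added example that is not part of the original thread or of FreeBSD: a small C program that binds a TCP socket to a chosen local IPv4 address (with an ephemeral port) before any connect(), so the source address no longer depends on which address happens to be first on the interface. The helper names socket_with_source and bound_source are assumptions for this example; if the requested address is not configured on the host, bind(2) fails (typically with EADDRNOTAVAIL) and the program reports that instead of silently using whatever address the kernel would otherwise pick.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper (not FreeBSD code): create a TCP socket and bind it
 * to the given local IPv4 address with port 0, so the kernel picks an
 * ephemeral port but the source address is fixed by us.
 * Returns the descriptor on success, -1 on failure (errno is set by the
 * failing call; an unparsable address yields -1 without touching errno). */
int socket_with_source(const char *src_ip)
{
    struct sockaddr_in local;
    memset(&local, 0, sizeof local);
    local.sin_family = AF_INET;
    local.sin_port = 0;                     /* ephemeral port */
    if (inet_pton(AF_INET, src_ip, &local.sin_addr) != 1)
        return -1;                          /* not a valid dotted quad */

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&local, sizeof local) != 0) {
        /* EADDRNOTAVAIL here means the address is not configured locally:
         * fail loudly rather than fall back to an arbitrary source. */
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Hypothetical helper: report the address the socket is actually bound to
 * as a dotted quad in buf. Returns 0 on success, -1 on failure. */
int bound_source(int fd, char *buf, size_t buflen)
{
    struct sockaddr_in local;
    socklen_t len = sizeof local;
    if (getsockname(fd, (struct sockaddr *)&local, &len) != 0)
        return -1;
    if (inet_ntop(AF_INET, &local.sin_addr, buf, buflen) == NULL)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed default: loopback, which exists on every host. */
    const char *src = argc > 1 ? argv[1] : "127.0.0.1";
    int fd = socket_with_source(src);
    if (fd < 0) {
        fprintf(stderr, "cannot bind to %s: %s\n", src, strerror(errno));
        return 1;
    }
    char buf[INET_ADDRSTRLEN];
    if (bound_source(fd, buf, sizeof buf) == 0)
        printf("socket bound to source address %s; connect() will use it\n", buf);
    /* A connect() to the peer would follow here; the kernel keeps the
     * bound source address instead of choosing one by route lookup. */
    close(fd);
    return 0;
}
```

Run it with the address you want as source (`./a.out 192.0.2.10`, a constructed example value); the bound address is read back with getsockname(2) so the program verifies what the kernel recorded rather than trusting its own input.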