From owner-freebsd-hackers@FreeBSD.ORG Mon Jan 17 13:22:52 2011
Date: Mon, 17 Jan 2011 14:22:51 +0100
From: joris dedieu
To: Julian Elischer
Cc: freebsd-hackers
In-Reply-To: <4D2CA5E8.9070003@freebsd.org>
References: <4D274C5E.500@freebsd.org> <4D2CA5E8.9070003@freebsd.org>
Subject: Re: Fwd: binding non local ip.
Hi Julian and many thanks for your comments.

2011/1/11 Julian Elischer :
> On 1/9/11 3:01 PM, joris dedieu wrote:
>>
>> ---------- Forwarded message ----------
>> From: joris dedieu
>> Date: 2011/1/9
>> Subject: Re: binding non local ip.
>> To: Julian Elischer
>>
>>
>> 2011/1/7 Julian Elischer:
>>>
>>> On 1/7/11 4:57 AM, joris dedieu wrote:
>>>>
>>>> Hi,
>>>> I need to bind non-local IPs for daemons that don't
>>>> implement the IP_BINDANY sockopt.
>>>
>>> I'm not sure you need it.
>>> You can use the ipfw 'fwd' command to make a locally bound
>>> socket act and look as if it is bound to a non-local address.
>>>
>>> You need to tell us a little more about what you need to do.
>>>
>>> For example,
>>> is the socket just listening? Or is it initiating?
>>
>> Listening, I think.
>> Typically, preparing a spare server.
>> e.g.:
>> - Failover as with carp but with more complex actions such as shutting
>> down the power of the main server, checking data consistency, checking if
>> the problem is not just a reboot or a buggy service that needs to be
>> restarted.
>
> A listening server can be listening on a local port and address.
> Use ipfw 'fwd' to force it to accept a non-local address socket.
> The local address of the listening socket will be switched to that
> of the address on the session.
>
> e.g.
> ipfw add 100 fwd 127.0.0.1,80 tcp from any to 111.123.123.123 in recv em0
>
> Your local server listening on 127.0.0.1:80 will end up with a socket with
> a local address of 111.123.123.123 even if that is not any address of yours.
>
>> - Switch an IP from a main server to an already configured proxy (during a
>> DoS).
>> - Monitor that the spare service is running.
>
> This is easy as shown above.

As I said above, there are several workarounds depending on the context.
I agree enabling ipfw is not the worst. In my thought, the goal of this patch
is just to offer a simple answer to a simple question:
how to bind a non-local IP under FreeBSD? For now the answer is: implement it
with IP_BINDANY, or do as if (with firewalling), or do it another way.
I know it. I do it that way at my job every day.
I just think "turn on sysctl.XXX.YYY" is one of those little things you are
happy to find.

Best regards
Joris

>>>> There are several solutions such as patching every single daemon
>>>> or using carp (you may not want automatic failover), jailing
>>>> the process and of course binding INADDR_ANY when possible ...
>>>>
>>>> As I'm too lazy for this, I wrote a little (maybe ugly, as my
>>>> kernel knowledge is really low) patch that adds a sysctl
>>>> entry in net.inet.ip that allows binding non-local IPs. It's
>>>> maybe buggy and insecure but it seems to work.
>>>
>>> Seems ok, but if the daemon is initiating, how does it know to bind to a
>>> non-local address?
>>
>> It doesn't know. That's the goal. So when the address becomes local
>> it's already ready. So you don't discover that it's misconfigured or
>> broken, or whatever else your dummy colleague has imagined :) . You or a
>> script ifconfig the alias and back to bed!
>>>
>>> Also, if you have source, a single setsockopt() in each one is not much
>>> of a job..
>>
>> I already do this for haproxy and for apr. But (for haproxy) it seems
>> to be too specific to be integrated upstream. For other services (such as
>> tomcat) that don't know privilege dropping it's more problematic, as
>> IP_BINDANY needs root privileges in most cases.
>>
>> I think that a system-wide solution would be a good thing.
>> Joris
>>>
>
>
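The thread contrasts two ways to get a listener onto an address the host does not own: Julian's firewall-side `ipfw fwd` rule, which needs nothing in the daemon, and the per-daemon `setsockopt(IP_BINDANY)` that Joris already patches into haproxy and apr. The program below is an added example, not code from the thread or from FreeBSD, showing what that per-daemon change looks like and why it runs into the privilege problem Joris raises. It assumes the FreeBSD `IP_BINDANY` option; the `IP_FREEBIND` fallback is an assumption added only so it also compiles on Linux, and `192.0.2.1` (TEST-NET-1) is a constructed stand-in for an address that is "not yet local". On FreeBSD the `setsockopt` itself is refused with `EPERM` unless the process holds `PRIV_NETINET_BINDANY` (root by default), which is exactly why a daemon that drops privileges before binding cannot use it.

```c
/* Added example: bind a TCP listener to a non-local IPv4 address with the
 * bind-any socket option (IP_BINDANY on FreeBSD). Not the thread's code. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* IP_BINDANY is the FreeBSD option discussed in the thread. The IP_FREEBIND
 * branch is an assumption so the example also builds on Linux. */
#if defined(IP_BINDANY)
#define BINDANY_OPT  IP_BINDANY
#define BINDANY_NAME "IP_BINDANY"
#elif defined(IP_FREEBIND)
#define BINDANY_OPT  IP_FREEBIND
#define BINDANY_NAME "IP_FREEBIND"
#else
#error "no bind-any socket option on this platform"
#endif

enum bind_result {
    BIND_OK = 0,
    BIND_BAD_ADDR,       /* address string did not parse as IPv4 */
    BIND_SOCKET_FAILED,  /* socket(2) failed, errno in *err_out */
    BIND_SOCKOPT_FAILED, /* kernel refused the option (EPERM when unprivileged on FreeBSD) */
    BIND_FAILED          /* bind(2) failed, e.g. EADDRNOTAVAIL without the option */
};

/* Create a TCP socket, optionally request bind-any, and bind it to ip:port.
 * On BIND_OK the descriptor is stored in *fd_out; otherwise *err_out holds
 * errno and no descriptor is leaked. */
enum bind_result bind_nonlocal(const char *ip, uint16_t port, int want_bindany,
                               int *fd_out, int *err_out)
{
    struct sockaddr_in sin;
    int fd, one = 1;

    *fd_out = -1;
    *err_out = 0;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return BIND_BAD_ADDR;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        *err_out = errno;
        return BIND_SOCKET_FAILED;
    }
    /* Let a restarted daemon rebind while old connections linger in TIME_WAIT. */
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    /* This is the single setsockopt() the thread says each daemon needs. */
    if (want_bindany &&
        setsockopt(fd, IPPROTO_IP, BINDANY_OPT, &one, sizeof one) < 0) {
        *err_out = errno;
        close(fd);
        return BIND_SOCKOPT_FAILED;
    }
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        *err_out = errno;
        close(fd);
        return BIND_FAILED;
    }
    *fd_out = fd;
    return BIND_OK;
}

static const char *result_name(enum bind_result r)
{
    static const char *names[] = { "ok", "bad address", "socket() failed",
                                   "setsockopt() failed", "bind() failed" };
    return names[r];
}

int main(void)
{
    /* 192.0.2.1 is a constructed TEST-NET-1 address standing in for an IP
     * that is not (yet) configured on this host. */
    const char *addr = "192.0.2.1";
    int fd, err;
    enum bind_result r;

    r = bind_nonlocal(addr, 8080, 0, &fd, &err);
    printf("without %s: %s (%s)\n", BINDANY_NAME, result_name(r), strerror(err));
    if (r == BIND_OK) close(fd);

    r = bind_nonlocal(addr, 8080, 1, &fd, &err);
    printf("with %s:    %s (%s)\n", BINDANY_NAME, result_name(r), strerror(err));
    if (r == BIND_OK) {
        listen(fd, 16); /* the socket now waits for the alias to become local */
        close(fd);
    }
    return 0;
}
```

Run once as an unprivileged user and once as root to see the difference the thread is about: without the option, `bind()` fails with `EADDRNOTAVAIL` either way; with it, root gets a working listener while an unprivileged process on FreeBSD is stopped at the `setsockopt()` with `EPERM`. The `ipfw fwd` rule from Julian's reply avoids this entirely because the daemon only ever binds `127.0.0.1`.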