Date:      Mon, 10 Jan 2011 00:01:24 +0100
From:      joris dedieu <joris.dedieu@gmail.com>
To:        freebsd-hackers <freebsd-hackers@freebsd.org>
Subject:   Fwd: binding non local ip.
Message-ID:  <AANLkTiniSFrHV8Z84uH2H3HdLaFm7Kj=xS5Tyv0y1cfc@mail.gmail.com>
In-Reply-To: <AANLkTimyOFs4%2BHTPzhjkJnRYQfV3A_77M3zZsM2PXXkO@mail.gmail.com>
References:  <AANLkTimJBkTdgs4P=XjHyTCinfCOn0Ku8bEVcR-q=Dzc@mail.gmail.com> <4D274C5E.500@freebsd.org> <AANLkTimyOFs4%2BHTPzhjkJnRYQfV3A_77M3zZsM2PXXkO@mail.gmail.com>

---------- Forwarded message ----------
From: joris dedieu <joris.dedieu@gmail.com>
Date: 2011/1/9
Subject: Re: binding non local ip.
To: Julian Elischer <julian@freebsd.org>


2011/1/7 Julian Elischer <julian@freebsd.org>:
> On 1/7/11 4:57 AM, joris dedieu wrote:
>>
>> Hi,
>> I need to bind non local ips for daemons that don't
>> implement IP_BINDANY sockopt.
>
> I'm not sure you need it
> you can use the ipfw 'fwd' command to make a locally bound
> socket act and look as if it is bound to a non local address
>
> You need to tell us a little more about what you need to do
>
> for example,
> Is the socket just listening? or is it initiating?
listening I think.
Typically prepare a spare server.
eg:
- Failover as with carp but with more complex actions such as shutting
down the power of the main server, checking data consistency, checking if
the problem is not just a reboot or a buggy service that needs to be
restarted.
- Switch an ip from a main server to an already configured proxy (during a
DoS)
- monitor that the spare service is running.
>
>> There are several solutions such as patching every single daemon
>> or using carp (you may not want automatic failover), jailing
>> the process and of course binding INADDR_ANY when possible ...
>>
>> As I'm too lazy for this, I wrote a little (maybe ugly as my
>> kernel knowledge is really low) patch that adds a sysctl
>> entry in net.inet.ip that allows binding non local ips. It's
>> maybe buggy and insecure but it seems to work.
>
> seems ok, but if the daemon is initiating, how does it know to bind to a non
> local address?
It doesn't know. That's the goal. So when the address becomes local
it's already ready. So you don't discover that it's misconfigured or
broken, or whatever else your dummy colleague has imagined :). You or a
script ifconfig the alias and go back to bed!
> also. if you have source, a single setsockopt() in each one is not much of a
> job..
I already do this for haproxy and for apr. But (for haproxy) it seems
to be too specific to be integrated upstream. For other services (such as
tomcat) that don't know about privilege dropping it's more problematic as
IP_BINDANY needs root privileges in most cases.

I think that a system-wide solution should be a good thing.
Joris
>
>
>> What do you think about it ?
>>
>> Thanks
>> Joris
>>
>> --- a/sys/netinet/in_pcb.c
>> +++ b/sys/netinet/in_pcb.c
>> @@ -321,6 +321,9 @@ in_pcbbind(struct inpcb *inp, struct sockaddr
>> *nam, struct ucred *cred)
>> =A0 *
>> =A0 * On error, the values of *laddrp and *lportp are not changed.
>> =A0 */
>> +static int =A0 =A0 bindany =3D 0; /* 1 allows to bind a non local ip */
>> +SYSCTL_INT(_net_inet_ip, OID_AUTO, bindany, CTLFLAG_RW,&bindany, 0,
>> + =A0 =A0"Allow to bind a non local ip");
>> =A0int
>> =A0in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t
>> *laddrp,
>> =A0 =A0 =A0u_short *lportp, struct ucred *cred)
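Review bot: the new `static int bindany` and its SYSCTL_INT are inserted between the doc comment that ends "On error, the values of *laddrp and *lportp are not changed." and `int in_pcbbind_setup(...)`, so that comment no longer sits directly above the function it documents; move the declaration above the comment block. The description string "Allow to bind a non local ip" also understates what a CTLFLAG_RW knob under net.inet.ip does: it is a single global switch for every bind() on the system, and the description (and ideally a sysctl(8)/inpcb man page note) should say so, e.g. "Allow any socket to bind a non-local IP address (system-wide)".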
>> @@ -393,8 +396,12 @@ in_pcbbind_setup(struct inpcb *inp, struct
>> sockaddr *nam, in_addr_t *laddrp,
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0* to any endpoint add=
ress, local or not.
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0*/
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 if ((inp->inp_flags& =A0=
INP_BINDANY) =3D=3D 0&&
>> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ifa_ifwithaddr_che=
ck((struct sockaddr *)sin)
>> =3D=3D 0)
>> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 return (EA=
DDRNOTAVAIL);
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ifa_ifwithaddr_che=
ck((struct sockaddr *)sin)
>> =3D=3D 0) {
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 if(bindany=
> =A00)
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =
=A0 =A0 inp->inp_flags |=3D INP_BINDANY;
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 else
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =
=A0 =A0 return (EADDRNOTAVAIL);
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 }
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 }
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 laddr =3D sin->sin_addr;
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 if (lport) {
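Review bot: the new branch does `inp->inp_flags |= INP_BINDANY` as a side effect of the failed locality check, so the knob does more than permit this one bind: the inpcb now carries the same flag that the IP_BINDANY setsockopt sets only after a privilege check, and any later code that keys on INP_BINDANY will treat the socket as if a privileged process had asked for it. Nothing in this hunk consults the `cred` that is passed into in_pcbbind_setup(); either let the bypass fall through without touching inp_flags, or gate it on a privilege check against `cred` (FreeBSD has priv_check_cred() with PRIV_NETINET_BINDANY for exactly this case), and log the event so an operator can see which process bound a non-local address. Style: `if(bindany > 0)` should be `if (bindany > 0)` per style(9), and the inner return could keep the original single-line form to reduce the diff.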
>>
>
>
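The per-daemon route Julian suggests (one setsockopt() per program) together with Joris's objection that IP_BINDANY needs root, as an added C example that is not code from the thread: the option is requested while still privileged, the socket is bound, and only then is root dropped. It assumes IP_FREEBIND as the Linux analogue of FreeBSD's IP_BINDANY so the same source builds on both systems; the error-code contract of bind_any_listener() is this example's own.

```c
/* Per-socket "bind any" as the thread recommends: set the option while still
 * privileged, bind, then drop root before serving.  Added example, not code
 * from the thread; IP_FREEBIND is assumed as the Linux analogue of IP_BINDANY. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to ip:port.  Returns 0 and stores the fd in *fd_out, or
 * the errno of the failing call: EADDRNOTAVAIL when the address is not
 * configured locally and allow_nonlocal is 0 (the check the sysctl patch
 * in the thread turns off for every socket at once). */
int bind_any_listener(const char *ip, in_port_t port, int allow_nonlocal,
                      int *fd_out)
{
    struct sockaddr_in sin;
    int one = 1, err, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    if (allow_nonlocal) {
#ifdef IP_BINDANY
        /* FreeBSD checks PRIV_NETINET_BINDANY here, so this must run
         * before privileges are dropped (EPERM otherwise). */
        err = setsockopt(fd, IPPROTO_IP, IP_BINDANY, &one, sizeof one);
#elif defined(IP_FREEBIND)
        err = setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one);
#else
        err = -1, errno = EOPNOTSUPP;
#endif
        if (err < 0) { err = errno; close(fd); return err; }
    }
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1) { close(fd); return EINVAL; }
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        err = errno; close(fd); return err;
    }
    *fd_out = fd;
    return 0;
}

/* Second half: with the socket bound, give up root so the daemon itself
 * never serves privileged.  Returns 0 or errno. */
int drop_privileges(uid_t uid, gid_t gid)
{
    return (setgid(gid) < 0 || setuid(uid) < 0) ? errno : 0;
}
```

A daemon that cannot drop privileges itself (the tomcat case in the thread) still needs a privileged wrapper to do the bind step before exec, which is the part the system-wide sysctl was meant to avoid.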