Date: Tue, 13 Feb 2007 21:06:31 +0100 (CET)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: sthaug@nethelp.no
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: Desired behaviour of "ifconfig -alias"
Message-ID: <200702132006.l1DK6VLI021242@lurza.secnetix.de>
In-Reply-To: <20070213.200306.74735550.sthaug@nethelp.no>
sthaug@nethelp.no wrote:
 > > > In that situation, wouldn't deleting the primary IP
 > > > cause connection issues for the rest of the IPs?
 > >
 > > No. I can delete _any_ of the above IP addresses, and the
 > > others would still work perfectly fine. I already did
 > > things like that (on a different machine).
 > >
 > > As for outgoing connections: It is true that the kernel
 > > picks a random matching IP address to be the source IP,
 > > which happens to be the first one, but that's just as
 > > coincidence as "-alias" picking the first one if none
 > > is given. ;-)
 >
 > If it is indeed true that the kernel picks a *random* IP address for
 > the source IP, I'd have to say that's not at all good enough.

Well, "random" was probably misleading, I'm sorry. It should
better be called "arbitrary", I think.

 > I'm all for being able to use the same netmask for several addresses
 > in the same subnet (I have asked for this before) - but the source IP
 > used by traffic generated from the host itself *must* be predictable.

It _is_ predictable, it is the first address currently configured
on the interface. But doing so is (was) an arbitrary decision.
Of course, if you remove the first address, it will simply use
the next one (which will then become the first one).

On the other hand, if you need to guarantee that a certain address
is used as source IP for outgoing connections, then you should
explicitly bind the socket to that address. Many programs have an
option to do that, or -- if they don't -- it's usually not too
difficult to insert a bind(2) call into the source yourself.

Another way to do it is to run the program inside a jail; you
don't even have to set up a chroot if you don't want to:

   # jail / `hostname` $IP /path/to/program

I would advise against relying on the current behaviour that the
kernel always picks the first address as the source address for a
subnet for unbound sockets.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht München,
HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

Any opinions expressed in this message are personal to the author
and may not necessarily reflect the opinions of secnetix GmbH & Co KG
in any way.

FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

"And believe me, as a C++ programmer, I don't hesitate to question
the decisions of language designers. After a decent amount of C++
exposure, Python's flaws seem ridiculously small."
        -- Ville Vainio
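The explicit bind(2) that the message recommends, as an added example written for this archive page (it is not code from the e-mail, from its author, or from FreeBSD). The function names bound_source and binds_with_source, the use of loopback as both source and destination, and the discard port 9 as the destination are assumptions made so the program runs offline; a UDP socket is used because connect(2) on it sets the route and source without sending anything. The point it demonstrates is the one the message makes: an unbound socket inherits whatever address the kernel happens to pick first, while a bound socket carries exactly the address you chose, and binding to an address that is not configured on the host fails loudly (EADDRNOTAVAIL) instead of silently falling back.

```c
/* Added example (not from the original e-mail): pin the source address of an
 * outgoing socket with bind(2) instead of relying on the kernel's "first
 * address on the interface" choice for unbound sockets. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Bind a UDP socket to src_ip (port 0 = any local port), connect() it to
 * dst_ip:dst_port so the kernel fixes route and source, and copy the source
 * address the kernel actually recorded into out.  Returns 0 on success,
 * -1 on any failure (bad address text, bind(2)/connect(2) error). */
int bound_source(const char *src_ip, const char *dst_ip, unsigned short dst_port,
                 char *out, size_t outlen)
{
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;

    struct sockaddr_in src;
    memset(&src, 0, sizeof src);
    src.sin_family = AF_INET;
    src.sin_port = 0;                       /* any ephemeral local port */
    if (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1 ||
        bind(s, (struct sockaddr *)&src, sizeof src) < 0) {
        /* bind() fails with EADDRNOTAVAIL if src_ip is not configured here */
        close(s);
        return -1;
    }

    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(dst_port);
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1 ||
        connect(s, (struct sockaddr *)&dst, sizeof dst) < 0) {
        close(s);
        return -1;
    }

    /* Ask the kernel which local address it has recorded for this socket. */
    struct sockaddr_in local;
    socklen_t len = sizeof local;
    int rc = getsockname(s, (struct sockaddr *)&local, &len);
    close(s);
    if (rc < 0)
        return -1;
    return inet_ntop(AF_INET, &local.sin_addr, out, outlen) == NULL ? -1 : 0;
}

/* Convenience check: 1 if a socket bound to src_ip really carries src_ip as
 * its source toward dst_ip, 0 if binding fails or another address shows up. */
int binds_with_source(const char *src_ip, const char *dst_ip)
{
    char buf[INET_ADDRSTRLEN];
    if (bound_source(src_ip, dst_ip, 9, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, src_ip) == 0;
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];
    /* Loopback keeps the example offline; substitute the alias address you
     * want outgoing traffic to carry. */
    if (bound_source("127.0.0.1", "127.0.0.1", 9, buf, sizeof buf) == 0)
        printf("source address recorded by the kernel: %s\n", buf);
    else
        perror("bound_source");

    /* 192.0.2.1 (documentation range, assumed not configured on this host):
     * bind() refuses it rather than quietly picking another address. */
    printf("bind to unconfigured 192.0.2.1 succeeds: %d\n",
           binds_with_source("192.0.2.1", "127.0.0.1"));
    return 0;
}
```

The same bind-before-connect sequence applies to TCP sockets; with TCP the connect(2) would actually open a connection, which is why the offline example uses UDP. Programs that expose a "bind address" or "source address" option are doing exactly this call on your behalf.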