Date: Fri, 19 Apr 2002 14:15:00 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: Brett Glass <brett@lariat.org>
Cc: chat@freebsd.org
Subject: Re: How to control address used by INADDR_ANY?
Message-ID: <3CC088D4.F21A3656@mindspring.com>
References: <4.3.2.7.2.20020419144005.0358c610@nospam.lariat.org>

Brett Glass wrote:
> As best I can tell, the trouble is that when a process running on the
> router itself opens an outbound socket with INADDR_ANY (which most
> networked applications do), it picks 10.X.Y.Z as the source address
> instead of A.B.C.1.

INADDR_ANY means "I don't care".

FreeBSD's "I don't care" is a bit different in implementation
than Cisco's "I don't care".  8-(.

Since you apparently *do* care, you must bind a specific address
for outbound connections.

Note that FreeBSD will still treat the port space for anonymous
ports as if it were the INADDR_ANY space, so you will be limited
to 65535 outbound connections, even though you have more than one
IP address to bind outbound connections to.

> What's the easiest way to specify the address to be used as the source
> address when an app opens an outbound socket with INADDR_ANY? I'm unclear
> about how the system is picking it now (I haven't yet found the place in
> the source where this decision is made), but it seems to be picking
> 10.X.Y.Z, which of course will not work.

It picks the first address on the first interface on the subnet
for the destination address in question, which may not be the
"right" address.

Probably you can make it work by setting the IP address to the
one for the bridged network, and then setting the 10. address
to be the alias, instead of the bridged address.

Really, this is a bug in the FreeBSD code, in that it is not
treating the IP address/port pair on the destination as the
route to choose the "proper" origin address.  You'll see the
same thing in NFS TCP connections, where the remote host will
believe you are trying to "spoof" packets because the response
doesn't come from the same IP address to which the request was
made.

Short of rewriting a lot of the stack to reorder the anonymous
address handling (e.g. to make it work like Cisco equipment
does), it's probably best to just bind outgoing interfaces
manually, and deal with the netmask in your proxy app.

-- Terry
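
The message's advice to bind a specific address for outbound connections, as an added example that is not part of the original e-mail: call bind() with the wanted source address and port 0 before connect(), then read back with getsockname() which address was actually used. The function names `make_listener` and `connect_from` are hypothetical, and the loopback listener is a constructed test peer so the code runs offline.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed test peer: listen on 127.0.0.1, kernel-chosen port. */
int make_listener(uint16_t *port_out)
{
    struct sockaddr_in a = {0};
    socklen_t len = sizeof a;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 8) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(a.sin_port);
    return fd;
}

/* Connect to dst_ip:dst_port. If src_ip is non-NULL, bind() to it first
 * (port 0 = anonymous port); if NULL, the kernel picks the source address.
 * Stores the local address actually used in *local_out. Returns fd or -1. */
int connect_from(const char *src_ip, const char *dst_ip, uint16_t dst_port,
                 struct in_addr *local_out)
{
    struct sockaddr_in src = {0}, dst = {0}, local;
    socklen_t len = sizeof local;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    src.sin_family = dst.sin_family = AF_INET;
    dst.sin_port = htons(dst_port);
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1) goto fail;
    if (src_ip != NULL) {
        if (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1) goto fail;
        /* bind() fails if src_ip is not an address configured on this host. */
        if (bind(fd, (struct sockaddr *)&src, sizeof src) < 0) goto fail;
    }
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0) goto fail;
    if (getsockname(fd, (struct sockaddr *)&local, &len) < 0) goto fail;
    *local_out = local.sin_addr;
    return fd;
fail:
    close(fd);
    return -1;
}
```

On a multi-homed host, pass the address the peer should see as `src_ip`; comparing the returned local address against the expected one is a quick check that the kernel's default choice is not the one in use.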