Fwd: binding non local ip.

joris dedieu joris.dedieu at gmail.com
Sun Jan 9 23:01:27 UTC 2011


---------- Forwarded message ----------
From: joris dedieu <joris.dedieu at gmail.com>
Date: 2011/1/9
Subject: Re: binding non local ip.
To: Julian Elischer <julian at freebsd.org>


2011/1/7 Julian Elischer <julian at freebsd.org>:
> On 1/7/11 4:57 AM, joris dedieu wrote:
>>
>> Hi,
>> I need to bind non local ips for daemons that don't
>> implement the IP_BINDANY sockopt.
>
> I'm not sure you need it
> you can use the ipfw 'fwd' command to make a locally bound
> socket act and look as if it is bound to a non local address
>
> You need to tell us a little more about what you need to do
>
> for example,
> Is the socket just listening? or is it initiating?
Listening I think.
Typically to prepare a spare server.
eg:
- Failover as with carp but with more complex actions such as shutting
down the power of the main server, checking data consistency, checking if
the problem is not just a reboot or a buggy service that needs to be
restarted.
- Switch an ip from a main server to an already configured proxy (during a dos)
- Monitor that the spare service is running.
>
>> There are several solutions as patching every single daemon
>> or using carp (You may not want automatic failover), jailing
>> the process and of course binding INADDR_ANY when possible ...
>>
>> As I'm too lazy for this, I wrote a little (maybe ugly as my
>> kernel knowledge is really low) patch that adds a sysctl
>> entry in net.inet.ip that allows binding non local ips. It's
>> maybe buggy and insecure but it seems to work.
>
> seems ok, but if the daemon is initiating, how does it know to bind to a non
> local address?
It doesn't know. That's the goal. So when the address becomes local
it's already ready. So you don't discover that it's misconfigured or
broken, or whatever else your dummy colleague has imagined :) . You or a
script ifconfig the alias and go back to bed!
> also. if you have source, a single setsockopt() in each one is not much of a
> job..
I already do this for haproxy and for apr. But (for haproxy) it seems
to be too specific to be integrated upstream. For other services (such as
tomcat) that don't know privilege dropping it's more problematic as
IP_BINDANY needs root privileges in most cases.

I think that a system wide solution should be a good thing.
Joris
>
>
>> What do you think about it ?
>>
>> Thanks
>> Joris
>>
>> --- a/sys/netinet/in_pcb.c
>> +++ b/sys/netinet/in_pcb.c
>> @@ -321,6 +321,9 @@ in_pcbbind(struct inpcb *inp, struct sockaddr
>> *nam, struct ucred *cred)
>>   *
>>   * On error, the values of *laddrp and *lportp are not changed.
>>   */
>> +static int     bindany = 0; /* 1 allows to bind a non local ip */
>> +SYSCTL_INT(_net_inet_ip, OID_AUTO, bindany, CTLFLAG_RW,&bindany, 0,
>> +    "Allow to bind a non local ip");
>>  int
>>  in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t
>> *laddrp,
>>      u_short *lportp, struct ucred *cred)
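Review bot: the new `static int bindany` and its `SYSCTL_INT` land between the block comment that documents `in_pcbbind_setup()` (the `* On error, the values of *laddrp and *lportp are not changed.` / `*/` lines) and the function's `int` line, which detaches that comment from the function it describes; move the declaration above the comment block. The description string `"Allow to bind a non local ip"` should also state that this is a single global `CTLFLAG_RW` switch affecting every socket on the system and that, unlike the per-socket IP_BINDANY option discussed in the thread (which needs root), it is not gated by any privilege check.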
>> @@ -393,8 +396,12 @@ in_pcbbind_setup(struct inpcb *inp, struct
>> sockaddr *nam, in_addr_t *laddrp,
>>                          * to any endpoint address, local or not.
>>                          */
>>                         if ((inp->inp_flags&  INP_BINDANY) == 0&&
>> -                           ifa_ifwithaddr_check((struct sockaddr *)sin)
>> == 0)
>> -                               return (EADDRNOTAVAIL);
>> +                           ifa_ifwithaddr_check((struct sockaddr *)sin)
>> == 0) {
>> +                               if(bindany>  0)
>> +                                       inp->inp_flags |= INP_BINDANY;
>> +                               else
>> +                                       return (EADDRNOTAVAIL);
>> +                       }
>>                 }
>>                 laddr = sin->sin_addr;
>>                 if (lport) {
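Review bot: the `bindany > 0` branch does more than let the bind proceed: `inp->inp_flags |= INP_BINDANY` marks the socket as if IP_BINDANY had been explicitly set on it, as a side effect of a failed `ifa_ifwithaddr_check()` rather than a per-socket request, and that happens for any caller, privileged or not, once the global is on. If the intent is only to permit this bind, drop the flag assignment and just skip the `return (EADDRNOTAVAIL)`; if setting the flag is intended, say so in a comment beside it. Style: `if(bindany>  0)` should read `if (bindany > 0)` per style(9), or simply `if (bindany)` for an on/off int.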
>> _______________________________________________
>> freebsd-hackers at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
>>
>
>
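The per-socket route Julian mentions ("a single setsockopt() in each one") looks like this in practice. This is an added example, not Joris's patch or FreeBSD code: a hypothetical helper `try_bind()` attempts to bind a TCP socket to an address and reports the errno, with and without the "bind any" option. On FreeBSD the option is IP_BINDANY (which, as the thread notes, needs root); on Linux the assumed equivalent is IP_FREEBIND. The address 192.0.2.1 is a constructed, non-local documentation address, so without the option the bind fails with EADDRNOTAVAIL, which is exactly the return the patch above short-circuits.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Select the per-socket "bind to a non-local address" option for this platform.
 * FreeBSD: IP_BINDANY (requires privilege, as the thread notes).
 * Linux:   IP_FREEBIND (assumed equivalent; settable without privilege). */
#if defined(IP_BINDANY)
#define BINDANY_OPT IP_BINDANY
#define HAVE_BINDANY_OPT 1
#elif defined(IP_FREEBIND)
#define BINDANY_OPT IP_FREEBIND
#define HAVE_BINDANY_OPT 1
#else
#define BINDANY_OPT 0
#define HAVE_BINDANY_OPT 0
#endif

/* Hypothetical helper: try to bind a TCP socket to ip:port.
 * Returns 0 on success, the errno from setsockopt()/bind() on failure,
 * or -1 if no socket could be created at all. */
int try_bind(const char *ip, unsigned short port, int bindany)
{
    struct sockaddr_in sin;
    int fd, one = 1, err = 0;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    if (bindany) {
        if (!HAVE_BINDANY_OPT) {
            close(fd);
            return ENOPROTOOPT;   /* platform has no such option */
        }
        if (setsockopt(fd, IPPROTO_IP, BINDANY_OPT, &one, sizeof(one)) < 0) {
            err = errno;          /* FreeBSD: EPERM when the caller lacks privilege */
            close(fd);
            return err;
        }
    }

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1) {
        close(fd);
        return EINVAL;
    }

    /* Without the option, in_pcbbind_setup() rejects a non-local address
     * with EADDRNOTAVAIL; with it, the bind succeeds before the alias exists. */
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0)
        err = errno;
    close(fd);
    return err;
}

int main(void)
{
    const char *ip = "192.0.2.1";   /* constructed non-local address */
    int e1 = try_bind(ip, 0, 0);
    int e2 = try_bind(ip, 0, 1);

    printf("bind %s without option: %s\n", ip, e1 ? strerror(e1) : "ok");
    printf("bind %s with option:    %s\n", ip, e2 ? strerror(e2) : "ok");
    return 0;
}
```

Port 0 is used so the kernel picks an ephemeral port and no privilege is needed for the port itself; the only thing being exercised is the local-address check. Run as an unprivileged user on FreeBSD and the second call returns EPERM from setsockopt(), which is the privilege requirement Joris mentions for daemons that drop root early.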

