Re: Source IP selection

In reply to: Ian Zimmerman : "Re: Source IP selection"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Paul Mather <paul_at_gromit.dlib.vt.edu>
Date: Thu, 16 Feb 2023 13:02:33 UTC
On Feb 16, 2023, at 12:22 AM, Ian Zimmerman <possessor.assizer305@aceecat.org> wrote:

> On Wed, Feb 15, 2023 at 06:22:40PM -0500, John Levine wrote:
>>> May the kernel choose an address through which there's no route to
>>> the destination?
>> 
>> It knows what addreses it has configured on what interfaces, and
>> what's in its local routing table, not the entire state of the global
>> Internet. The routing table just tells it what interface to use for
>> what networks. I think it does soemthing simple minded like using the
>> first address configured on the interface if you don't override that
>> with bind(). 
>> 
>> If you bind a local address and then tell it to send to a remote
>> address that isn't in the routing table for the interface the address
>> is assigned to, I have no idea what happens. Try it and let us know
>> what happens.
>> 
>> If you told us what you are trying to do, you would get more useful
>> answers.
> 
> Yes, fair enough.
> 
> This is a sysadmin question, not a programming one. I cannot recompile
> every program installed on the system to fix this (if it needs fixing).
> 
> My VPS provider (Linode) gave me a secondary address so my two nodes
> can talk to each other without accruing charges. Note that:
> 
> - it really is an alias on the same interface, *not* a VLAN
> 
> - it is not a publicly routable address (192.168.)
> 
> Here's an excerpt of the configuration, with one obvious change:
> 
> 6+1 ~$ ifconfig vtnet0
> vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>        options=4c00b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
> 	...
>        inet 123.123.123.4 netmask 0xffffff00 broadcast 123.123.123.255
>        inet 192.168.135.161 netmask 0xffff8000 broadcast 192.168.255.255
>        media: Ethernet autoselect (10Gbase-T <full-duplex>)
>        status: active
>        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
> 
> 7+1 ~$ netstat -rn
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            123.123.123.1       UGS      vtnet0
> 123.123.123.0/24    link#1             U        vtnet0
> 123.123.123.4       link#1             UHS         lo0
> 127.0.0.1          link#2             UH          lo0
> 192.168.128.0/17   link#1             U        vtnet0
> 192.168.135.161    link#1             UHS         lo0
> 
> Now I am concerned what happens if something like unbound sends
> to the outside world, in a client role. I don't think it binds its
> socket, how would *it* know which address to use? It lets the kernel
> decide, and I think most client programs do. So, can it get the
> secondary address?


In the specific case of unbound you can use the "outgoing-interface" option in "unbound.conf" to bind to specific IP addresses for outgoing traffic (e.g., to authoritative nameservers).  Similarly, you can use the "interface" option in "unbound.conf" to bind to specific IP addresses or interfaces to limit where you receive queries.

Many services have some similar configuration file/command line option to limit or otherwise specify which IP addresses are bound by the service when operating.

Cheers,

Paul.