Fwd: binding non local ip.

Julian Elischer julian at freebsd.org
Tue Jan 11 19:01:02 UTC 2011


On 1/9/11 3:01 PM, joris dedieu wrote:
> ---------- Forwarded message ----------
> From: joris dedieu<joris.dedieu at gmail.com>
> Date: 2011/1/9
> Subject: Re: binding non local ip.
> To: Julian Elischer<julian at freebsd.org>
>
>
> 2011/1/7 Julian Elischer<julian at freebsd.org>:
>> On 1/7/11 4:57 AM, joris dedieu wrote:
>>> Hi,
>>> I need to bind non-local IPs for daemons that don't
>>> implement the IP_BINDANY sockopt.
>> I'm not sure you need it
>> you can use the ipfw 'fwd' command to make a locally bound
>> socket act and look as if it is bound to a non local address
>>
>> You need to tell us a little more about what you need to do
>>
>> for example,
>> Is the socket just listening? or is it initiating?
> listening I think.
> Typically prepare a spare server.
> eg:
> - Failover as with carp but with more complex actions such as shutting
> down the power of the main server, checking data consistency, checking if
> the problem is not just a reboot or a buggy service that needs to be
> restarted.

A listening server can be listening on a local port and address.
Use ipfw 'fwd' to force it to accept a non-local address socket.
The local address of the listening socket will be switched to that
of the address on the session.

e.g.
ipfw add 100 fwd 127.0.0.1,80 tcp from any to 111.123.123.123 in recv em0

your local server listening on 127.0.0.1:80 will end up with a socket
with a local address of 111.123.123.123 even if that is not any address
of yours.

> - Switch an IP from a main server to an already configured proxy (during a DoS)
> - monitor that spare service is running.

This is easy, as shown above.

>>> There are several solutions as patching every single daemon
>>> or using carp (You may not want automatic failover), jailing
>>> the process and of course binding INADDR_ANY when possible ...
>>>
>>> As I'm too lazy for this, I wrote a little (maybe ugly as my
>>> kernel knowledge is really low) patch that adds a sysctl
>>> entry in net.inet.ip that allows binding non-local IPs. It's
>>> maybe buggy and insecure but it seems to work.
>> seems ok, but if the daemon is initiating, how does it know to bind to a non
>> local address?
> It doesn't know. That's the goal. So when the address becomes local
> it's already ready. So you don't discover that it's misconfigured or
> broken, or whatever else your dummy colleague has imagined :) . You or a
> script ifconfig the alias and go back to bed!
>> also. if you have source, a single setsockopt() in each one is not much of a
>> job..
> I already do this for haproxy and for apr. But (for haproxy) it seems
> to be too specific to be integrated upstream. For other services (such as
> Tomcat) that don't know about privilege dropping it's more problematic as
> IP_BINDANY needs root privileges in most cases.
>
> I think that a system wide solution should be a good thing.
> Joris
>>

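The two approaches discussed in the thread differ in where the non-local address shows up: with the ipfw 'fwd' rule the daemon binds 127.0.0.1:80 and the kernel hands it accepted sockets whose local address is the forwarded destination (on FreeBSD 8.x the rule only works with `options IPFIREWALL_FORWARD` compiled into the kernel); with IP_BINDANY the daemon itself binds the not-yet-configured address, which is the "single setsockopt()" Julian refers to. The following is an added example written for this page, not code from the thread or from any of the daemons mentioned. It shows that setsockopt placed before bind(), and uses getsockname() to show what the kernel then reports as the listener's local address. Assumptions: the function names are mine; on FreeBSD the option is IP_BINDANY (root only, as the thread notes, so a daemon that drops privileges must set it first), and as a portable fallback the example uses Linux's IP_FREEBIND, which has the same effect on bind() but needs no privilege; 203.0.113.10 is a TEST-NET-3 address chosen because it is not configured on any host.

```c
/* Bind a TCP listener to an address that is not (yet) configured on any
 * interface, the way a daemon with IP_BINDANY support would.
 * Added example for this page; not code from the thread. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* FreeBSD spells the option IP_BINDANY (needs root); Linux's IP_FREEBIND
 * has the same effect on bind() and needs no privilege. Assumption: one of
 * the two is provided by <netinet/in.h>. */
#if defined(IP_BINDANY)
#  define NONLOCAL_BIND_OPT IP_BINDANY
#elif defined(IP_FREEBIND)
#  define NONLOCAL_BIND_OPT IP_FREEBIND
#else
#  define NONLOCAL_BIND_OPT (-1)
#endif

/* Create a TCP listener on ip:port. With allow_nonlocal set, the option is
 * applied before bind() so an address that is not configured on any
 * interface is accepted. Returns the listening fd, or -errno on failure. */
int listen_nonlocal(const char *ip, uint16_t port, int allow_nonlocal)
{
    struct sockaddr_in sin;
    int fd, one = 1, saved;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return -EINVAL;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    /* SO_REUSEADDR lets a failed-over service rebind right after the old
     * instance exits instead of waiting out TIME_WAIT. */
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0)
        goto fail;

    if (allow_nonlocal) {
        if (NONLOCAL_BIND_OPT < 0) {
            errno = ENOPROTOOPT;
            goto fail;
        }
        /* The one call the thread says each daemon would need. It must run
         * before bind() and, on FreeBSD, before any privilege drop. */
        if (setsockopt(fd, IPPROTO_IP, NONLOCAL_BIND_OPT, &one, sizeof one) < 0)
            goto fail;
    }

    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0)
        goto fail;
    if (listen(fd, 16) < 0)
        goto fail;
    return fd;

fail:
    saved = errno;
    close(fd);
    return -saved;
}

/* Fill buf with the local address the kernel reports for fd. A daemon behind
 * an ipfw 'fwd' rule sees the forwarded address here on each accepted socket;
 * an IP_BINDANY listener sees it on the listener itself. Returns 0 or -errno. */
int local_addr(int fd, char *buf, size_t buflen, uint16_t *port)
{
    struct sockaddr_in sin;
    socklen_t slen = sizeof sin;

    if (getsockname(fd, (struct sockaddr *)&sin, &slen) < 0)
        return -errno;
    if (inet_ntop(AF_INET, &sin.sin_addr, buf, (socklen_t)buflen) == NULL)
        return -errno;
    if (port)
        *port = ntohs(sin.sin_port);
    return 0;
}

/* Bind ip with the non-local option and check what the kernel reports:
 * 1 if the listener carries exactly that address, 0 if it reports something
 * else, -errno if the bind failed. The socket is closed before returning. */
int nonlocal_listener_reports(const char *ip)
{
    char buf[INET_ADDRSTRLEN];
    int fd = listen_nonlocal(ip, 0, 1), rc;

    if (fd < 0)
        return fd;
    rc = local_addr(fd, buf, sizeof buf, NULL);
    close(fd);
    if (rc < 0)
        return rc;
    return strcmp(buf, ip) == 0;
}

int main(int argc, char **argv)
{
    const char *ip = argc > 1 ? argv[1] : "203.0.113.10"; /* TEST-NET-3, local nowhere */
    int fd = listen_nonlocal(ip, 0, 0);

    printf("plain bind to %s: %s\n", ip, fd < 0 ? strerror(-fd) : "ok");
    if (fd >= 0)
        close(fd);
    printf("bind with non-local option, kernel reports %s: %d\n",
           ip, nonlocal_listener_reports(ip));
    return 0;
}
```

Without the option, bind() on an unconfigured address fails with EADDRNOTAVAIL; with it, the listener is created and getsockname() already reports the spare address, so the service is ready before anyone runs ifconfig to add the alias.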


More information about the freebsd-hackers mailing list