Unroutable packet to specific IP forces process to run

Aryeh Friedman aryeh.friedman at gmail.com
Thu Aug 6 22:13:56 UTC 2020


On Thu, Aug 6, 2020 at 5:58 PM Don Wilde <dwilde1 at gmail.com> wrote:

>
> On 8/6/20 2:40 PM, Aryeh Friedman wrote:
>
>
>
> On Thu, Aug 6, 2020 at 5:39 PM Don Wilde <dwilde1 at gmail.com> wrote:
>
>>
>> On 8/6/20 2:35 PM, Aryeh Friedman wrote:
>>
>>
>>
>> On Thu, Aug 6, 2020 at 5:33 PM Don Wilde <dwilde1 at gmail.com> wrote:
>>
>>>
>>> On 8/6/20 2:30 PM, Aryeh Friedman wrote:
>>> > I have a VPN that has stability problems (the fault of the ISP, and they
>>> > admit it). I have set up one of my FreeBSD machines as a router for that
>>> > specific VPN:
>>> > # on non-gateway machines in /etc/rc.conf
>>> > static_routes="internalnet2"
>>> > route_internalnet2="-net 10.31.10.0/24 192.168.11.60"
>>> >
>>> > Is there any way to force the gateway machine to run a preset command
>>> > if 10.31.10.0/24 is unreachable?  (i.e. reset the connection)
>>> What about a simple scripted cron-job ping, Aryeh? Sometimes the
>>> simplest solutions are the best.
>>>
>>
>> The amount of time the connection stays up is unpredictable, and due to the
>> use case it needs to be repaired immediately if down (not even a 5 min
>> delay for cron to do its normal wake up and look for a job is acceptable).
>>
>> Understood.
>>
>> So how about a simple C daemon that pings every ten seconds? Just set the
>> ping count to 1.
>>
>
> System load.  (the gateway also hosts 3 moderately used VM's)
>
>
> Okay, so forget a system() call to ping. Send a packet directly to
> something on the target from the C code. Even simpler, just call
> getaddrinfo() on host:port of a machine at the "other" end.
>

I have written ICMP (a clone of ping with some extras covered by an NDA) in
the past, and this is not as simple as it sounds (I thought it was an
afternoon project; it ended up taking 3 weeks [I learned a lot though]).

> Honestly, I don't think you can get any simpler than this, Aryeh. There's
> only so much you can juggle, and no existing package is going to be any
> faster or more specifically better than what you code yourself.
>
I know a site that has done just this and gone a step farther and has a
per-user ACL for access to the net (it is a public-access free shell
provider, m-net.arbornet.org), and it works perfectly with almost zero system
load (they did say it took a kernel modification, hence my looking for a
better way).

> We also, IIRC, talked about how your bosses are screwing you out of
> necessary resources. Sooner or later you're going to have to address that
> issue head-on, but YMMV and beyond what we've already discussed it's not my
> business.
>

Client and not boss in this case (I am a freelancer), and in this case the
cost of a second license is greater than their annual income (the vendor
has a really odd pricing model, since the first license is quite affordable
and every one after 2 is affordable, but the second one is not), and thus I
actually agree with them that it is not an option.


-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
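As an added example that is not part of the thread and not code from either poster: the question is how the gateway can notice that 10.31.10.0/24 has become unroutable and run a preset command, without the load of forking `ping` from cron or writing a raw-ICMP probe. One cheap check is a `connect()` on an unconnected UDP socket: the kernel only records the peer and selects a route, sends nothing, and fails immediately with `ENETUNREACH` or `EHOSTUNREACH` when the routing table has no entry for the destination. The watcher below does that every few seconds and runs a reset command after several consecutive failures, with a cooldown so a slow reconnect does not get reset again. The probe address 10.31.10.1, the interval and threshold values, and the command `/usr/local/sbin/vpn-reset` are all assumptions for illustration, not anything the thread specifies.

```c
/* Added example: a low-overhead route watcher for the VPN gateway.
 * Checks whether an address inside 10.31.10.0/24 is routable by asking the
 * kernel's routing table (UDP connect(), no packet sent) and runs a preset
 * repair command after repeated failures. All constants below are assumed
 * values for illustration, not taken from the thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <time.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PROBE_ADDR     "10.31.10.1"             /* any host inside the VPN subnet (assumed) */
#define PROBE_PORT     9                        /* never used on the wire; connect() sends nothing */
#define INTERVAL_SEC   10                       /* check period */
#define FAIL_THRESHOLD 3                        /* consecutive failures before acting */
#define COOLDOWN_SEC   60                       /* minimum gap between two resets */
#define RESET_CMD      "/usr/local/sbin/vpn-reset"  /* hypothetical repair command */

/* errno values meaning "the kernel has no usable route to this address". */
int is_unreachable_errno(int e) {
    return e == ENETUNREACH || e == EHOSTUNREACH || e == ENETDOWN;
}

/* Ask the routing table whether dst is routable without sending a packet.
 * Returns 1 (route exists), 0 (no route), -1 (setup error; errno in *err). */
int route_exists(const char *dst, int *err) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(PROBE_PORT);
    if (inet_pton(AF_INET, dst, &sa.sin_addr) != 1) {
        if (err) *err = EINVAL;
        return -1;
    }
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        if (err) *err = errno;
        return -1;
    }
    int rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    int saved = errno;      /* capture before close() can clobber it */
    close(fd);
    if (rc == 0) return 1;
    if (err) *err = saved;
    return is_unreachable_errno(saved) ? 0 : -1;
}

/* Decision state: act only after FAIL_THRESHOLD consecutive failures, and
 * not again until COOLDOWN_SEC have passed since the last reset. */
struct watch_state {
    int consecutive_failures;
    long last_reset_at;     /* 0 means "never reset" */
};

/* Feed one observation; returns 1 when the reset command should run now. */
int should_trigger(struct watch_state *st, int routable, long now) {
    if (routable) {
        st->consecutive_failures = 0;
        return 0;
    }
    st->consecutive_failures++;
    if (st->consecutive_failures < FAIL_THRESHOLD) return 0;
    if (st->last_reset_at != 0 && now - st->last_reset_at < COOLDOWN_SEC) return 0;
    st->last_reset_at = now;
    st->consecutive_failures = 0;
    return 1;
}

int main(void) {
    struct watch_state st = {0, 0};
    for (;;) {
        int e = 0;
        int r = route_exists(PROBE_ADDR, &e);
        if (r < 0) {
            /* Local setup problem, not a routing verdict: log it, do not count it. */
            fprintf(stderr, "probe error: %s\n", strerror(e));
        } else if (should_trigger(&st, r, (long)time(NULL))) {
            fprintf(stderr, "no route to %s, running %s\n", PROBE_ADDR, RESET_CMD);
            int rc = system(RESET_CMD);
            if (rc != 0) fprintf(stderr, "%s exited with status %d\n", RESET_CMD, rc);
        }
        sleep(INTERVAL_SEC);
    }
}
```

Two caveats worth keeping in mind: this must run on the gateway itself, because on the non-gateway machines the static route from the thread always exists (it points at 192.168.11.60) whether or not the tunnel is up; and the check only proves the routing table has an entry, so a tunnel interface that stays up while the far side is silently dead will not be caught, which is where an occasional real probe still belongs. The cost per check is one socket and one routing lookup, which is the part that answers the system-load objection.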