Within WestGrid, we have a need to have static unicast ports for venues so that firewall administrators can limit the ports required to be opened for AG usage. Assigning static multicast ports is easy; however, assigning static unicast ports is not.
I thought I'd post to the list the small hacks I've implemented to achieve static unicast ports on our Venueserver/Bridgeservers.

For background, WestGrid utilizes static multicast addresses from the Netera Alliance glop space (233.59.192.x) which we have authorization to use. We also use a port numbering convention that utilizes ports in the range of 60500 - 60800 for these multicast addresses/venues. For static unicast ports, we use a 'multicast port - 10000' convention - so our unicast range is 50500 - 50800.

For AG3 bridging, we still want to offer the bridge to users not using the WestGrid Venueserver - so I start the bridge giving a range of usable ports outside of our statically used range (55000-57000). I then added a check in /usr/bin/Bridge to statically assign WestGrid venues while leaving non-WestGrid venues to be assigned within the range assigned above.

Disclaimer - I am not a doctor nor do I play one on TV. I'm not sure if there are any side effects to using this hack - so don't blame me if something breaks ;-) To use this hack you'll need access to a multicast glop space and you need to make sure your static port range will not collide with your non-static port range since all checks are bypassed.

This is the code I added at line 59 of /usr/bin/Bridge - just after the 'uaddr = SystemConfig.instance().GetHostname()' line:

    uport = None
    if mnl["host"].startswith("233.59.192"):
        uport = mnl["port"] - 10000

Then changed lines 64/65 from:

    retBridge = self.bridgeFactory.CreateBridge(id=mnl["id"], maddr=mnl["host"],
                                                mport=mnl["port"], mttl=mnl["ttl"],
                                                uaddr=uaddr, uport=None)

to

    retBridge = self.bridgeFactory.CreateBridge(id=mnl["id"], maddr=mnl["host"],
                                                mport=mnl["port"], mttl=mnl["ttl"],
                                                uaddr=uaddr, uport=uport)

For AG2.4, the hack was easier since we were only bridging our own venueserver - so we didn't have to worry about setting up bridges outside of our range.
I added the following at line 560 (just after 'uport = 0' in __AddBridge):

    uport = streamDesc.location.port - 10000

I then commented out the following lines 561-571 (the port allocation part) since we no longer need to allocate ports. I've attached diffs for anyone interested.

These hacks are just that - hacks - and I wouldn't recommend using them; however I know other people are in the same circumstance as WestGrid and need to limit port usage for security administrators. If anyone has any thoughts/ideas on how best to implement these in a better/more practical and configurable way I'd be interested to hear (I suppose we could add a static bridge section to the bridge config file etc.) and perhaps I could look at coding something up for inclusion in the main source.

Cheers,
Todd
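One way to make the range and collision checks that the hack bypasses explicit, as an added Python example that is not code from the post or from the AccessGrid Bridge itself (the constants, ranges and function names are assumptions mirroring the conventions described above):

```python
import ipaddress

# Constructed configuration mirroring the conventions described in the post.
# These are assumptions for illustration, not values from the AG source.
GLOP_PREFIX = ipaddress.ip_network("233.59.192.0/24")  # site's glop block
STATIC_MCAST_RANGE = (60500, 60800)   # multicast ports used for site venues
UNICAST_OFFSET = 10000                # unicast port = multicast port - 10000
DYNAMIC_UCAST_RANGE = (55000, 57000)  # range given to Bridge for other venues


def static_unicast_port(maddr, mport):
    """Return the static unicast port for a site venue, or None when the
    venue should fall back to Bridge's dynamic allocation.

    Raises ValueError when the multicast port is outside the agreed static
    range or the derived unicast port would land inside the dynamic range,
    because Bridge performs no checks of its own once uport is supplied.
    """
    if ipaddress.ip_address(maddr) not in GLOP_PREFIX:
        return None  # not one of our venues: let Bridge allocate dynamically
    lo, hi = STATIC_MCAST_RANGE
    if not lo <= mport <= hi:
        raise ValueError(f"multicast port {mport} outside static range {lo}-{hi}")
    uport = mport - UNICAST_OFFSET
    dlo, dhi = DYNAMIC_UCAST_RANGE
    if dlo <= uport <= dhi:
        raise ValueError(f"unicast port {uport} collides with dynamic range {dlo}-{dhi}")
    return uport


def firewall_unicast_ports():
    """Unicast port span a firewall administrator needs to open for site venues."""
    lo, hi = STATIC_MCAST_RANGE
    return (lo - UNICAST_OFFSET, hi - UNICAST_OFFSET)
```

The address test uses a proper prefix match rather than a string prefix, so an address such as 233.59.1920.x cannot accidentally match.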

