On 1/9/11 3:01 PM, joris dedieu wrote:
---------- Forwarded message ----------
From: joris dedieu<joris.ded...@gmail.com>
Date: 2011/1/9
Subject: Re: binding non local ip.
To: Julian Elischer<jul...@freebsd.org>


2011/1/7 Julian Elischer<jul...@freebsd.org>:
On 1/7/11 4:57 AM, joris dedieu wrote:
Hi,
I need to bind non-local IPs for daemons that don't
implement the IP_BINDANY sockopt.
I'm not sure you need it
you can use the ipfw 'fwd' command to make a locally bound
socket act and look as if it is bound to a non local address

You need to tell us a little more about what you need to do

for example,
Is the socket just listening, or is it initiating?
Listening, I think.
Typically, to prepare a spare server.
eg:
- Failover as with carp but with more complex actions such as shutting
down the power of the main server, checking data consistency, checking if
the problem is not just a reboot or a buggy service that needs to be
restarted.

A listening server can be listening on a local port and address.
Use ipfw 'fwd' to force it to accept a non-local address socket.
The local address of the listening socket will be switched to that
of the address on the session.

e.g.
ipfw add 100 fwd 127.0.0.1,80 tcp from any to 111.123.123.123 in recv em0

your local server listening on 127.0.0.1:80 will end up with a socket with a local
address of 111.123.123.123 even if that is not any address of yours.

- Switch an IP from a main server to an already configured proxy (during a DoS)
- Monitor that the spare service is running.

this is easy as shown above

There are several solutions, such as patching every single daemon
or using carp (you may not want automatic failover), jailing
the process and of course binding INADDR_ANY when possible ...

As I'm too lazy for this, I wrote a little (maybe ugly, as my
kernel knowledge is really low) patch that adds a sysctl
entry in net.inet.ip that allows binding non-local IPs. It's
maybe buggy and insecure but it seems to work.
seems ok, but if the daemon is initiating, how does it know to bind to a
non-local address?
It doesn't know. That's the goal. So when the address becomes local
it's already ready. So you don't discover that it's misconfigured or
broken, or whatever else your dummy colleague has imagined :) . You or a
script ifconfig the alias and go back to bed!
also, if you have source, a single setsockopt() in each one is not much of a
job..
I already do this for haproxy and for apr. But (for haproxy) it seems
to be too specific to be integrated upstream. For other services (such as
tomcat) that don't know about privilege dropping it's more problematic, as
IP_BINDANY needs root privileges in most cases.

I think that a system-wide solution would be a good thing.
Joris
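An added example (my own code, not from this thread or from any of the daemons mentioned) of the per-daemon setsockopt() Julian refers to: the option is set before bind(), while the process still has the privilege it needs, and is followed by the privilege drop that Joris notes most daemons lack. It assumes FreeBSD's IP_BINDANY and, on Linux, falls back to the equivalent IP_FREEBIND option.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Linux names FreeBSD's IP_BINDANY IP_FREEBIND; the semantics match for this use. */
#ifndef IP_BINDANY
#define IP_BINDANY IP_FREEBIND
#endif

/* Create a TCP listening socket on ip:port even when ip is not (yet) local.
 * On FreeBSD the kernel only grants IP_BINDANY to root, so this has to run
 * before the daemon drops privileges. Returns the fd, or -1 with errno set. */
int listen_nonlocal(const char *ip, uint16_t port)
{
    struct sockaddr_in sin;
    int fd, one = 1, saved;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    /* The option must be set before bind(), or bind() rejects the address. */
    if (setsockopt(fd, IPPROTO_IP, IP_BINDANY, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 16) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Call once bound: give up root so the daemon never keeps the privilege that
 * IP_BINDANY required. Returns 0 only if the drop is irrevocable. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if ((geteuid() == 0 && setgroups(0, NULL) < 0) ||
        setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;   /* regaining root must now fail */
}
```

A daemon using this would call listen_nonlocal() as root, then drop_privileges() before accepting any connection; a non-root process can still bind local addresses through the same path.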


_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"