[OpenAFS-devel] 1.4.8 has (re) introduced IP address ACL problems?
Jeffrey Hutzelman
jhutz@cmu.edu
Tue, 09 Dec 2008 03:36:57 -0500
--On Monday, December 08, 2008 10:47:42 PM -0500 Jeffrey Altman
<jaltman@secure-endpoints.com> wrote:
> Deon George wrote:
>> The server has many NICs - and thus each NIC has its own address (and
>> subnet). (Each NIC only has 1 address).
>>
>> Thus, I have limited the address that openafs uses using a NetInfo file
>> (in /usr/afs/local and in /usr/vice/etc).
>>
>> [root@penguin local]# cat /usr/afs/local/NetInfo
>> 10.1.3.1
>> [root@penguin local]# cat /usr/vice/etc/NetInfo
>> 10.1.3.1
>>
>> ...deon
>
> The NetRestrict file would remove unwanted addresses. The NetInfo
> file adds addresses that otherwise would be unknown.
>
> See the man pages. http://www.openafs.org/manpages/

That man page does not agree with my recollection of how the software
actually works. Since I just checked the code and my recollection agrees
with the code, the man page is wrong.

The NetInfo file restricts the set of interfaces that can be used, and has
the behavior Deon expects. If a NetInfo file is present, then only
addresses listed in it are advertised, period. If a NetRestrict file is
present, then addresses contained in it are _not_ listed. If both files
are present, then both sets of restrictions apply. Further, even if an
address is listed in NetInfo, it is not advertised unless it also appears
on an interface or is prefixed by 'F'.

-- Jeff
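
The rules described in the message above, as an added Python sketch that is not part of the original post and is not OpenAFS code. It models only what the message states; the function names, the exact 'F' line syntax, the choice to apply NetRestrict to 'F' entries as well, and every address other than 10.1.3.1 are assumptions.

```python
# Added illustration: models the NetInfo/NetRestrict rules as stated in the
# message. Not OpenAFS code; IPv4 only; no syntax beyond plain addresses.
from ipaddress import IPv4Address


def parse_netinfo(text):
    """Return (address, forced) pairs; forced means the line had an 'F' prefix."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Assumption: the prefix is the letter F or f, optionally followed by spaces.
        forced = line[0] in "Ff"
        if forced:
            line = line[1:].strip()
        entries.append((IPv4Address(line), forced))
    return entries


def parse_netrestrict(text):
    """Return the set of addresses that must not be advertised."""
    return {IPv4Address(l.strip()) for l in text.splitlines() if l.strip()}


def advertised(interfaces, netinfo=None, netrestrict=None):
    """interfaces: addresses configured on NICs.
    netinfo / netrestrict: file contents, or None when the file is absent."""
    ifaces = [IPv4Address(a) for a in interfaces]
    if netinfo is None:
        candidates = list(ifaces)          # no NetInfo: every interface address
    else:
        # NetInfo present: only listed addresses, and only if they are on an
        # interface or carry the 'F' prefix.
        candidates = [a for a, forced in parse_netinfo(netinfo)
                      if forced or a in ifaces]
    # Assumption: NetRestrict also removes 'F' entries ("both sets apply").
    restricted = parse_netrestrict(netrestrict) if netrestrict is not None else set()
    result = []
    for a in candidates:
        if a not in restricted and a not in result:
            result.append(a)
    return [str(a) for a in result]


if __name__ == "__main__":
    # Constructed multi-homed host; only 10.1.3.1 comes from the thread.
    nics = ["10.1.3.1", "192.168.0.5", "172.16.9.2"]
    print(advertised(nics, netinfo="10.1.3.1\n"))   # the setup quoted above
```

Comparing the output of such a model with the addresses a server actually registers is a quick way to confirm that IP-address ACL entries refer to the address clients and servers will see.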