[OpenAFS-devel] 1.4.8 has (re) introduced IP address ACL problems?

Derrick Brashear shadow@gmail.com
Wed, 10 Dec 2008 08:34:29 -0500



On Wed, Dec 10, 2008 at 7:30 AM, Felix Frank <Felix.Frank@desy.de> wrote:

>> So I should only have a NetInfo file (as I currently do)?
>>
>> That being the case, why would the IP address ACLs stop working after a
>> period of time, and require the AFS client to be restarted?
>>
>
> You could probably use tcpdump to determine whether interfaces other than
> the ACL'ed NIC are being used by the client. (No, it's not limited to
> TCP.)
>

Since without a bound socket, the kernel may transmit your packets from any
interface and not just the one whose IP address you permit, it's pretty
likely that eventually packets will come from the wrong place. Hence the
-rxbind suggestion.

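The two points in the exchange above, as an added example that is not part of the original posts or of OpenAFS itself: first, what source address the kernel picks for a UDP datagram when the socket is left on INADDR_ANY versus bound to one address (the behaviour -rxbind changes on the cache manager), and second, Felix's tcpdump suggestion made concrete by scanning `tcpdump -n` output for Rx traffic (UDP 7000/7001) to the fileserver that did not leave from the ACL'ed address. The sample tcpdump lines and the RFC 5737 addresses in them are constructed; the 127.0.0.2 contrast in `main()` assumes a Linux host, where the whole 127/8 block sits on lo.

```python
"""Source-address selection for UDP, and a tcpdump scan for misrouted Rx packets.

Added example (not OpenAFS code). Nothing here sends a packet: connect()
on a UDP socket only fixes the source address, so getsockname() afterwards
shows which local IP the kernel would have put on the wire.
"""
import re
import socket

# Rx ports: 7000 is the fileserver, 7001 the cache manager (client).
RX_PORTS = {7000, 7001}


def source_address_for(dest_ip, bind_ip=None, dest_port=7000):
    """Return the local IP the kernel would use for UDP datagrams to dest_ip.

    bind_ip=None leaves the socket on INADDR_ANY (the unbound case Derrick
    describes): the routing table chooses the source per destination.
    With bind_ip set, every datagram carries that source, which is what
    afsd -rxbind achieves for the cache manager's Rx socket.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if bind_ip is not None:
            s.bind((bind_ip, 0))
        s.connect((dest_ip, dest_port))  # no packet leaves; selects source only
        return s.getsockname()[0]


# Matches the IPv4/UDP summary line printed by `tcpdump -n`, e.g.
#   08:31:02.123456 IP 192.0.2.10.7001 > 198.51.100.5.7000: UDP, length 60
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)


def offending_sources(lines, permitted_ip, server_ip):
    """Return the set of source IPs of Rx/UDP datagrams sent to server_ip
    that did not originate from permitted_ip (the address in the IP ACL).

    Run as: tcpdump -n -i any udp port 7000 or udp port 7001
    and feed the lines in; any hit means some other interface is talking."""
    bad = set()
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        if int(m["sport"]) not in RX_PORTS and int(m["dport"]) not in RX_PORTS:
            continue
        if m["dst"] == server_ip and m["src"] != permitted_ip:
            bad.add(m["src"])
    return bad


# Constructed sample: a multi-homed client, ACL'ed on 192.0.2.10, talking to
# fileserver 198.51.100.5. One datagram left from the second NIC instead.
SAMPLE_TCPDUMP = [
    "08:31:02.123456 IP 192.0.2.10.7001 > 198.51.100.5.7000: UDP, length 60",
    "08:31:02.124001 IP 198.51.100.5.7000 > 192.0.2.10.7001: UDP, length 72",
    "08:31:02.125877 IP 203.0.113.7.7001 > 198.51.100.5.7000: UDP, length 60",
    "08:31:02.126002 IP 192.0.2.10.53412 > 192.0.2.1.53: UDP, length 41",
]


def main():
    print("offending sources:", offending_sources(SAMPLE_TCPDUMP, "192.0.2.10", "198.51.100.5"))
    # Assumption: Linux, where 127.0.0.2 is reachable on lo. Unbound, the kernel
    # prefers lo's primary address 127.0.0.1; bound, the chosen address sticks.
    try:
        print("unbound  ->", source_address_for("127.0.0.2"))
        print("bound    ->", source_address_for("127.0.0.2", bind_ip="127.0.0.2"))
    except OSError as exc:
        print("127.0.0.2 demo skipped on this platform:", exc)


if __name__ == "__main__":
    main()
```

On a multi-homed client the unbound case is the one to worry about: a route change, a cached route expiring or a new default route is enough for the kernel to start preferring another interface, which matches the reported symptom of ACLs working for a while and then failing until the client restarts with a freshly bound socket.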