[OpenAFS-devel] 1.4.8 has (re) introduced IP address ACL problems?

Jeffrey Hutzelman jhutz@cmu.edu
Thu, 11 Dec 2008 10:35:08 -0500


--On Wednesday, December 10, 2008 08:32:07 PM -0500 Jason Edgecombe 
<jason@rampaginggeek.com> wrote:

> Jeffrey Hutzelman wrote:
>> --On Monday, December 08, 2008 10:47:42 PM -0500 Jeffrey Altman
>> <jaltman@secure-endpoints.com> wrote:
>>
>>> Deon George wrote:
>>>> The server has many NICs - and thus each NIC has its own address (and
>>>> subnet). (Each NIC only has 1 address).
>>>>
>>>> Thus, I have limited the address that openafs uses using a NetInfo file
>>>> (in /usr/afs/local and in /usr/vice/etc).
>>>>
>>>> [root@penguin local]# cat /usr/afs/local/NetInfo
>>>> 10.1.3.1
>>>> [root@penguin local]# cat /usr/vice/etc/NetInfo
>>>> 10.1.3.1
>>>>
>>>> ...deon
>>>
>>> The NetRestrict file would remove unwanted addresses.  The NetInfo
>>> file adds addresses that otherwise would be unknown.
>>>
>>> See the man pages.  http://www.openafs.org/manpages/
>>
>> That man page does not agree with my recollection of how the software
>> actually works.  Since I just checked the code and my recollection
>> agrees with the code, the man page is wrong.
>>
>> The NetInfo file restricts the set of interfaces that can be used, and
>> has the behavior Deon expects.  If a NetInfo file is present, then
>> only addresses listed in it are advertised, period.  If a NetRestrict
>> file is present, then addresses contained in it are _not_ listed.  If
>> both files are present, then both sets of restrictions apply.
>> Further, even if an address is listed in NetInfo, it is not advertised
>> unless it also appears on an interface or is prefixed by 'F'.
> Does the man page need to be corrected, and if so, what needs to be
> changed?

I think the man page needs to be corrected to say what I said, and the 
NetRestrict page may need a similar update.  I'll give an alternate 
explanation; feel free to use any text you want from either...

When any of the components that use these starts, it collects a list of 
network interfaces from the OS.  If the NetInfo file exists, any addresses 
not listed there are removed, and any addresses prefixed with an 'F' are 
added, even if there is no interface with that address.  Then, if the 
NetRestrict file exists, any addresses listed there are removed.  The 
resulting list is used for the addresses the CM advertises to fileservers, 
or the address the FS registers in the VLDB, or the addresses a Ubik server 
advertises to its peers.


-- Jeff
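The three-step filtering Jeff describes (OS interface list, then NetInfo as a whitelist plus 'F'-forced additions, then NetRestrict removals), written out as an added example. This is not OpenAFS code and does not reproduce its parser; it assumes plain one-address-per-line files with an optional leading 'F' in NetInfo only, ignores blank or malformed lines, and feeds the file bodies and interface list in from constructed strings rather than reading /usr/afs/local/NetInfo. The function names (parse_netfile, advertised_addrs, count_advertised, advertises) are hypothetical. The sample uses Deon's 10.1.3.1 plus made-up interface and NetInfo addresses.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>

#define MAX_ADDRS 32

typedef struct {
    char text[INET_ADDRSTRLEN];   /* normalized dotted quad */
    int  forced;                  /* 1 if the NetInfo line carried an 'F' prefix */
} netaddr;

/* Constructed stand-in for what the OS would report; not real interfaces. */
const char *const SAMPLE_IFACES[] = { "10.1.3.1", "192.168.1.1", "172.16.0.1" };
#define N_SAMPLE_IFACES 3

/* Hypothetical parser for a NetInfo/NetRestrict body: one IPv4 address per
 * line, optional leading 'F' honoured only when allow_force is set (NetInfo).
 * Blank or malformed lines are skipped.  Returns the number of entries. */
static int parse_netfile(const char *body, int allow_force, netaddr *out, int max)
{
    int n = 0;
    const char *p = body;
    while (*p && n < max) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        char line[128];
        size_t copy = linelen < sizeof line ? linelen : sizeof line - 1;
        memcpy(line, p, copy);
        line[copy] = '\0';
        p += linelen + (eol ? 1 : 0);

        char *s = line;
        while (isspace((unsigned char)*s)) s++;
        int forced = 0;
        if (allow_force && *s == 'F') {          /* 'F' = add even if no interface */
            forced = 1;
            s++;
            while (isspace((unsigned char)*s)) s++;
        }
        char *e = s;
        while (*e && !isspace((unsigned char)*e)) e++;
        *e = '\0';
        struct in_addr a;
        if (*s == '\0' || inet_pton(AF_INET, s, &a) != 1)
            continue;                            /* blank or not an IPv4 address */
        inet_ntop(AF_INET, &a, out[n].text, sizeof out[n].text);
        out[n].forced = forced;
        n++;
    }
    return n;
}

static int find(const netaddr *list, int n, const char *text)
{
    for (int i = 0; i < n; i++)
        if (strcmp(list[i].text, text) == 0) return i;
    return -1;
}

/* Address list a component would advertise, in the order the message gives:
 * OS interfaces -> NetInfo whitelist and 'F' additions -> NetRestrict
 * removals.  Pass NULL for netinfo/netrestrict to model an absent file. */
int advertised_addrs(const char *const *ifaces, int nif,
                     const char *netinfo, const char *netrestrict,
                     netaddr *out, int max)
{
    netaddr info[MAX_ADDRS], deny[MAX_ADDRS];
    int n = 0;

    /* Step 1: start from what the OS reports. */
    for (int i = 0; i < nif && n < max; i++) {
        struct in_addr a;
        if (inet_pton(AF_INET, ifaces[i], &a) != 1) continue;
        inet_ntop(AF_INET, &a, out[n].text, sizeof out[n].text);
        out[n].forced = 0;
        n++;
    }
    /* Step 2: NetInfo present => drop interface addresses not listed, then add
     * every 'F' entry.  An unprefixed entry with no interface is never added. */
    if (netinfo) {
        int ni = parse_netfile(netinfo, 1, info, MAX_ADDRS), kept = 0;
        for (int i = 0; i < n; i++)
            if (find(info, ni, out[i].text) >= 0) out[kept++] = out[i];
        n = kept;
        for (int i = 0; i < ni && n < max; i++)
            if (info[i].forced && find(out, n, info[i].text) < 0) out[n++] = info[i];
    }
    /* Step 3: NetRestrict present => remove anything listed, forced or not. */
    if (netrestrict) {
        int nr = parse_netfile(netrestrict, 0, deny, MAX_ADDRS), kept = 0;
        for (int i = 0; i < n; i++)
            if (find(deny, nr, out[i].text) < 0) out[kept++] = out[i];
        n = kept;
    }
    return n;
}

int count_advertised(const char *const *ifaces, int nif, const char *ni, const char *nr)
{
    netaddr out[MAX_ADDRS];
    return advertised_addrs(ifaces, nif, ni, nr, out, MAX_ADDRS);
}

int advertises(const char *const *ifaces, int nif, const char *ni, const char *nr, const char *addr)
{
    netaddr out[MAX_ADDRS];
    int n = advertised_addrs(ifaces, nif, ni, nr, out, MAX_ADDRS);
    return find(out, n, addr) >= 0;
}

int main(void)
{
    netaddr out[MAX_ADDRS];
    int n = advertised_addrs(SAMPLE_IFACES, N_SAMPLE_IFACES,
                             "10.1.3.1\nF 203.0.113.5\n192.0.2.9\n",   /* NetInfo */
                             "203.0.113.5\n",                           /* NetRestrict */
                             out, MAX_ADDRS);
    for (int i = 0; i < n; i++) printf("advertise %s\n", out[i].text);
    return 0;
}
```

With Deon's single-line NetInfo of 10.1.3.1 and no NetRestrict, the three sample interfaces collapse to just 10.1.3.1, which is the behaviour he expects. The 192.0.2.9 entry shows the caveat from the thread: listed in NetInfo without an 'F' and absent from any interface, it is never advertised. Note that the example applies NetRestrict after the 'F' additions, as the message orders the steps, so a forced address can still be removed by NetRestrict.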