[OpenAFS-devel] 1.4.8 has (re) introduced IP address ACL problems?

Jeffrey Hutzelman jhutz@cmu.edu
Thu, 11 Dec 2008 11:27:57 -0500


--On Wednesday, December 10, 2008 08:34:29 AM -0500 Derrick Brashear 
<shadow@gmail.com> wrote:

> On Wed, Dec 10, 2008 at 7:30 AM, Felix Frank <Felix.Frank@desy.de> wrote:
>
>> So I should only have a NetInfo file (as I currently do)?
>>>
>>> That being the case, why would the IP address ACLs stop working after a
>>> period of time, and required the AFS client to be restarted?
>>>
>>
>> You could probably use tcpdump to determine whether interfaces other than
>> the ACL'ed NIC are being used by the client. (No, it's not limited to
>> TCP.)
>>
>
> Since without a bound socket, the kernel may transmit your packets from
> any interface and not just the one whose IP address you permit, it's
> pretty likely that eventually packets will come from the wrong place.
> Hence the -rxbind suggestion.

Furthermore, the fileserver bases its access control decisions on the 
address that you actually used, never on one you advertise.  The fileserver 
caches the result of this lookup, so changing source addresses will not 
immediately result in a change in access rights, but since the cache is 
refreshed periodically, it can result in a change later.

If you have a multi-homed machine and want to be sure you are getting the 
access rights you intend, you need to either put all of the machine's 
addresses on the ACL, or ensure that all requests sent to the fileserver 
come from the address you intended.  rxbind is one way to accomplish the 
latter.

-- Jeff
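As an added illustration of the behaviour Jeff describes (example code written for this page, not OpenAFS source), here is a small Python model of a fileserver that grants IP-ACL rights from the address a request actually arrived from and caches that decision per client until a periodic refresh. The client name, the two NIC addresses, the cache lifetime and the request timeline are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class HostRightsCache:
    """Simplified model (hypothetical, not OpenAFS code) of a fileserver that
    decides IP-based ACL rights from the source address a request actually
    arrived from, and caches that decision per client for `ttl` seconds."""
    acl: frozenset          # addresses granted by the IP ACL entry
    ttl: float              # seconds a cached decision is reused before refresh
    cache: dict = field(default_factory=dict)  # client -> (allowed, expires_at)

    def check(self, client, src_ip, now):
        """Return True if `client`, sending from `src_ip` at time `now`, is
        granted access.  Addresses the client advertises are never consulted;
        only the packet's source address at refresh time matters."""
        entry = self.cache.get(client)
        if entry is not None and now < entry[1]:
            return entry[0]                     # cached, possibly stale
        allowed = src_ip in self.acl            # fresh lookup on actual source
        self.cache[client] = (allowed, now + self.ttl)
        return allowed


def replay(acl, ttl, requests):
    """Run a sequence of (time, src_ip) requests from one multi-homed client
    against a fresh fileserver model and return the list of access decisions."""
    fs = HostRightsCache(frozenset(acl), ttl)
    return [fs.check("client-A", ip, t) for t, ip in requests]


# Constructed scenario: the ACL lists only the first NIC, the client socket is
# unbound, so the kernel picks whichever source address it likes per packet.
REQUESTS = [(0, "10.0.0.5"), (10, "192.168.1.5"), (70, "192.168.1.5"),
            (80, "10.0.0.5"), (140, "10.0.0.5")]

if __name__ == "__main__":
    # One address on the ACL: rights flip each time the cache refreshes.
    print(replay({"10.0.0.5"}, 60, REQUESTS))
    # Fix 1: every address of the multi-homed host on the ACL.
    print(replay({"10.0.0.5", "192.168.1.5"}, 60, REQUESTS))
    # Fix 2: the -rxbind approach, every packet leaves from the permitted address.
    print(replay({"10.0.0.5"}, 60, [(t, "10.0.0.5") for t, _ in REQUESTS]))
```

The first replay shows the "works for a while, then stops" symptom from the thread: the stale cache hides the wrong source address until the refresh at t=70, and then hides the right one until t=140.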