[OpenAFS] NetRestrict'd interfaces still talk to AFS (Linux)

Derrick J Brashear shadow@dementia.org
Mon, 28 Jun 2004 16:07:57 -0400 (EDT)


On Mon, 28 Jun 2004, Lin Osborne wrote:

> 15:14:17.919232 restricted-IP.afs3-callback > our-fileserver.afs3-fileserver:
> rx data fs call fetch-status fid 537307550/10054/8232 (44) (DF)
> 15:14:17.919656 our-fileserver.afs3-fileserver > restricted-IP.afs3-callback:
> rx data cb call whoareyou (32) (DF)
> 15:14:17.919783 restricted-IP.afs3-callback > our-fileserver.afs3-fileserver:
> rx data cb reply whoareyou (460) (DF)
> 15:14:17.920681 our-fileserver.afs3-fileserver > restricted-IP.afs3-callback:
> rx data fs reply fetch-status (148) (DF)

NetInfo doesn't preclude traffic from using the other interface, only from
callback connections using it (basically). If you want the client to bind
to an interface I have a patch (a hack, really) that does it. In reality
Rx should provide an interface to pass in a list of IP:port to bind to.
But that's a large API change.

I'd guess the difference is in the IP stack of the different kernel
versions.

> My questions are:
> 1) Why is the client losing access?

I don't know. Possibly due to 2.

> 2) Why does NetInfo/NetRestrict not limit AFS conversation to the allowed IP?

See above.

> 3) What can I do to solve 1) and 2)?

I'll find the patch.
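
An added example, not part of the original message and not OpenAFS code or the patch mentioned above: it shows the general UDP behaviour behind the reply, that a socket bound to the wildcard address takes its source address from the kernel's route lookup, and only an explicit bind() pins it. It assumes Linux, where all of 127.0.0.0/8 is local; 127.0.0.1 stands in for the restricted address and 127.0.0.2 for the permitted one, and the names are hypothetical.

```python
import socket

# Constructed stand-ins (assumptions, not values from the thread):
RESTRICTED = {"127.0.0.1"}   # address an admin listed as "do not use"
ALLOWED_ADDR = "127.0.0.2"   # address the admin wants the client to use
WILDCARD = "0.0.0.0"         # INADDR_ANY: no specific local address chosen
SERVER_ADDR = "127.0.0.1"    # the "fileserver" end of the exchange


def source_seen_by_server(client_bind_addr):
    """Send one datagram from a client socket bound to client_bind_addr
    and return the source IP the server sees on the wire."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        server.bind((SERVER_ADDR, 0))          # ephemeral port
        server.settimeout(2.0)                 # never hang if loopback is down
        client.bind((client_bind_addr, 0))
        client.sendto(b"probe", server.getsockname())
        _data, (src_ip, _src_port) = server.recvfrom(64)
        return src_ip


def uses_restricted(src_ip):
    """True if the observed source address is on the restricted list."""
    return src_ip in RESTRICTED


def compare():
    """Return (wildcard_source, bound_source) for the two client setups."""
    # Wildcard bind: the kernel picks the source from its route to the
    # destination, regardless of any application-level address list.
    wildcard_src = source_seen_by_server(WILDCARD)
    # Explicit bind: every datagram leaves with the chosen address.
    bound_src = source_seen_by_server(ALLOWED_ADDR)
    return wildcard_src, bound_src


if __name__ == "__main__":
    w, b = compare()
    print(f"wildcard bind -> source {w} restricted={uses_restricted(w)}")
    print(f"explicit bind -> source {b} restricted={uses_restricted(b)}")
```

To audit a real host, compare the source addresses in a packet capture against the restricted list rather than relying on the list alone.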