Subject: nonlocal_bind and IPv6
From: Vincent Bernat @ 2011-12-12 13:18 UTC
To: netdev; +Cc: davem

Hi!

It is possible with IPv4 to set net.ipv4.ip_nonlocal_bind to 1 and to bind to non-local addresses. This patch adds the same possibility for IPv6. Since the IPv4 version is not constrained to a network namespace, I have followed the same approach for the IPv6 version.
* [PATCH] net: add ip_nonlocal_bind sysctl for IPv6 2011-12-12 13:18 nonlocal_bind and IPv6 Vincent Bernat @ 2011-12-12 13:18 ` Vincent Bernat 0 siblings, 0 replies; 13+ messages in thread From: Vincent Bernat @ 2011-12-12 13:18 UTC (permalink / raw) To: netdev; +Cc: davem, Vincent Bernat net.ipv4.ip_nonlocal_bind sysctl allows applications to bind to non local IPv4 addresses (for example, dynamic addresses that do not exist yet). This modification introduces net.ipv6.ip_nonlocal_bind which has the same effect for IPv6. Signed-off-by: Vincent Bernat <bernat@luffy.cx> --- Documentation/networking/ip-sysctl.txt | 5 +++++ include/net/ipv6.h | 1 + net/ipv6/af_inet6.c | 6 +++++- net/ipv6/sysctl_net_ipv6.c | 7 +++++++ 4 files changed, 18 insertions(+), 1 deletions(-) diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index ad3e80e..be8a80e 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt @@ -1007,6 +1007,11 @@ bindv6only - BOOLEAN Default: FALSE (as specified in RFC3493) +ip_nonlocal_bind - BOOLEAN + If set, allows processes to bind() to non-local IP addresses, + which can be quite useful - but may break some applications. + Default: FALSE + IPv6 Fragmentation: ip6frag_high_thresh - INTEGER diff --git a/include/net/ipv6.h b/include/net/ipv6.h index e4170a2..393ea35 100644 --- a/include/net/ipv6.h +++ b/include/net/ipv6.h @@ -113,6 +113,7 @@ struct frag_hdr { /* sysctls */ extern int sysctl_mld_max_msf; +extern int sysctl_ip6_nonlocal_bind; extern struct ctl_path net_ipv6_ctl_path[]; #define _DEVINC(net, statname, modifier, idev, field) \ diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index 7694c82..1d1ab9b 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c 
@@ -252,6 +252,9 @@ out_rcu_unlock: goto out; } +/* It is off by default, see below. */ +int sysctl_ip6_nonlocal_bind __read_mostly; +EXPORT_SYMBOL(sysctl_ip6_nonlocal_bind); /* bind for INET6 API */ int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) @@ -347,7 +350,8 @@ int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) */ v4addr = LOOPBACK4_IPV6; if (!(addr_type & IPV6_ADDR_MULTICAST)) { - if (!(inet->freebind || inet->transparent) && + if (!sysctl_ip6_nonlocal_bind && + !(inet->freebind || inet->transparent) && !ipv6_chk_addr(net, &addr->sin6_addr, dev, 0)) { err = -EADDRNOTAVAIL; diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c index 166a57c..e88e09e 100644 --- a/net/ipv6/sysctl_net_ipv6.c +++ b/net/ipv6/sysctl_net_ipv6.c @@ -48,6 +48,13 @@ static ctl_table ipv6_table_template[] = { .mode = 0644, .proc_handler = proc_dointvec }, + { + .procname = "ip_nonlocal_bind", + .data = &sysctl_ip6_nonlocal_bind, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec + }, { } }; -- 1.7.7.3 ^ permalink raw reply related [flat|nested] 13+ messages in thread
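Review bot: the new ip_nonlocal_bind entry in Documentation/networking/ip-sysctl.txt states what the knob does but not its scope, which is the part an administrator needs before enabling it: the cover letter says the value is global rather than per network namespace, and the entry sits in the IPv6 section under the same name as the IPv4 knob without saying that it is the IPv6 counterpart of net.ipv4.ip_nonlocal_bind or that it is equivalent to setting IP_FREEBIND on every IPv6 socket. Suggest adding both facts after "Default: FALSE", e.g. "Equivalent to IP_FREEBIND on every IPv6 socket. Applies to all network namespaces.", so the docs make clear that turning it on lets any unprivileged process on the host bind() to any address.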
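Review bot: in the net/ipv6/af_inet6.c hunk, `EXPORT_SYMBOL(sysctl_ip6_nonlocal_bind);` has no module user anywhere in this patch; the only reader is inet6_bind() in the same file, so either drop the export or name the module that needs it in the changelog. The relaxed condition `if (!sysctl_ip6_nonlocal_bind && !(inet->freebind || inet->transparent) && !ipv6_chk_addr(net, &addr->sin6_addr, dev, 0))` is correct as a bind-time bypass, but it only changes bind-time validation: nothing in the hunk covers what happens when the socket later transmits from an address the host does not own, which is exactly the question raised later in this thread, and the comment `/* It is off by default, see below. */` would be a good place to state that the flag is process-wide and namespace-wide rather than per socket, since that is what distinguishes it from the freebind/transparent flags it sits beside.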
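Review bot: the new ctl_table entry in net/ipv6/sysctl_net_ipv6.c uses `.proc_handler = proc_dointvec` for a value the documentation hunk calls BOOLEAN, so any integer is accepted and stored in `sysctl_ip6_nonlocal_bind`; `proc_dointvec_minmax` with `.extra1`/`.extra2` bounds of 0 and 1 would reject anything else and keep the file consistent with the documentation. A second point on the same hunk: `ipv6_table_template` is the per-namespace template, yet `.data = &sysctl_ip6_nonlocal_bind` points at one global, so every namespace's /proc/sys/net/ipv6/ip_nonlocal_bind reads and writes the same flag and a write from inside a container changes bind() checks for the whole host. The cover letter acknowledges the global scope; if that is intended, a comment on the entry saying so would save the next reader from assuming the template gives per-namespace isolation.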
Subject: nonlocal_bind and IPv6
From: Vincent Bernat @ 2011-12-14 16:20 UTC
To: netdev; +Cc: davem, yoshfuji

This is a second attempt to port ip_nonlocal_bind to IPv6. The two patches are independent. The first patch enables net.ipv6.ip_nonlocal_bind and is "namespace aware". The second patch modifies net.ipv4.ip_nonlocal_bind to also be "namespace aware". I don't know if this is something important.

I did not test the SCTP part of the second patch (but it compiles).

 Documentation/networking/ip-sysctl.txt | 5 +++++
 include/net/netns/ipv4.h | 1 +
 include/net/netns/ipv6.h | 1 +
 net/ipv4/af_inet.c | 6 +-----
 net/ipv4/ping.c | 2 +-
 net/ipv4/sysctl_net_ipv4.c | 16 +++++++++-------
 net/ipv6/af_inet6.c | 6 ++++--
 net/ipv6/sysctl_net_ipv6.c | 8 ++++++++
 net/sctp/protocol.c | 2 +-
 9 files changed, 31 insertions(+), 16 deletions(-)
Subject: Re: nonlocal_bind and IPv6
From: Maciej Żenczykowski @ 2011-12-16 3:58 UTC
To: Vincent Bernat; +Cc: netdev, davem, yoshfuji

why not simply use the IP_TRANSPARENT or IP_FREEBIND socket options?

On Wed, Dec 14, 2011 at 08:20, Vincent Bernat <bernat@luffy.cx> wrote:
> This is a second attempt to port ip_nonlocal_bind to IPv6. The two
> patches are independent. The first patch enables
> net.ipv6.ip_nonlocal_bind and is "namespace aware". The second patch
> modifies net.ipv4.ip_nonlocal_bind to also be "namespace aware". I
> don't know if this is something important.
>
> I did not test the SCTP part of the second patch (but it compiles).
>
> Documentation/networking/ip-sysctl.txt | 5 +++++
> include/net/netns/ipv4.h | 1 +
> include/net/netns/ipv6.h | 1 +
> net/ipv4/af_inet.c | 6 +-----
> net/ipv4/ping.c | 2 +-
> net/ipv4/sysctl_net_ipv4.c | 16 +++++++++-------
> net/ipv6/af_inet6.c | 6 ++++--
> net/ipv6/sysctl_net_ipv6.c | 8 ++++++++
> net/sctp/protocol.c | 2 +-
> 9 files changed, 31 insertions(+), 16 deletions(-)
Subject: Re: nonlocal_bind and IPv6
From: Vincent Bernat @ 2011-12-16 6:24 UTC
To: Maciej Żenczykowski; +Cc: netdev, davem, yoshfuji

OoO In the middle of the starry night of Friday 16 December 2011, at around 04:58, Maciej Żenczykowski <zenczykowski@gmail.com> said:

> why not simply use the IP_TRANSPARENT or IP_FREEBIND socket options?

Because this requires modifying each affected software. This can be difficult if you don't have the source code available.

-- 
Vincent Bernat ☯ http://vincent.bernat.im

panic("Detected a card I can't drive - whoops\n");
        2.2.16 /usr/src/linux/drivers/net/daynaport.c
Subject: Re: nonlocal_bind and IPv6
From: David Miller @ 2011-12-16 7:06 UTC
To: bernat; +Cc: zenczykowski, netdev, yoshfuji

From: Vincent Bernat <bernat@luffy.cx>
Date: Fri, 16 Dec 2011 07:24:04 +0100

> OoO In the middle of the starry night of Friday 16 December 2011, at
> around 04:58, Maciej Żenczykowski <zenczykowski@gmail.com> said:
>
>> why not simply use the IP_TRANSPARENT or IP_FREEBIND socket options?
>
> Because this requires modifying each affected software. This can be
> difficult if you don't have the source code available.

But it means that it would work on every single kernel version out there.
Subject: Re: nonlocal_bind and IPv6
From: Vincent Bernat @ 2011-12-16 9:53 UTC
To: David Miller; +Cc: zenczykowski, netdev, yoshfuji

On Fri, 16 Dec 2011 02:06:00 -0500 (EST), David Miller wrote:
>> OoO In the middle of the starry night of Friday 16 December 2011, at
>> around 04:58, Maciej Żenczykowski <zenczykowski@gmail.com> said:
>>
>>> why not simply use the IP_TRANSPARENT or IP_FREEBIND socket
>>> options?
>>
>> Because this requires modifying each affected software. This
>> can be difficult if you don't have the source code available.
>
> But it means that it would work on every single kernel version out
> there.

Sure. But...

The typical scenario for this setting is when you are using something like VRRP. You have your web server running on several nodes and only one of them has the appropriate IP address at the given moment. Moreover, you have to bind to a specific IP and not 0.0.0.0 for other reasons (for example, when using several SSL virtualhosts). Starting the web server only when a node gets the appropriate IP is not possible because it increases downtime.

Since this VRRP stuff is related to system configuration, it seems sensible to have a system setting equivalent to the IP_FREEBIND socket option. This is ip_nonlocal_bind.

Moreover, I am just adding the IPv6 version of this setting. The IPv4 version already exists.
Subject: Re: nonlocal_bind and IPv6
From: Francois Romieu @ 2011-12-16 11:10 UTC
To: Vincent Bernat; +Cc: David Miller, zenczykowski, netdev, yoshfuji

Vincent Bernat <bernat@luffy.cx> :
> On Fri, 16 Dec 2011 02:06:00 -0500 (EST), David Miller wrote:
> >> 04:58, Maciej Żenczykowski <zenczykowski@gmail.com> said:
[...]
> >>> why not simply use the IP_TRANSPARENT or IP_FREEBIND socket
> >>> options?
> >>
> >> Because this requires modifying each affected software. This
> >> can be difficult if you don't have the source code available.
> >
> > But it means that it would work on every single kernel version out
> > there.
[...]
> Moreover, I am just adding the IPv6 version of this setting. The
> IPv4 version already exists.

For IPv6 this is adding a system-scope function which will have to be maintained and available for ages. It will compete with the existing, per-application answer. The "fix your application / design" argument is thus stronger than with IPv4.

-- 
Ueimor
Subject: Re: nonlocal_bind and IPv6
From: David Miller @ 2011-12-16 18:20 UTC
To: romieu; +Cc: bernat, zenczykowski, netdev, yoshfuji

From: Francois Romieu <romieu@fr.zoreil.com>
Date: Fri, 16 Dec 2011 12:10:27 +0100

> Vincent Bernat <bernat@luffy.cx> :
>> On Fri, 16 Dec 2011 02:06:00 -0500 (EST), David Miller wrote:
>> >> 04:58, Maciej Żenczykowski <zenczykowski@gmail.com> said:
> [...]
>> >>> why not simply use the IP_TRANSPARENT or IP_FREEBIND socket
>> >>> options?
>> >>
>> >> Because this requires modifying each affected software. This
>> >> can be difficult if you don't have the source code available.
>> >
>> > But it means that it would work on every single kernel version out
>> > there.
> [...]
>> Moreover, I am just adding the IPv6 version of this setting. The
>> IPv4 version already exists.
>
> For IPv6 this is adding a system-scope function which will have to be
> maintained and available for ages. It will compete with the existing,
> per-application answer. The "fix your application / design" argument
> is thus stronger than with IPv4.

Another excellent point.
Subject: Re: nonlocal_bind and IPv6
From: David Miller @ 2011-12-16 18:18 UTC
To: bernat; +Cc: zenczykowski, netdev, yoshfuji

From: Vincent Bernat <bernat@luffy.cx>
Date: Fri, 16 Dec 2011 10:53:48 +0100

> Moreover, I am just adding the IPv6 version of this setting. The IPv4
> version already exists.

I don't think the ipv4 feature was a wise thing to add, so just because ipv4 has something doesn't automatically make it appropriate to support it in ipv6 too. So please don't use arguments like that.
Subject: Re: nonlocal_bind and IPv6
From: Vincent Bernat @ 2011-12-17 10:52 UTC
To: David Miller; +Cc: zenczykowski, netdev, yoshfuji

OoO During the meal of Friday 16 December 2011, at around 19:18, David Miller <davem@davemloft.net> said:

>> Moreover, I am just adding the IPv6 version of this setting. The IPv4
>> version already exists.

> I don't think the ipv4 feature was a wise thing to add, so just because
> ipv4 has something doesn't automatically make it appropriate to support
> it in ipv6 too. So please don't use arguments like that.

Here are my arguments against using IP_FREEBIND:

1. It needs to be applied to all services; this will take years. All services will need an option just for that (because usually a user does not want to be able to bind to a non-local IP). We could use some hacks with LD_PRELOAD, but that's just a hack.
2. This option may just be unavailable because it is too low-level. For example, it is not available in the Python socket implementation (but I can still hardcode the numerical value). If I use some web framework, I will also have a hard time setting this option.
3. This is a Linux-only option.

Here are the arguments for a sysctl:

1. It is a system-wide configuration: you configure VRRP on your system, you enable this sysctl, nothing else to do.
2. This is essentially a one-line modification. This will be quite easy to maintain for years.
3. This is the natural option for many people. See for example: http://thread.gmane.org/gmane.comp.web.haproxy/7317/focus=7318
4. Without it, people just do horrible things: http://thread.gmane.org/gmane.comp.web.haproxy/7317/focus=7321

Did I convince you?

-- 
Vincent Bernat ☯ http://vincent.bernat.im

/*
 * We used to try various strange things. Let's not.
 */
        2.2.16 /usr/src/linux/fs/buffer.c
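As an added example (not code from this thread, from the kernel patch, or from any of the participants), here is the per-socket IP_FREEBIND approach that Maciej, David and Francois put forward, written in C against the Linux socket API so the difference from the sysctl is visible in one run: the same non-local bind that fails with EADDRNOTAVAIL on a plain socket succeeds once that one socket carries IP_FREEBIND, while the system-wide knob can be read from /proc. It also covers the VRRP scenario from Vincent's earlier mail, where the bind must happen before the address exists. Assumptions: Linux; the addresses 192.0.2.1 and 2001:db8::1 are documentation-range values constructed here as "addresses this host does not own"; the fallback value 15 for IP_FREEBIND is Linux's uapi constant and is used only if the headers lack the macro; try_bind and read_sysctl_flag are names chosen for this example.

```c
/* Added example: per-socket IP_FREEBIND versus the system-wide
 * ip_nonlocal_bind sysctl. Linux only. Not part of the thread. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_FREEBIND
#define IP_FREEBIND 15   /* Linux uapi value; only used if the headers lack it */
#endif

/* Bind a fresh SOCK_STREAM socket of the given family to addr, port 0.
 * If freebind is non-zero, IP_FREEBIND is set first: this is the
 * inet->freebind flag that inet6_bind() in the patch also honours, so
 * level IPPROTO_IP works for AF_INET6 sockets as well.
 * Returns 0 on success, otherwise the errno of the failing call. */
int try_bind(int family, const char *addr, int freebind)
{
    struct sockaddr_storage ss;
    socklen_t len;
    int fd, rc;

    memset(&ss, 0, sizeof ss);
    if (family == AF_INET) {
        struct sockaddr_in *sin = (struct sockaddr_in *)&ss;
        sin->sin_family = AF_INET;
        if (inet_pton(AF_INET, addr, &sin->sin_addr) != 1)
            return EINVAL;
        len = sizeof *sin;
    } else {
        struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;
        sin6->sin6_family = AF_INET6;
        if (inet_pton(AF_INET6, addr, &sin6->sin6_addr) != 1)
            return EINVAL;
        len = sizeof *sin6;
    }

    fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;   /* e.g. EAFNOSUPPORT when IPv6 is unavailable */

    if (freebind) {
        int one = 1;
        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) < 0) {
            rc = errno;
            close(fd);
            return rc;
        }
    }

    /* Without freebind (and with ip_nonlocal_bind = 0) the kernel rejects
     * an address it does not own with EADDRNOTAVAIL; with it, bind succeeds
     * even though no interface carries the address yet (the VRRP case). */
    rc = bind(fd, (struct sockaddr *)&ss, len) < 0 ? errno : 0;
    close(fd);
    return rc;
}

/* Read a 0/1 sysctl such as /proc/sys/net/ipv4/ip_nonlocal_bind.
 * Returns the value, or -1 if the file cannot be read. */
int read_sysctl_flag(const char *path)
{
    FILE *f = fopen(path, "r");
    int v;

    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

int main(void)
{
    const char *v4 = "192.0.2.1";    /* constructed: not a local address */
    const char *v6 = "2001:db8::1";  /* constructed: not a local address */

    printf("net.ipv4.ip_nonlocal_bind = %d\n",
           read_sysctl_flag("/proc/sys/net/ipv4/ip_nonlocal_bind"));
    printf("bind %s without IP_FREEBIND: %s\n", v4,
           strerror(try_bind(AF_INET, v4, 0)));
    printf("bind %s with IP_FREEBIND:    %s\n", v4,
           strerror(try_bind(AF_INET, v4, 1)));
    printf("bind %s with IP_FREEBIND:  %s\n", v6,
           strerror(try_bind(AF_INET6, v6, 1)));
    return 0;
}
```

The first bind reports EADDRNOTAVAIL on a host where net.ipv4.ip_nonlocal_bind is 0 and succeeds where it is 1, which is the contrast the thread is about: the socket option scopes the relaxed check to one process that opted in, the sysctl relaxes it for every process on the host (and, with the patch as posted, in every network namespace). A Python caller without the constant can pass the number directly, socket.setsockopt(socket.IPPROTO_IP, 15, 1), which is the hardcoding Vincent mentions.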
Subject: Re: nonlocal_bind and IPv6
From: YOSHIFUJI Hideaki @ 2011-12-16 6:46 UTC
To: Vincent Bernat; +Cc: netdev, davem, YOSHIFUJI Hideaki

Have you tried to send packets from the application on node with local_bind enabled (without the address the application binds)?

Vincent Bernat wrote:
> This is a second attempt to port ip_nonlocal_bind to IPv6. The two
> patches are independent. The first patch enables
> net.ipv6.ip_nonlocal_bind and is "namespace aware". The second patch
> modifies net.ipv4.ip_nonlocal_bind to also be "namespace aware". I
> don't know if this is something important.
>
> I did not test the SCTP part of the second patch (but it compiles).
>
> Documentation/networking/ip-sysctl.txt | 5 +++++
> include/net/netns/ipv4.h | 1 +
> include/net/netns/ipv6.h | 1 +
> net/ipv4/af_inet.c | 6 +-----
> net/ipv4/ping.c | 2 +-
> net/ipv4/sysctl_net_ipv4.c | 16 +++++++++-------
> net/ipv6/af_inet6.c | 6 ++++--
> net/ipv6/sysctl_net_ipv6.c | 8 ++++++++
> net/sctp/protocol.c | 2 +-
> 9 files changed, 31 insertions(+), 16 deletions(-)
Subject: Re: nonlocal_bind and IPv6
From: Vincent Bernat @ 2011-12-16 9:46 UTC
To: YOSHIFUJI Hideaki; +Cc: netdev, davem

On Fri, 16 Dec 2011 15:46:34 +0900, YOSHIFUJI Hideaki wrote:
> Have you tried to send packets from the application on node with
> local_bind enabled (without the address the application binds)?

No, I did not see any logic to handle this with IPv4. I will test it and come back.