* nonlocal_bind and IPv6
@ 2011-12-14 16:20 Vincent Bernat
  2011-12-14 16:20 ` [PATCH 1/2] net/ipv6: add ip_nonlocal_bind sysctl for IPv6 Vincent Bernat
                   ` (3 more replies)
  0 siblings, 4 replies; 14+ messages in thread
From: Vincent Bernat @ 2011-12-14 16:20 UTC (permalink / raw)
  To: netdev; +Cc: davem, yoshfuji

This is a second attempt to port ip_nonlocal_bind to IPv6. The two
patches are independent. The first patch enables
net.ipv6.ip_nonlocal_bind and is "namespace aware". The second patch
modifies net.ipv4.ip_nonlocal_bind to also be "namespace aware". I
don't know if this is something important.

I did not test the SCTP part of the second patch (but it compiles).

 Documentation/networking/ip-sysctl.txt |    5 +++++
 include/net/netns/ipv4.h               |    1 +
 include/net/netns/ipv6.h               |    1 +
 net/ipv4/af_inet.c                     |    6 +-----
 net/ipv4/ping.c                        |    2 +-
 net/ipv4/sysctl_net_ipv4.c             |   16 +++++++++-------
 net/ipv6/af_inet6.c                    |    6 ++++--
 net/ipv6/sysctl_net_ipv6.c             |    8 ++++++++
 net/sctp/protocol.c                    |    2 +-
 9 files changed, 31 insertions(+), 16 deletions(-)

^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH 1/2] net/ipv6: add ip_nonlocal_bind sysctl for IPv6
  2011-12-14 16:20 nonlocal_bind and IPv6 Vincent Bernat
@ 2011-12-14 16:20 ` Vincent Bernat
  2011-12-14 16:20 ` [PATCH 2/2] net/ipv4: bind ip_nonlocal_bind to current netns Vincent Bernat
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 14+ messages in thread
From: Vincent Bernat @ 2011-12-14 16:20 UTC (permalink / raw)
  To: netdev; +Cc: davem, yoshfuji, Vincent Bernat

The net.ipv4.ip_nonlocal_bind sysctl allows applications to bind to
non-local IPv4 addresses (for example, dynamic addresses that do not exist
yet). This modification introduces net.ipv6.ip_nonlocal_bind, which has
the same effect for IPv6.

However, contrary to net.ipv4.ip_nonlocal_bind, this setting is bound
to the current namespace.

Signed-off-by: Vincent Bernat <bernat@luffy.cx>
---
 Documentation/networking/ip-sysctl.txt |    5 +++++
 include/net/netns/ipv6.h               |    1 +
 net/ipv6/af_inet6.c                    |    4 +++-
 net/ipv6/sysctl_net_ipv6.c             |    8 ++++++++
 4 files changed, 17 insertions(+), 1 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index ad3e80e..be8a80e 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1007,6 +1007,11 @@ bindv6only - BOOLEAN
 
 	Default: FALSE (as specified in RFC3493)
 
+ip_nonlocal_bind - BOOLEAN
+	If set, allows processes to bind() to non-local IP addresses,
+	which can be quite useful - but may break some applications.
+	Default: FALSE
+
 IPv6 Fragmentation:
 
 ip6frag_high_thresh - INTEGER
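Review bot: the new ip_nonlocal_bind entry copies the IPv4 wording but does not say that, unlike the IPv4 sysctl, this one is per network namespace, which the commit message explicitly calls out; add a sentence such as "This setting is per network namespace." to the entry. The question YOSHIFUJI raises further down (what happens to the application's traffic while the bound address is not configured on the node) is also something this entry should answer rather than leave to "may break some applications".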
diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
index 81abfcb..f9326cc 100644
--- a/include/net/netns/ipv6.h
+++ b/include/net/netns/ipv6.h
@@ -16,6 +16,7 @@ struct netns_sysctl_ipv6 {
 	struct ctl_table_header *frags_hdr;
 #endif
 	int bindv6only;
+	int ip6_nonlocal_bind;
 	int flush_delay;
 	int ip6_rt_max_size;
 	int ip6_rt_gc_min_interval;
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 273f48d..27c32f387 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -347,7 +347,8 @@ int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 			 */
 			v4addr = LOOPBACK4_IPV6;
 			if (!(addr_type & IPV6_ADDR_MULTICAST))	{
-				if (!(inet->freebind || inet->transparent) &&
+				if (!net->ipv6.sysctl.ip6_nonlocal_bind &&
+				    !(inet->freebind || inet->transparent) &&
 				    !ipv6_chk_addr(net, &addr->sin6_addr,
 						   dev, 0)) {
 					err = -EADDRNOTAVAIL;
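Review bot: this hunk only changes the native-IPv6 branch of inet6_bind(); the v4-mapped branch earlier in the same function (visible in the second patch's hunk at @@ -307) keeps consulting the IPv4 sysctl, so after this series an AF_INET6 socket binding a ::ffff:a.b.c.d address is governed by net.ipv4.ip_nonlocal_bind while a native address is governed by net.ipv6.ip_nonlocal_bind. Either consult both sysctls in the v4-mapped branch or state this split in the ip-sysctl.txt entry so that administrators enabling only the IPv6 knob are not surprised.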
@@ -1017,6 +1018,7 @@ static int __net_init inet6_net_init(struct net *net)
 	int err = 0;
 
 	net->ipv6.sysctl.bindv6only = 0;
+	net->ipv6.sysctl.ip6_nonlocal_bind = 0;
 	net->ipv6.sysctl.icmpv6_time = 1*HZ;
 
 	err = ipv6_init_mibs(net);
diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
index 166a57c..42f0cf0 100644
--- a/net/ipv6/sysctl_net_ipv6.c
+++ b/net/ipv6/sysctl_net_ipv6.c
@@ -48,6 +48,13 @@ static ctl_table ipv6_table_template[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec
 	},
+	{
+		.procname	= "ip_nonlocal_bind",
+		.data		= &init_net.ipv6.sysctl.ip6_nonlocal_bind,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec
+	},
 	{ }
 };
 
@@ -93,6 +100,7 @@ static int __net_init ipv6_sysctl_net_init(struct net *net)
 	ipv6_table[1].child = ipv6_icmp_table;
 
 	ipv6_table[2].data = &net->ipv6.sysctl.bindv6only;
+	ipv6_table[3].data = &net->ipv6.sysctl.ip6_nonlocal_bind;
 
 	net->ipv6.sysctl.table = register_net_sysctl_table(net, net_ipv6_ctl_path,
 							   ipv6_table);
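Review bot: `ipv6_table[3].data` hard-codes the position of the new template entry, the only hint being that it was appended after the bindv6only entry handled at index 2; if the template is ever reordered this silently exports the wrong per-netns field (or leaves the init_net one shared by every namespace). A one-line comment on the template entry tying it to this index, or deriving the index from the entry's position, would keep the two in sync.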
-- 
1.7.7.3


* [PATCH 2/2] net/ipv4: bind ip_nonlocal_bind to current netns
  2011-12-14 16:20 nonlocal_bind and IPv6 Vincent Bernat
  2011-12-14 16:20 ` [PATCH 1/2] net/ipv6: add ip_nonlocal_bind sysctl for IPv6 Vincent Bernat
@ 2011-12-14 16:20 ` Vincent Bernat
  2011-12-16  3:58 ` nonlocal_bind and IPv6 Maciej Żenczykowski
  2011-12-16  6:46 ` YOSHIFUJI Hideaki
  3 siblings, 0 replies; 14+ messages in thread
From: Vincent Bernat @ 2011-12-14 16:20 UTC (permalink / raw)
  To: netdev; +Cc: davem, yoshfuji, Vincent Bernat

The net.ipv4.ip_nonlocal_bind sysctl was global to all network
namespaces. This patch allows a different value to be set for each
network namespace.

Signed-off-by: Vincent Bernat <bernat@luffy.cx>
---
 include/net/netns/ipv4.h   |    1 +
 net/ipv4/af_inet.c         |    6 +-----
 net/ipv4/ping.c            |    2 +-
 net/ipv4/sysctl_net_ipv4.c |   16 +++++++++-------
 net/ipv6/af_inet6.c        |    2 +-
 net/sctp/protocol.c        |    2 +-
 6 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index bbd023a..ad8587c 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -51,6 +51,7 @@ struct netns_ipv4 {
 	int sysctl_icmp_ratelimit;
 	int sysctl_icmp_ratemask;
 	int sysctl_icmp_errors_use_inbound_ifaddr;
+	int sysctl_ip_nonlocal_bind;
 	int sysctl_rt_cache_rebuild_count;
 	int current_rt_cache_rebuild_count;
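Review bot: the new per-netns field gets no explicit initialisation anywhere in this patch (no __net_init hook touches it, unlike inet6_net_init in patch 1), so the documented FALSE default relies on the netns structure being zero-allocated; an explicit `net->ipv4.sysctl_ip_nonlocal_bind = 0;` in ipv4_sysctl_init_net, or at least a comment, would make the default deliberate and would preserve the "off by default" note that the removed global carried.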
 
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index f7b5670..4fe4a7b 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -443,10 +443,6 @@ int inet_release(struct socket *sock)
 }
 EXPORT_SYMBOL(inet_release);
 
-/* It is off by default, see below. */
-int sysctl_ip_nonlocal_bind __read_mostly;
-EXPORT_SYMBOL(sysctl_ip_nonlocal_bind);
-
 int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 {
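Review bot: removing the global together with its EXPORT_SYMBOL drops a symbol that other code referenced by name, yet the diffstat for this patch lists no header change, so the extern declaration of sysctl_ip_nonlocal_bind that ping.c, af_inet6.c and sctp previously relied on is left dangling, and any remaining user (including out-of-tree modules) will now fail to link rather than fail to compile. Remove the declaration in the same patch and grep the tree for other references before merging.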
 	struct sockaddr_in *addr = (struct sockaddr_in *)uaddr;
@@ -485,7 +481,7 @@ int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 	 *  is temporarily down)
 	 */
 	err = -EADDRNOTAVAIL;
-	if (!sysctl_ip_nonlocal_bind &&
+	if (!sock_net(sk)->ipv4.sysctl_ip_nonlocal_bind &&
 	    !(inet->freebind || inet->transparent) &&
 	    addr->sin_addr.s_addr != htonl(INADDR_ANY) &&
 	    chk_addr_ret != RTN_LOCAL &&
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 43d4c3b..01cf59d 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -257,7 +257,7 @@ static int ping_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
 	if (addr->sin_addr.s_addr == INADDR_ANY)
 		chk_addr_ret = RTN_LOCAL;
 
-	if ((sysctl_ip_nonlocal_bind == 0 &&
+	if ((sock_net(sk)->ipv4.sysctl_ip_nonlocal_bind == 0 &&
 	    isk->freebind == 0 && isk->transparent == 0 &&
 	     chk_addr_ret != RTN_LOCAL) ||
 	    chk_addr_ret == RTN_MULTICAST ||
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index fe9bf91..15e4534 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -265,13 +265,6 @@ static struct ctl_table ipv4_table[] = {
 		.proc_handler	= proc_dointvec
 	},
 	{
-		.procname	= "ip_nonlocal_bind",
-		.data		= &sysctl_ip_nonlocal_bind,
-		.maxlen		= sizeof(int),
-		.mode		= 0644,
-		.proc_handler	= proc_dointvec
-	},
-	{
 		.procname	= "tcp_syn_retries",
 		.data		= &sysctl_tcp_syn_retries,
 		.maxlen		= sizeof(int),
@@ -765,6 +758,13 @@ static struct ctl_table ipv4_net_table[] = {
 		.mode		= 0644,
 		.proc_handler	= ipv4_tcp_mem,
 	},
+	{
+		.procname	= "ip_nonlocal_bind",
+		.data		= &init_net.ipv4.sysctl_ip_nonlocal_bind,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec
+	},
 	{ }
 };
 
@@ -802,6 +802,8 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
 			&net->ipv4.sysctl_rt_cache_rebuild_count;
 		table[7].data =
 			&net->ipv4.sysctl_ping_group_range;
+		table[9].data =
+			&net->ipv4.sysctl_ip_nonlocal_bind;
 
 	}
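Review bot: `table[9].data` is a hard-coded index that must match the position of the new entry in ipv4_net_table; the visible init block assigns [7] and then jumps to [9], so a reader cannot verify from the patch alone that [8] (the tcp_mem entry immediately preceding the new one in the template, which uses its own handler) needs no per-netns pointer and that 9 is correct. A comment on the template entry naming this index would let a later reordering be caught in review.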
 
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 27c32f387..76b970d 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -307,7 +307,7 @@ int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 		/* Reproduce AF_INET checks to make the bindings consistent */
 		v4addr = addr->sin6_addr.s6_addr32[3];
 		chk_addr_ret = inet_addr_type(net, v4addr);
-		if (!sysctl_ip_nonlocal_bind &&
+		if (!net->ipv4.sysctl_ip_nonlocal_bind &&
 		    !(inet->freebind || inet->transparent) &&
 		    v4addr != htonl(INADDR_ANY) &&
 		    chk_addr_ret != RTN_LOCAL &&
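Review bot: the index line for this file (27c32f387..76b970d) is the output of patch 1's change to af_inet6.c, so for this file the second patch is not independent of the first, contrary to the cover letter; either state the ordering requirement or rebase the hunk so that it applies on its own. The hunk itself is at line 307, above patch 1's hunk at line 347, so the offsets are unaffected either way.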
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index 544a9b6..8c9c6bf 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -403,7 +403,7 @@ static int sctp_v4_available(union sctp_addr *addr, struct sctp_sock *sp)
 	if (addr->v4.sin_addr.s_addr != htonl(INADDR_ANY) &&
 	   ret != RTN_LOCAL &&
 	   !sp->inet.freebind &&
-	   !sysctl_ip_nonlocal_bind)
+	    !sock_net(sctp_opt2sk(sp))->ipv4.sysctl_ip_nonlocal_bind)
 		return 0;
 
 	if (ipv6_only_sock(sctp_opt2sk(sp)))
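Review bot: the replacement line is indented with a tab plus four spaces while the surrounding continuation lines (`ret != RTN_LOCAL &&`, `!sp->inet.freebind &&`) use a tab plus three, so the condition no longer lines up; match the existing three-space continuation. `sctp_opt2sk(sp)` is also evaluated again two lines later in `ipv6_only_sock()`, so a local `struct sock *sk = sctp_opt2sk(sp);` at the top of the function would tidy both call sites.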
-- 
1.7.7.3


* Re: nonlocal_bind and IPv6
  2011-12-14 16:20 nonlocal_bind and IPv6 Vincent Bernat
  2011-12-14 16:20 ` [PATCH 1/2] net/ipv6: add ip_nonlocal_bind sysctl for IPv6 Vincent Bernat
  2011-12-14 16:20 ` [PATCH 2/2] net/ipv4: bind ip_nonlocal_bind to current netns Vincent Bernat
@ 2011-12-16  3:58 ` Maciej Żenczykowski
  2011-12-16  6:24   ` Vincent Bernat
  2011-12-16  6:46 ` YOSHIFUJI Hideaki
  3 siblings, 1 reply; 14+ messages in thread
From: Maciej Żenczykowski @ 2011-12-16  3:58 UTC (permalink / raw)
  To: Vincent Bernat; +Cc: netdev, davem, yoshfuji

why not simply use the IP_TRANSPARENT or IP_FREEBIND socket options?

On Wed, Dec 14, 2011 at 08:20, Vincent Bernat <bernat@luffy.cx> wrote:
> This is a second attempt to port ip_nonlocal_bind to IPv6. The two
> patches are independent. The first patch enables
> net.ipv6.ip_nonlocal_bind and is "namespace aware". The second patch
> modifies net.ipv4.ip_nonlocal_bind to also be "namespace aware". I
> don't know if this is something important.
>
> I did not test the SCTP part of the second patch (but it compiles).
>
>  Documentation/networking/ip-sysctl.txt |    5 +++++
>  include/net/netns/ipv4.h               |    1 +
>  include/net/netns/ipv6.h               |    1 +
>  net/ipv4/af_inet.c                     |    6 +-----
>  net/ipv4/ping.c                        |    2 +-
>  net/ipv4/sysctl_net_ipv4.c             |   16 +++++++++-------
>  net/ipv6/af_inet6.c                    |    6 ++++--
>  net/ipv6/sysctl_net_ipv6.c             |    8 ++++++++
>  net/sctp/protocol.c                    |    2 +-
>  9 files changed, 31 insertions(+), 16 deletions(-)
>


* Re: nonlocal_bind and IPv6
  2011-12-16  3:58 ` nonlocal_bind and IPv6 Maciej Żenczykowski
@ 2011-12-16  6:24   ` Vincent Bernat
  2011-12-16  7:06     ` David Miller
  0 siblings, 1 reply; 14+ messages in thread
From: Vincent Bernat @ 2011-12-16  6:24 UTC (permalink / raw)
  To: Maciej Żenczykowski; +Cc: netdev, davem, yoshfuji

OoO In the middle of the starry night of Friday, 16 December 2011, at around
04:58, Maciej Żenczykowski <zenczykowski@gmail.com> said:

> why not simply use the IP_TRANSPARENT or IP_FREEBIND socket options?

Because this requires modifying each affected piece of software. This can be
difficult if you don't have the source code available.
-- 
Vincent Bernat ☯ http://vincent.bernat.im

panic("Detected a card I can't drive - whoops\n");
	2.2.16 /usr/src/linux/drivers/net/daynaport.c


* Re: nonlocal_bind and IPv6
  2011-12-14 16:20 nonlocal_bind and IPv6 Vincent Bernat
                   ` (2 preceding siblings ...)
  2011-12-16  3:58 ` nonlocal_bind and IPv6 Maciej Żenczykowski
@ 2011-12-16  6:46 ` YOSHIFUJI Hideaki
  2011-12-16  9:46   ` Vincent Bernat
  3 siblings, 1 reply; 14+ messages in thread
From: YOSHIFUJI Hideaki @ 2011-12-16  6:46 UTC (permalink / raw)
  To: Vincent Bernat; +Cc: netdev, davem, YOSHIFUJI Hideaki

Have you tried to send packets from the application on a node with
local_bind enabled (without the address the application binds)?

Vincent Bernat wrote:
> This is a second attempt to port ip_nonlocal_bind to IPv6. The two
> patches are independent. The first patch enables
> net.ipv6.ip_nonlocal_bind and is "namespace aware". The second patch
> modifies net.ipv4.ip_nonlocal_bind to also be "namespace aware". I
> don't know if this is something important.
> 
> I did not test the SCTP part of the second patch (but it compiles).
> 
>   Documentation/networking/ip-sysctl.txt |    5 +++++
>   include/net/netns/ipv4.h               |    1 +
>   include/net/netns/ipv6.h               |    1 +
>   net/ipv4/af_inet.c                     |    6 +-----
>   net/ipv4/ping.c                        |    2 +-
>   net/ipv4/sysctl_net_ipv4.c             |   16 +++++++++-------
>   net/ipv6/af_inet6.c                    |    6 ++++--
>   net/ipv6/sysctl_net_ipv6.c             |    8 ++++++++
>   net/sctp/protocol.c                    |    2 +-
>   9 files changed, 31 insertions(+), 16 deletions(-)
> 


* Re: nonlocal_bind and IPv6
  2011-12-16  6:24   ` Vincent Bernat
@ 2011-12-16  7:06     ` David Miller
  2011-12-16  9:53       ` Vincent Bernat
  0 siblings, 1 reply; 14+ messages in thread
From: David Miller @ 2011-12-16  7:06 UTC (permalink / raw)
  To: bernat; +Cc: zenczykowski, netdev, yoshfuji

From: Vincent Bernat <bernat@luffy.cx>
Date: Fri, 16 Dec 2011 07:24:04 +0100

> OoO In the middle of the starry night of Friday, 16 December 2011, at around
> 04:58, Maciej Żenczykowski <zenczykowski@gmail.com> said:
> 
>> why not simply use the IP_TRANSPARENT or IP_FREEBIND socket options?
> 
> Because this requires modifying each affected piece of software. This can be
> difficult if you don't have the source code available.

But it means that it would work on every single kernel version out
there.


* Re: nonlocal_bind and IPv6
  2011-12-16  6:46 ` YOSHIFUJI Hideaki
@ 2011-12-16  9:46   ` Vincent Bernat
  0 siblings, 0 replies; 14+ messages in thread
From: Vincent Bernat @ 2011-12-16  9:46 UTC (permalink / raw)
  To: YOSHIFUJI Hideaki; +Cc: netdev, davem

On Fri, 16 Dec 2011 15:46:34 +0900, YOSHIFUJI Hideaki wrote:
> Have you tried to send packets from the application on a node with
> local_bind enabled (without the address the application binds)?

No, I did not see any logic to handle this with IPv4. I will test it 
and come back.


* Re: nonlocal_bind and IPv6
  2011-12-16  7:06     ` David Miller
@ 2011-12-16  9:53       ` Vincent Bernat
  2011-12-16 11:10         ` Francois Romieu
  2011-12-16 18:18         ` David Miller
  0 siblings, 2 replies; 14+ messages in thread
From: Vincent Bernat @ 2011-12-16  9:53 UTC (permalink / raw)
  To: David Miller; +Cc: zenczykowski, netdev, yoshfuji

On Fri, 16 Dec 2011 02:06:00 -0500 (EST), David Miller wrote:

>> OoO In the middle of the starry night of Friday, 16 December 2011,
>> at around 04:58, Maciej Żenczykowski <zenczykowski@gmail.com> said:
>>
>>> why not simply use the IP_TRANSPARENT or IP_FREEBIND socket
>>> options?
>>
>> Because this requires modifying each affected piece of software. This
>> can be difficult if you don't have the source code available.
>
> But it means that it would work on every single kernel version out
> there.

Sure. But... The typical scenario for this setting is when you are
using something like VRRP. You have your web server running on several
nodes and only one of them has the appropriate IP address at a given
moment. Moreover, you have to bind to a specific IP and not 0.0.0.0 for
other reasons (for example, when using several SSL virtual hosts).
Starting the web server only when a node gets the appropriate IP is not
possible because it increases downtime. Since this VRRP stuff is related
to system configuration, it seems sensible to have a system setting
equivalent to the IP_FREEBIND socket option. This is ip_nonlocal_bind.

Moreover, I am just adding the IPv6 version of this setting. The IPv4 
version already exists.


* Re: nonlocal_bind and IPv6
  2011-12-16  9:53       ` Vincent Bernat
@ 2011-12-16 11:10         ` Francois Romieu
  2011-12-16 18:20           ` David Miller
  2011-12-16 18:18         ` David Miller
  1 sibling, 1 reply; 14+ messages in thread
From: Francois Romieu @ 2011-12-16 11:10 UTC (permalink / raw)
  To: Vincent Bernat; +Cc: David Miller, zenczykowski, netdev, yoshfuji

Vincent Bernat <bernat@luffy.cx> :
> On Fri, 16 Dec 2011 02:06:00 -0500 (EST), David Miller wrote:
> >>04:58, Maciej Żenczykowski <zenczykowski@gmail.com> said:
[...]
> >>>why not simply use the IP_TRANSPARENT or IP_FREEBIND socket
> >>>options?
> >>
> >>Because  this requires  modifying each  affected software.  This
> >>can be difficult if you don't have the source code available.
> >
> >>But it means that it would work on every single kernel version out
> >>there.
[...]
> Moreover, I am just adding the IPv6 version of this setting. The
> IPv4 version already exists.

For IPv6 this is adding a system-scope function which will have to be
maintained and available for ages. It will compete with the existing,
per-application answer. The "fix your application / design" argument
is thus stronger than with IPv4.

-- 
Ueimor


* Re: nonlocal_bind and IPv6
  2011-12-16  9:53       ` Vincent Bernat
  2011-12-16 11:10         ` Francois Romieu
@ 2011-12-16 18:18         ` David Miller
  2011-12-17 10:52           ` Vincent Bernat
  1 sibling, 1 reply; 14+ messages in thread
From: David Miller @ 2011-12-16 18:18 UTC (permalink / raw)
  To: bernat; +Cc: zenczykowski, netdev, yoshfuji

From: Vincent Bernat <bernat@luffy.cx>
Date: Fri, 16 Dec 2011 10:53:48 +0100

> Moreover, I am just adding the IPv6 version of this setting. The IPv4
> version already exists.

I don't think the ipv4 feature was a wise thing to add, so just because
ipv4 has something doesn't automatically make it appropriate to support
it in ipv6 too.  So please don't use arguments like that.


* Re: nonlocal_bind and IPv6
  2011-12-16 11:10         ` Francois Romieu
@ 2011-12-16 18:20           ` David Miller
  0 siblings, 0 replies; 14+ messages in thread
From: David Miller @ 2011-12-16 18:20 UTC (permalink / raw)
  To: romieu; +Cc: bernat, zenczykowski, netdev, yoshfuji

From: Francois Romieu <romieu@fr.zoreil.com>
Date: Fri, 16 Dec 2011 12:10:27 +0100

> Vincent Bernat <bernat@luffy.cx> :
>> On Fri, 16 Dec 2011 02:06:00 -0500 (EST), David Miller wrote:
>> >>04:58, Maciej Żenczykowski <zenczykowski@gmail.com> said:
> [...]
>> >>>why not simply use the IP_TRANSPARENT or IP_FREEBIND socket
>> >>>options?
>> >>
>> >>Because  this requires  modifying each  affected software.  This
>> >>can be difficult if you don't have the source code available.
>> >
>> >>But it means that it would work on every single kernel version out
>> >>there.
> [...]
>> Moreover, I am just adding the IPv6 version of this setting. The
>> IPv4 version already exists.
> 
> For IPv6 this is adding a system-scope function which will have to be
> maintained and available for ages. It will compete with the existing,
> per-application answer. The "fix your application / design" argument
> is thus stronger than with IPv4.

Another excellent point.


* Re: nonlocal_bind and IPv6
  2011-12-16 18:18         ` David Miller
@ 2011-12-17 10:52           ` Vincent Bernat
  0 siblings, 0 replies; 14+ messages in thread
From: Vincent Bernat @ 2011-12-17 10:52 UTC (permalink / raw)
  To: David Miller; +Cc: zenczykowski, netdev, yoshfuji

OoO During dinner on Friday, 16 December 2011, at around 19:18, David
Miller <davem@davemloft.net> said:

>> Moreover, I am just adding the IPv6 version of this setting. The IPv4
>> version already exists.

> I don't think the ipv4 feature was a wise thing to add, so just because
> ipv4 has something doesn't automatically make it appropriate to support
> it in ipv6 too.  So please don't use arguments like that.

Here are my arguments against using IP_FREEBIND:
 1. It needs to be applied to all services, which will take years. All
    services will need an option just for that (because usually a user
    does not want to be able to bind to a non-local IP). We could use
    some hacks with LD_PRELOAD, but that's just a hack.
 2. This option may just be unavailable because it is too low-level. For
    example, it is not available in the Python socket implementation (but I
    can still hardcode the numerical value). If I use some web
    framework, I will also have a hard time setting this option.
 3. This is a Linux-only option.

Here are the arguments for a sysctl:
 1. It is a system-wide configuration: you configure VRRP on your
    system, you enable this sysctl, nothing else to do.
 2. This is essentially a one-line modification. This will be quite easy
    to maintain for years.
 3. This is the natural option for many people. See for example:
     http://thread.gmane.org/gmane.comp.web.haproxy/7317/focus=7318
 4. Without it, people just do horrible things:
     http://thread.gmane.org/gmane.comp.web.haproxy/7317/focus=7321

Did I convince you?
-- 
Vincent Bernat ☯ http://vincent.bernat.im

 /*
  * We used to try various strange things. Let's not.
  */
	2.2.16 /usr/src/linux/fs/buffer.c
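An added example (editor's code, not from the patches or from anyone in the thread) showing both sides of the sysctl-versus-socket-option argument from userspace: bind_policy() reproduces the address check from the inet_bind() hunk as pure logic, and probe_bind() attempts a real bind() with and without IP_FREEBIND, the per-socket alternative Vincent's message compares against the sysctl. The two addresses are constructed documentation-range addresses that the host does not own, and IP_FREEBIND is defined as 15 only if the system headers lack it (the Linux value Vincent mentions hardcoding for Python).

```c
/* Added example, not code from the patches or the posters: bind_policy() mirrors
 * the inet_bind() check in pure logic; probe_bind() does a real bind(). */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_FREEBIND
#define IP_FREEBIND 15  /* Linux value; what a Python caller has to hardcode */
#endif

/* Address classes that matter to the check (subset of the kernel's RTN_*). */
enum addr_kind { ADDR_ANY, ADDR_LOCAL, ADDR_MULTICAST, ADDR_BROADCAST,
                 ADDR_NONLOCAL };

/* Returns 0 if bind() is allowed, -EADDRNOTAVAIL otherwise: non-local unicast
 * is refused unless the sysctl (ip_nonlocal_bind) or a per-socket flag
 * (IP_FREEBIND / IP_TRANSPARENT) is set, exactly as in the patched check. */
int bind_policy(int sysctl_nonlocal_bind, int freebind, int transparent,
                enum addr_kind kind)
{
    if (!sysctl_nonlocal_bind &&
        !(freebind || transparent) &&
        kind != ADDR_ANY && kind != ADDR_LOCAL &&
        kind != ADDR_MULTICAST && kind != ADDR_BROADCAST)
        return -EADDRNOTAVAIL;
    return 0;
}
/* Live probe: bind a UDP socket to ip:0. Returns 0 on success, -errno on
 * failure; -EINVAL for an unparsable address, before any socket is opened. */
int probe_bind(int family, const char *ip, int use_freebind)
{
    struct sockaddr_storage ss;
    struct sockaddr_in *s4 = (struct sockaddr_in *)&ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
    socklen_t len;
    int fd, rc;

    memset(&ss, 0, sizeof ss);
    if (family == AF_INET) {
        s4->sin_family = AF_INET;
        if (inet_pton(AF_INET, ip, &s4->sin_addr) != 1)
            return -EINVAL;
        len = sizeof *s4;
    } else {
        s6->sin6_family = AF_INET6;
        if (inet_pton(AF_INET6, ip, &s6->sin6_addr) != 1)
            return -EINVAL;
        len = sizeof *s6;
    }
    if ((fd = socket(family, SOCK_DGRAM, 0)) < 0)
        return -errno;
    /* IP_FREEBIND is a SOL_IP option but also applies to AF_INET6 sockets,
     * which is why it works for IPv6 without a dedicated IPv6 sysctl. */
    if (use_freebind && setsockopt(fd, IPPROTO_IP, IP_FREEBIND,
                                   &use_freebind, sizeof use_freebind) < 0)
        rc = -errno;
    else
        rc = bind(fd, (struct sockaddr *)&ss, len) == 0 ? 0 : -errno;
    close(fd);
    return rc;
}

int main(void)
{
    const char *v4 = "192.0.2.1", *v6 = "2001:db8::1"; /* constructed, not ours */
    printf("IPv4 plain:       %s\n", strerror(-probe_bind(AF_INET, v4, 0)));
    printf("IPv4 IP_FREEBIND: %s\n", strerror(-probe_bind(AF_INET, v4, 1)));
    printf("IPv6 plain:       %s\n", strerror(-probe_bind(AF_INET6, v6, 0)));
    printf("IPv6 IP_FREEBIND: %s\n", strerror(-probe_bind(AF_INET6, v6, 1)));
    return 0;
}
```

On a host with the sysctl off, the "plain" lines report EADDRNOTAVAIL and the IP_FREEBIND lines succeed; with the sysctl on, all four succeed, which is exactly the difference the thread is arguing about.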


* nonlocal_bind and IPv6
@ 2011-12-12 13:18 Vincent Bernat
  0 siblings, 0 replies; 14+ messages in thread
From: Vincent Bernat @ 2011-12-12 13:18 UTC (permalink / raw)
  To: netdev; +Cc: davem

Hi!

It is possible with IPv4 to set net.ipv4.ip_nonlocal_bind to 1 and to
bind to non-local addresses. This patch adds the same possibility for
IPv6. Since the IPv4 version is not constrained to a network
namespace, I have followed the same approach for the IPv6
version.

