AW: [Spread-users] RE: set ip to listen to

Stefan Becker sbecker at rapidsoft.de
Fri Mar 14 05:55:17 EDT 2008


Hi Jonathan,

Thanks for your detailed reporting. I checked out what you said and of course, you are right. UDP is showing up with its source parameters, in my case 0.0.0.0:33022. My problem is still that this port is open to the outside; it even shows up in a port scan we do from the "outside". So we (me and Moritz) dug a little into the spread sources and played around with some PHP test UDP scripts just to get the thing right. I attached a little patch which just calls bind() for every "sending" UDP channel (channel_type = 1). Usually you only do this when you want to receive on that UDP port (4803 and 4804). With our patch the UDP source IP is set to the internal IP as well and everything is fine. There should be no speed penalty since we call it only once in DL_init_channel().

The patch works with 3.17.2 and the current 4.0, and I tested it with two spread daemons on 2 servers via the internal interface. I used spuser on both machines and did some group joining, group exiting and of course sending messages.

It would be good if some of the core hackers could have a look at it. From our point of view this looks good and it works. We think there should not be an "open port" for those UDP senders because you could send data to it etc. Maybe we got it wrong :)

Greets,
stefan
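The behaviour the thread is about can be reproduced with a few lines of socket code. The following is an added example, not part of this message, the attached patch, or the Spread sources. It creates a send-only UDP socket twice: once without bind(), where the kernel auto-assigns 0.0.0.0:&lt;ephemeral&gt; on the first sendto() (the 0.0.0.0:47086 line in the netstat output), and once bound beforehand to a specific local address with port 0, which is what the patch does for the sending channel. The destination 127.0.0.1:4803, the "ping" payload and the function name udp_send_socket_local_addr are constructed for the example.

```c
/* Added example (not Spread's code): why a send-only UDP socket shows up as
 * 0.0.0.0:<port> unless bind() is called with a specific local address. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a UDP socket used only for sending. If local_ip is non-NULL, bind
 * it to local_ip with port 0 first (the kernel picks an ephemeral port, as it
 * would for an unbound sender). Then send one datagram to a constructed
 * destination and report the local address/port the kernel settled on via
 * getsockname(). Returns 0 on success, -1 on any socket error. */
int udp_send_socket_local_addr(const char *local_ip,
                               uint32_t *addr_out, uint16_t *port_out)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    if (local_ip != NULL) {
        struct sockaddr_in local;
        memset(&local, 0, sizeof local);
        local.sin_family = AF_INET;
        local.sin_port = 0;                      /* ephemeral port, fixed address */
        if (inet_pton(AF_INET, local_ip, &local.sin_addr) != 1 ||
            bind(fd, (struct sockaddr *)&local, sizeof local) != 0) {
            close(fd);
            return -1;
        }
    }

    /* Constructed destination: loopback, Spread's default daemon port 4803.
     * No listener is needed for an unconnected UDP sendto() to succeed. */
    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(4803);
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    const char payload[] = "ping";
    if (sendto(fd, payload, sizeof payload, 0,
               (struct sockaddr *)&dst, sizeof dst) < 0) {
        close(fd);
        return -1;
    }

    /* What the kernel now reports as the socket's local endpoint: this is the
     * address/port that netstat -lpn or lsof would list for the socket. */
    struct sockaddr_in got;
    socklen_t len = sizeof got;
    if (getsockname(fd, (struct sockaddr *)&got, &len) != 0) {
        close(fd);
        return -1;
    }
    *addr_out = ntohl(got.sin_addr.s_addr);
    *port_out = ntohs(got.sin_port);
    close(fd);
    return 0;
}

static void report(const char *label, const char *local_ip)
{
    uint32_t addr;
    uint16_t port;
    if (udp_send_socket_local_addr(local_ip, &addr, &port) != 0) {
        perror(label);
        return;
    }
    struct in_addr a = { .s_addr = htonl(addr) };
    printf("%-20s local endpoint %s:%u\n", label, inet_ntoa(a), port);
}

int main(void)
{
    report("unbound sender:", NULL);          /* 0.0.0.0:<ephemeral>   */
    report("bound to 127.0.0.1:", "127.0.0.1"); /* 127.0.0.1:<ephemeral> */
    return 0;
}
```

The point for a daemon is the same as in the patch: binding the sending socket to the internal interface address (with port 0) costs one extra syscall at channel setup and means the socket is no longer reachable on every interface, so it disappears from an external port scan while outgoing datagrams still work.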

-----Original Message-----
From: Jonathan Stanton [mailto:jonathan at cnds.jhu.edu]
Sent: Wednesday, 12 March 2008 17:03
To: Stefan Becker
Cc: spread-users at lists.spread.org
Subject: Re: [Spread-users] RE: set ip to listen to

Hello,

I thought it was a bit odd at first too, so I looked into it. I'll give
an example from my machine and what each socket is used for. In your
case, I think the extra UDP socket that is showing up is a socket used
to 'send' UDP datagrams from Spread, but is never used to receive, so it
is not bound to a specific interface or port.

Here is my full list. I used lsof instead of netstat as the Mac version
of netstat doesn't show the program name like the linux netstat -lp
does.

Goldberry:mac jonathan$ lsof -n -i | grep spread
spread    40116 jonathan    3u  IPv4 0x3bbf518      0t0  UDP 10.0.1.150:4803
spread    40116 jonathan    4u  IPv4 0x3bc2380      0t0  UDP 10.0.1.150:4804
spread    40116 jonathan    5u  IPv4 0x3bbfd88      0t0  UDP *:*
spread    40116 jonathan    6u  IPv4 0x3dfc66c      0t0  TCP 10.0.1.150:4803 (LISTEN)
spread    40116 jonathan    7u  unix 0x7ff46e8       0t0    /tmp/4803
spread    40116 jonathan    8u  IPv4 0x3bbf5f0      0t0  UDP *:*

First line (file descriptor 3) is the main socket for receiving
daemon-to-daemon data messages. If you have a multi-node configuration
you will also see a UDP/IP socket bound to your "broadcast" address and
port 4803. This is needed on most unixes to receive broadcast/multicast
traffic when you are binding to specific interfaces. This is controlled
by the configuration file "D" option.

Second line (fd 4) is the main socket for the daemon receiving the Token
that controls flow and reliability. This is controlled by the
configuration file "D" option.

Third line (fd 5) is the UDP sending socket, so 'bind()' is never called
for it as it is only used to send outgoing UDP datagrams. Since it is
only sending, it is not bound to a specific interface.

Fourth line (fd 6) is the socket listening for TCP client connections.
This is controlled by the configuration file "C" option.

Fifth line (fd 7) is used for the UNIX domain socket for client
connections on the local machine.

Sixth line (fd 8) is a UDP socket created to SEND status reports to the
monitor program. The incoming datagrams from the monitor program are
received on the main daemon socket (4803), but sending the status report
messages back uses its own socket. This is not controlled by the
configuration file, but is only used for sending and the port number is
assigned from the ephemeral ports when a datagram is sent.

So I think there is not any problem with the extra UDP socket existing,
as it is only used to send. The only reason it shows up in your list is
that we don't 'create' the socket only when we want to send traffic, but
leave it up all the time.

If you still think that's a problem or want to talk about it just let me
know.

Cheers,

Jonathan

On Fri, Mar 07, 2008 at 11:25:01AM +0100, Stefan Becker wrote:
> Hi daniel (and jonathan),
>
> Thanks for your replies. I did what you said and netstat -lpn got a little better. But there is still one entry which should not be there:
>
> m1:~# netstat -lpn | grep spread
> tcp        0      0 10.10.100.10:4803       0.0.0.0:*               LISTEN     12168/spread
> udp        0      0 10.10.100.10:4803       0.0.0.0:*                          12168/spread
> udp        0      0 10.10.100.10:4804       0.0.0.0:*                          12168/spread
> udp        0      0 0.0.0.0:47086           0.0.0.0:*                          12168/spread
> unix  2      [ ACC ]     STREAM     HÖRT          798406539 12168/spread        /tmp/4803
> m1:~#
>
> Here is my spread config:
>
> Spread_Segment 10.10.100.255 {
>
>         m1 10.10.100.10 {
>            D 10.10.100.10
>            C 10.10.100.10
>         }
>
> }
>
> Other than that I did not change the default spread config. I am using spread Version 3.17.02 Built 5/March/2004 (debian package). I start spread with:
>
> m1:~# spread -n m1
>
> I use supervise for process monitoring just for info.
>
> Any other ideas?
>
> Greets,
> stefan
>
> -----Original Message-----
> From: Daniel F. Savarese [mailto:dfs at savarese.org]
> Sent: Thursday, 14 February 2008 18:08
> To: Stefan Becker
> Subject: Re: [Spread-users] set ips to listen on
>
>
> I wrote:
> >If you don't want to hack spread to bind to a specific interface, then
> >you have to install firewall rules to prevent outside access.  That's
>
> Sorry for replying.  Obviously, I didn't know what I was talking about.
> As Jonathan indicated, the following works to force binding only to
> a specific interface (in this case, localhost):
>
> Spread_Segment  127.0.0.255:4803 {
>   localhost 127.0.0.1 {
>     D 127.0.0.1
>     C 127.0.0.1
>   }
> }
>
> _______________________________________________
> Spread-users mailing list
> Spread-users at lists.spread.org
> http://lists.spread.org/mailman/listinfo/spread-users

--
-------------------------------------------------------
Jonathan R. Stanton         jonathan at cs.jhu.edu
Dept. of Computer Science
Johns Hopkins University
-------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spread-bind.patch
Type: application/octet-stream
Size: 1254 bytes
Desc: spread-bind.patch
Url : http://lists.spread.org/pipermail/spread-users/attachments/20080314/788b3b11/attachment.obj 