On Tue, Feb 12, 2013 at 07:42:08AM -0500, David Coulson wrote:
>
> On 2/12/13 7:38 AM, Cornelius Riemenschneider wrote:
> >RE: Problems with 1.5-dev17 and bind to interface
> >
> >Ah okay, I expected bind :*12340 interface eth1 to listen to traffic
> >coming to the interface, not to bind to all IPs which are bound to the
> >interface at the moment of starting haproxy. If that's really the
> >case, the documentation of bind interface could be improved.
> >
> There isn't a concept of 'bind to port 12345 on interface eth1'. It's
> either bind to *:12345 or x.x.x.x:1234
No David, Cornelius is right. "interface eth1" means that a call to
setsockopt(SO_BINDTODEVICE) is performed before the bind() to tell the
kernel that only traffic coming from *this* interface only is accepted
on this socket. It does nothing else and is not related to any address.
Haproxy does nothing else (and cannot do anything else) to selectively
accept traffic. So if some traffic still slips through, I can only see
two possibilities:
- sometimes the traffic enters via another interface. This can happen
for example when two interfaces are attached to the same LAN, because
the traffic randomly comes via the interface that responds to the ARP
request;
- there's a bug in the kernel causing some incoming connections on one
interface to be delivered to a socket which is explicitly bound to
another one. That would be rather strange but still possible.
Cornelius, do you have an idea of the rate of connections that are
incorrectly accepted and which should not? Do you log them? Maybe
you'll discover that they really come from the interface you're bound
to (eg: another device sending regular checks over this interface while
you're testing on another one).
Regards,
Willy
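The mechanism Willy describes above (SO_BINDTODEVICE set on the socket before bind(), with no address involved) is shown below as an added example; it is not code from haproxy or from anyone in this thread. The function names `listen_on_device` and `bound_device` are assumptions chosen for illustration, the example is Linux-only (SO_BINDTODEVICE is a Linux socket option; other systems get ENOTSUP), and setting the option needs CAP_NET_RAW on older kernels, in which case the call fails with EPERM.

```c
/* Added example: a listening socket restricted to one interface the way
 * haproxy's "bind ... interface <name>" is described in the thread:
 * setsockopt(SO_BINDTODEVICE) first, then bind() to a wildcard address.
 * Function names are hypothetical; Linux only. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP listener on *:port that accepts only traffic arriving on
 * interface ifname. Returns the listening fd, or -1 with errno set. */
int listen_on_device(const char *ifname, uint16_t port)
{
    /* Validate the name before touching any socket: the kernel copies at
     * most IFNAMSIZ bytes, so longer names are refused up front. */
    if (ifname == NULL || ifname[0] == '\0' || strlen(ifname) >= IFNAMSIZ) {
        errno = EINVAL;
        return -1;
    }

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

#ifdef SO_BINDTODEVICE
    /* This is the whole "interface" feature: the kernel will only deliver
     * packets that entered via ifname to this socket. It says nothing
     * about which addresses the socket listens on. */
    if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifname, strlen(ifname) + 1) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
#else
    close(fd);
    errno = ENOTSUP;
    return -1;
#endif

    /* Address selection is independent of the device restriction: bind to
     * the wildcard address, so any IP reaching the device is accepted. */
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);

    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Read back the device a socket is restricted to (empty string if none).
 * Useful when checking, as suggested in the thread, whether a socket that
 * accepted unexpected traffic really carries the restriction. Returns 0
 * on success, -1 with errno set otherwise. */
int bound_device(int fd, char *buf, size_t buflen)
{
#ifdef SO_BINDTODEVICE
    socklen_t len = (socklen_t)buflen;
    memset(buf, 0, buflen);
    if (getsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, buf, &len) < 0)
        return -1;
    return 0;
#else
    (void)fd; (void)buf; (void)buflen;
    errno = ENOTSUP;
    return -1;
#endif
}

int main(void)
{
    /* Port 0 lets the kernel pick a free port; "lo" exists on every Linux box. */
    int fd = listen_on_device("lo", 0);
    if (fd < 0) {
        perror("listen_on_device");
        return 1;
    }
    char name[IFNAMSIZ];
    if (bound_device(fd, name, sizeof name) == 0)
        printf("socket %d restricted to device '%s'\n", fd, name);
    close(fd);
    return 0;
}
```

Note that `bound_device` only tells you the restriction is in place; it cannot tell you which interface a given accepted connection actually came in on, which is why Willy asks for logging of the unexpected connections rather than for the socket configuration.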