James,
I added these functions below to filter IP addresses we get from
VOP_IOCTL(SIOCGLIFCONF).
I also look at (lp->lifr_flags & (IFF_LOOPBACK|IFF_ANYCAST)) after
VOP_IOCTL(SIOCGLIFFLAGS)
1) It seems these are redundant checks and I could just filter based on
address and not do the extra ioctl for the flags.
Do you have a feel for which is more reliable?
2) I'm not sure I want to filter on IN6_IS_ADDR_LINKLOCAL(addr6). Isn't
it possible for the initiator and target to be on the same local net
and connect on these addresses?
thanks,
-jim
/*
 * IP address filter functions to flag addresses that should not
 * go out to initiators through discovery.
 */
static boolean_t
idm_v4_addr_okay(struct in_addr *in_addr)
{
	/* Convert to host byte order before applying the class macros. */
	in_addr_t addr = ntohl(in_addr->s_addr);

	if ((INADDR_NONE == addr) ||
	    (IN_MULTICAST(addr)) ||
	    ((addr >> IN_CLASSA_NSHIFT) == 0) ||
	    ((addr >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)) {
		return (B_FALSE);
	}
	return (B_TRUE);
}

static boolean_t
idm_v6_addr_okay(struct in6_addr *addr6)
{
	if ((IN6_IS_ADDR_UNSPECIFIED(addr6)) ||
	    (IN6_IS_ADDR_LOOPBACK(addr6)) ||
	    (IN6_IS_ADDR_MULTICAST(addr6)) ||
	    (IN6_IS_ADDR_V4MAPPED(addr6)) ||
	    (IN6_IS_ADDR_V4COMPAT(addr6)) ||
	    (IN6_IS_ADDR_LINKLOCAL(addr6))) {
		return (B_FALSE);
	}
	return (B_TRUE);
}

On 09/23/08 14:47, James Carlson wrote:
Jim Moore writes:
I have to confess this code was modeled after the current target daemon
without further consideration. We do realize that the interfaces given
out may not be reachable by the initiator. The idea is that the
initiator is given 1 good address and can use that to acquire more
addresses for multipathing or iSCSI protocol level trunking. In a well
designed network, the targets are confined to administrator assigned
interfaces and those are the only ones given out. But if the
administrator doesn't specify, then the "kitchen sink" code kicks in
and hands out everything (except loopback).

I'm still pretty skeptical of this design, but if this "must" be done
(rather than doing the obvious thing: handing out exactly *one*
address from getsockname when the administrator doesn't specify a
list), then I think you're on the hook to filter out any bogons that
might appear.
Assuming you have an IPv4 address in network byte order, code like
this should test the address reasonably:
	boolean_t
	address_is_ok(in_addr_t addr)
	{
		in_addr_t hostaddr = ntohl(addr);

		if (IN_MULTICAST(hostaddr) || hostaddr == INADDR_NONE)
			return (B_FALSE);
		if ((hostaddr >> IN_CLASSA_NSHIFT) == 0 ||
		    (hostaddr >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
			return (B_FALSE);
		return (B_TRUE);
	}
For IPv6, it's quite a bit harder to check, because there are several
flavors of "bad" addresses. You'll probably want to exclude addresses
that match with any of these:
IN6_IS_ADDR_UNSPECIFIED
IN6_IS_ADDR_LOOPBACK
IN6_IS_ADDR_MULTICAST
IN6_IS_ADDR_V4MAPPED
IN6_IS_ADDR_V4COMPAT
You may also need to check for (and exclude) this, unless you happen
to know that the peer is on the *same* link:
IN6_IS_ADDR_LINKLOCAL
The tests above won't avoid problems with routing unreachability, but
at least they're not testing for just "lo0".
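
Added example, not part of the original messages and not the project's code: a user-space C sketch that combines the IPv4 and IPv6 tests discussed in this thread into one filter and makes the link-local decision an explicit parameter. The names discovery_addr_ok, text_addr_ok and peer_on_link are hypothetical, and the sample addresses are constructed from documentation prefixes.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/socket.h>

/* Hypothetical helper (not from the thread): may this address be advertised? */
static bool discovery_addr_ok(const struct sockaddr *sa, bool peer_on_link)
{
    if (sa->sa_family == AF_INET) {
        in_addr_t h = ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr);
        if (IN_MULTICAST(h) || h == INADDR_NONE)
            return false;
        /* Reject 0.0.0.0/8 and 127.0.0.0/8. */
        return (h >> IN_CLASSA_NSHIFT) != 0 &&
            (h >> IN_CLASSA_NSHIFT) != IN_LOOPBACKNET;
    }
    if (sa->sa_family == AF_INET6) {
        const struct in6_addr *a6 = &((const struct sockaddr_in6 *)sa)->sin6_addr;
        if (IN6_IS_ADDR_UNSPECIFIED(a6) || IN6_IS_ADDR_LOOPBACK(a6) ||
            IN6_IS_ADDR_MULTICAST(a6) || IN6_IS_ADDR_V4MAPPED(a6) ||
            IN6_IS_ADDR_V4COMPAT(a6))
            return false;
        /* Link-local is only usable when the peer shares the link. */
        return IN6_IS_ADDR_LINKLOCAL(a6) ? peer_on_link : true;
    }
    return false;   /* unknown address family: never advertise */
}

/* Parse a textual address (IPv4 first, then IPv6) and run the filter. */
static bool text_addr_ok(const char *text, bool peer_on_link)
{
    struct sockaddr_storage ss = {0};
    if (inet_pton(AF_INET, text, &((struct sockaddr_in *)&ss)->sin_addr) == 1)
        ss.ss_family = AF_INET;
    else if (inet_pton(AF_INET6, text, &((struct sockaddr_in6 *)&ss)->sin6_addr) == 1)
        ss.ss_family = AF_INET6;
    else
        return false;
    return discovery_addr_ok((const struct sockaddr *)&ss, peer_on_link);
}

int main(void)
{
    const char *c[] = { "192.0.2.10", "127.0.0.1", "2001:db8::1", "fe80::1" }; /* constructed */
    for (size_t i = 0; i < sizeof(c) / sizeof(c[0]); i++)
        printf("%s %d %d\n", c[i], text_addr_ok(c[i], false), text_addr_ok(c[i], true));
    return 0;
}
```

As the thread notes, a filter like this only removes addresses that can never be valid targets; it says nothing about whether a remaining address is routable from the initiator.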