--On Wednesday, December 10, 2008 08:34:29 AM -0500 Derrick Brashear
<[EMAIL PROTECTED]> wrote:
> On Wed, Dec 10, 2008 at 7:30 AM, Felix Frank <[EMAIL PROTECTED]> wrote:
>> So I should only have a NetInfo file (as I currently do)?
>> That being the case, why would the IP address ACLs stop working after a
>> period of time, and required the AFS client to be restarted?
> You could probably use tcpdump to determine whether interfaces other than
> the ACL'ed NIC are being used by the client. (No, it's not limited to
> TCP.)
> Since without a bound socket, the kernel may transmit your packets from
> any interface and not just the one whose IP address you permit, it's
> pretty likely that eventually packets will come from the wrong place.
> Hence the -rxbind suggestion.
Furthermore, the fileserver bases its access control decisions on the
address that you actually used, never on one you advertise. The fileserver
caches the result of this lookup, so changing source addresses will not
immediately result in a change in access rights, but since the cache is
refreshed periodically, it can result in a change later.
If you have a multi-homed machine and want to be sure you are getting the
access rights you intend, you need to either put all of the machine's
addresses on the ACL, or ensure that all requests sent to the fileserver
come from the address you intended. rxbind is one way to accomplish the
latter.
-- Jeff
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
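The behaviour Derrick and Jeff describe (the kernel picking a source address for an unbound socket, and the server judging access by the address the packet actually arrived from) can be reproduced on a single host. The script below is an added illustration, not OpenAFS code: a stand-in "fileserver" is a UDP socket on 127.0.0.1 with an ACL that permits only 127.0.0.2, and the "cache manager" sends one request either unbound (what happens without -rxbind) or bound to the permitted address (what -rxbind does). The addresses are constructed; the example assumes a Linux host, where the whole 127.0.0.0/8 block is local to the loopback interface, so no extra configuration is needed.

```python
import socket

# Constructed addresses: both live on loopback (127.0.0.0/8 on Linux), so this runs offline.
PERMITTED_ADDR = "127.0.0.2"   # the address that is on the fileserver's IP ACL
SERVER_ADDR = "127.0.0.1"      # where the stand-in fileserver listens
ACL = {PERMITTED_ADDR}         # assumed, constructed ACL: one permitted address


def start_fileserver():
    """Stand-in fileserver: a UDP socket on SERVER_ADDR with an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((SERVER_ADDR, 0))
    srv.settimeout(2.0)
    return srv


def serve_one(srv):
    """Answer one request, deciding on the address the datagram really came from.

    Like the real fileserver, nothing the client might advertise is consulted;
    only the source address observed on the wire matters.
    """
    _data, (src_ip, src_port) = srv.recvfrom(1024)
    verdict = b"PERMIT" if src_ip in ACL else b"DENY"
    srv.sendto(verdict, (src_ip, src_port))
    return src_ip, verdict.decode()


def run_scenario(bind_addr=None):
    """Send one request and return (source address the server saw, verdict).

    bind_addr=None leaves source-address selection to the kernel (no -rxbind).
    bind_addr="127.0.0.2" pins the source address, which is what -rxbind does.
    """
    srv = start_fileserver()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(2.0)
    try:
        if bind_addr is not None:
            cli.bind((bind_addr, 0))
        # UDP is queued in the kernel, so sending first and serving afterwards is fine.
        cli.sendto(b"fetch", srv.getsockname())
        seen_ip, verdict = serve_one(srv)
        reply, _ = cli.recvfrom(1024)
        assert reply.decode() == verdict
        return seen_ip, verdict
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    # Unbound: the kernel chooses 127.0.0.1 as the source for a packet to 127.0.0.1,
    # which is not on the ACL, so access is denied even though 127.0.0.2 is "ours".
    print("unbound :", run_scenario())
    # Bound (rxbind-style): every packet leaves from the permitted address.
    print("bound   :", run_scenario(PERMITTED_ADDR))
```

The unbound run is denied because the kernel, free to choose, picks the address that best matches the route rather than the one on the ACL. On a real multi-homed client the choice can also vary with routing changes, which is why access appears to work for a while and then stops; binding the socket (or listing every address of the host on the ACL, as Jeff suggests) removes the variability.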