On Thu, 2012-11-15 at 11:18 +0100, Florian Weimer wrote:
> On 11/13/2012 11:44 PM, Andrew Stitcher wrote:
> > I've been working on getting the qpid C++ broker to listen only on specific
> > network interfaces if that is desired.
> 
> I think that this isn't possible on most systems because IP addresses 
> belong to the system, not individual interfaces.  But I think that it is 
> sufficient to explain in the documentation that configuring interfaces 
> only affects the addresses picked up by Qpid, and does not directly 
> prevent hosts on other interfaces from connecting to the service.
> 

I'm not sure I understand what you are saying here: Network interfaces
have configured addresses and you can discover which addresses are
configured to which interfaces - on Unix one user command that can do
this is "ifconfig". So listening on a network interface is equivalent to
listening on all interfaces of that interface.

It is true that this is assuming that addresses are fixed to interfaces
which is not strictly true, but for many server type cases is true
enough. See your other point below.

> > * Error behaviour
> >
> > The broker may be unable (for whatever reason) to listen on the
> > specified ports (Perhaps the specified network interface doesn't exist;
> > perhaps the specified address isn't actually an address of a connected
> > interface etc.). In this case we will not fall back to listening on
> > every network interface - the assumption here is that specifying some
> > interfaces is a deliberate restriction, quite possibly for security
> > reasons and so we must "fail safe" and not expose the broker to
> > potentially hostile network traffic because of a misconfiguration.
> 
> Do you intend to retry periodically, checking if the configured 
> interface has come up?  I think NetworkManager can generate events which 
> would help with that.  But other software does this as well (ntpd, for 
> example).

That is not intended (at this point in any case) as I'm not aware of any
portable (POSIX or even Win32) way of being notified of an address
appearing. It certainly is a factor to consider, I must admit I'm not
sure what the current behaviour would be for interfaces that come up
during the running of qpidd. If you are listening on the "any" address
do you get incoming connections on interfaces that appear after you are
started?

Andrew
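
Added example, not part of the original message and not qpid code: a sketch of the "fail safe" behaviour described above, where a listener binds only to the addresses currently configured on one interface and refuses to start rather than fall back to the wildcard address. It is narrowed to IPv4, and the names `addressesOf` and `listenOn` are hypothetical.

```cpp
// Added illustration, not qpid code: IPv4 only, function names are hypothetical.
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// IPv4 addresses currently configured on the named interface (may be none).
std::vector<in_addr> addressesOf(const std::string& ifname) {
    std::vector<in_addr> out;
    ifaddrs* list = nullptr;
    if (getifaddrs(&list) != 0) return out;
    for (ifaddrs* i = list; i; i = i->ifa_next)
        if (i->ifa_addr && i->ifa_addr->sa_family == AF_INET && ifname == i->ifa_name)
            out.push_back(reinterpret_cast<sockaddr_in*>(i->ifa_addr)->sin_addr);
    freeifaddrs(list);
    return out;
}

// Listen on every address of ifname, all or nothing. Never widens to INADDR_ANY.
// As raised in the thread, this restricts the local address, not the arrival interface.
std::vector<int> listenOn(const std::string& ifname, uint16_t port) {
    std::vector<in_addr> addrs = addressesOf(ifname);
    if (addrs.empty())
        throw std::runtime_error("no address on " + ifname + "; refusing to listen on all");
    std::vector<int> fds;
    for (const in_addr& a : addrs) {
        sockaddr_in sa{};
        sa.sin_family = AF_INET;
        sa.sin_port = htons(port);
        sa.sin_addr = a;
        int fd = socket(AF_INET, SOCK_STREAM, 0);
        int one = 1;
        if (fd >= 0) setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
        if (fd < 0 || bind(fd, reinterpret_cast<sockaddr*>(&sa), sizeof sa) != 0 || listen(fd, 16) != 0) {
            if (fd >= 0) close(fd);
            for (int f : fds) close(f);  // undo partial setup before failing
            throw std::runtime_error("cannot listen on " + ifname);
        }
        fds.push_back(fd);
    }
    return fds;
}
```

The address list is read once at startup, so an interface that comes up later is not picked up without a restart or a retry loop.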