On 11/15/2012 03:50 PM, Andrew Stitcher wrote:
On Thu, 2012-11-15 at 11:18 +0100, Florian Weimer wrote:
On 11/13/2012 11:44 PM, Andrew Stitcher wrote:
I've been working on getting the qpid C++ broker to listen only on specific
network interfaces if that is desired.

I think that this isn't possible on most systems because IP addresses
belong to the system, not individual interfaces.  But I think that it is
sufficient to explain in the documentation that configuring interfaces
only affects the addresses picked up by Qpid, and does not directly
prevent hosts on other interfaces from connecting to the service.


I'm not sure I understand what you are saying here: Network interfaces
have configured addresses and you can discover which addresses are
configured to which interfaces - on Unix one user command that can do
this is "ifconfig". So listening on a network interface is equivalent to
listening on all interfaces of that interface.

"Listening to an interface" sounds like the system will only accept connections which arrive on that interface. This is not the case because most systems follow the weak end system model, and unless host-based packet filters are configured, any address is reachable over any interface (including 127.0.0.1).

Do you intend to retry periodically, checking if the configured
interface has come up?  I think NetworkManager can generate events which
would help with that.  But other software does this as well (ntpd, for
example).

That is not intended (at this point in any case) as I'm not aware of any
portable (POSIX or even Win32) way of being notified of an address
appearing.

Windows has APIs for that:

<http://msdn.microsoft.com/en-us/library/windows/desktop/aa366071%28v=vs.85%29.aspx>

I don't think POSIX standardizes anything related to network interfaces, so you're stuck with non-portable APIs anyway.

It certainly is a factor to consider, I must admit I'm not
sure what the current behaviour would be for interfaces that come up
during the running of qpidd. If you are listening on the "any" address
do you get incoming connections on interfaces that appear after you are
started?

If you listen on 0.0.0.0/::, a service becomes reachable on any additional addresses the host might receive.

--
Florian Weimer / Red Hat Product Security Team
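As an added example (not code from the thread, from Red Hat, or from the qpid project), the portable version of what "listen on interface X" can mean on a POSIX host: take the addresses that getifaddrs(3) reports for that interface name and bind a TCP listener to each; the function names are mine. Florian's caveat applies unchanged: on a weak-end-system host these addresses remain reachable through any interface, and addresses added to the interface after the snapshot are not picked up.

```c
/* Added example, not qpid's own code: "listen on interface X" done the only
 * portable way, by binding to every address currently configured on X. */
#include <ifaddrs.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Copy the IPv4/IPv6 addresses of interface `iface` out of an ifaddrs chain
 * (as returned by getifaddrs(3)), skipping link-layer entries and entries
 * without an address. Returns the number stored in `out`, at most `max`. */
int collect_iface_addrs(const struct ifaddrs *chain, const char *iface,
                        struct sockaddr_storage *out, int max)
{
    int n = 0;
    for (const struct ifaddrs *ifa = chain; ifa && n < max; ifa = ifa->ifa_next) {
        if (!ifa->ifa_addr || strcmp(ifa->ifa_name, iface) != 0)
            continue;
        if (ifa->ifa_addr->sa_family == AF_INET)
            memcpy(&out[n++], ifa->ifa_addr, sizeof(struct sockaddr_in));
        else if (ifa->ifa_addr->sa_family == AF_INET6)
            memcpy(&out[n++], ifa->ifa_addr, sizeof(struct sockaddr_in6));
    }
    return n;
}

/* Bind a TCP listener to one collected address on `port` (host byte order).
 * Caveat from the thread: under the weak end system model this address stays
 * reachable through any interface. Returns the listening fd, or -1. */
int listen_on_addr(struct sockaddr_storage *ss, unsigned short port)
{
    int v6 = ss->ss_family == AF_INET6, one = 1;
    socklen_t len = v6 ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
    if (v6) ((struct sockaddr_in6 *)ss)->sin6_port = htons(port);
    else    ((struct sockaddr_in *)ss)->sin_port = htons(port);
    int fd = socket(ss->ss_family, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (v6) setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof one);  /* one socket per address */
    if (bind(fd, (struct sockaddr *)ss, len) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

To use the two together, call getifaddrs(3), pass the chain to collect_iface_addrs, freeifaddrs(3) it, then call listen_on_addr on each result; the chain is a snapshot, so an address that appears on the interface later needs a fresh enumeration and a new listener.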
