BIND_TO DEVICE and the loopback interface
Oleg Goldshmidt
pub at goldshmidt.org
Fri Jul 3 13:23:48 IDT 2009
Hi Gilad,
> You have a network server application (it's a SIP UA but that
> doesn't matter much) that is bound to an IP on the media network
> interface. Because the media and management networks might be
> completely different, you use the BIND_TO_DEVICE socket option on
> the server sockets so that the kernel will only route traffic for
> that socket via that device.
I presume you mean SO_BINDTODEVICE. Disclaimer: I don't recall ever
using this option myself, so I don't assume I know the intricacies.
On an intuitive level, I would be very suspicious of any application
that does this. Doesn't this imply - unless the app performs a 3rd
degree interrogation of the underlying HW and OS - that the platform
will have to be configured in a very specific way for the app to work?
Isn't it more or less what your friend sees?
Besides, an app cannot override the OS-level policies (such as
routing) as a matter of design, security, etc. I think this is also
manifested in this example.
I think SO_BINDTODEVICE is intended primarily for raw sockets, and
those, in turn, are useful for very specific kinds of applications and
are not for general application level use.
> (lo), and since the server forces the kernel to only route traffic via
> the media interface,
Actually, I think a more precise way to phrase it is that the packets
that don't arrive at this interface are ignored...
> Required: a solution, generic as possible, extra points for no need to
> change server and client apps :-)
VLANs?
--
Oleg Goldshmidt | pub at goldshmidt.org
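An added example (not code from the thread) showing the behaviour discussed above: a UDP listener pinned to an interface with SO_BINDTODEVICE, plus a self-test over the loopback device. Function names, the constructed SIP-like payload and the requirement of Linux with an "lo" interface are assumptions of this example; on kernels before 5.7 the option also needs CAP_NET_RAW, which the code reports as -EPERM.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Close fd and return the errno that made us give up, as a negative value. */
static int fail_close(int fd) { int e = errno; close(fd); return -e; }

/* UDP socket on 127.0.0.1:port, pinned to interface ifname (hypothetical helper).
 * Returns the fd, or -errno: -ENODEV for an unknown device name, -EPERM on
 * kernels before 5.7 without CAP_NET_RAW. port 0 lets the kernel pick one. */
int udp_listener_on_device(const char *ifname, uint16_t port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -errno;
    if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifname, strlen(ifname)) < 0)
        return fail_close(fd);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) return fail_close(fd);
    return fd;
}

/* Send one constructed datagram from a plain client socket to the pinned
 * listener. Returns 1 if it was delivered, 0 if the kernel ignored it (one
 * second receive timeout), or -errno if the listener could not be set up. */
int loopback_delivers(const char *ifname) {
    int srv = udp_listener_on_device(ifname, 0);
    if (srv < 0) return srv;
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    if (getsockname(srv, (struct sockaddr *)&sa, &len) < 0) return fail_close(srv);
    struct timeval tv = { .tv_sec = 1, .tv_usec = 0 };
    setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);

    int cli = socket(AF_INET, SOCK_DGRAM, 0);
    if (cli < 0) return fail_close(srv);
    const char msg[] = "INVITE sip:test@127.0.0.1 SIP/2.0"; /* constructed payload */
    ssize_t n = sendto(cli, msg, sizeof msg, 0, (struct sockaddr *)&sa, sizeof sa);
    if (n < 0) { int e = errno; close(cli); close(srv); return -e; }
    close(cli);

    char buf[64];
    n = recv(srv, buf, sizeof buf, 0);   /* -1/EAGAIN on timeout */
    int rc = (n == (ssize_t)sizeof msg && memcmp(buf, msg, sizeof msg) == 0) ? 1 : 0;
    close(srv);
    return rc;
}
```

Traffic to 127.0.0.1 always arrives on lo, so this only shows the positive case; demonstrating a dropped packet needs a second interface the datagram arrives on.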