BIND_TO DEVICE and the loopback interface

Aviv Greenberg avivgnet at gmail.com
Fri Jul 3 18:54:25 IDT 2009


From what I understand - you have 3 network interfaces: one for media,
one for management and loopback.

Why don't you create 2 listeners (media+loopback) from the application
- such that only local connections or connections coming from the
media interface (but not the management) are received?

If the above is not for you, you can try to define some netfilter
NAT-like rule (pre route?) that takes any incoming packet where src ip
== 127.0.0.x and dest port == media and changes the src ip to some
fake ip address.


On 03/07/2009, Oleg Goldshmidt <pub at goldshmidt.org> wrote:
>
>  Hi Gilad,
>
>
>  > You have a network server application (it's a SIP UA but that
>  > doesn't matter much) that is bound to an IP on the media network
>  > interface. Because the media and management networks might be
>  > completely different, you use the BIND_TO_DEVICE socket option on
>  > the server sockets so that the kernel will only route traffic for
>  > that socket via that device.
>
>
> I presume you mean SO_BINDTODEVICE. Disclaimer: I don't recall ever
>  using this option myself, so I don't assume I know the intricacies.
>
>  On an intuitive level, I would be very suspicious of any application
>  that does this. Doesn't this imply - unless the app performs a 3rd
>  degree interrogation of the underlying HW and OS - that the platform
>  will have to be configured in a very specific way for the app to work?
>  Isn't it more or less what your friend sees?
>
>  Besides, an app cannot override the OS-level policies (such as
>  routing) as a matter of design, security, etc. I think this is also
>  manifested in this example.
>
>  I think SO_BINDTODEVICE is intended primarily for raw sockets, and
>  those, in turn, are useful for very specific kinds of applications and
>  are not for general application level use.
>
>
>  > (lo), and since the server forces the kernel to only route traffic via
>  > the media interface,
>
>
> Actually, I think a more precise way to phrase it is that the packets
>  that don't arrive at this interface are ignored...
>
>
>  > Required: a solution, generic as possible, extra points for no need to
>  > change server and client apps :-)
>
>
> VLANs?
>
>
>  --
>  Oleg Goldshmidt | pub at goldshmidt.org
>
>
>  _______________________________________________
>  Linux-il mailing list
>  Linux-il at cs.huji.ac.il
>  http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
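The two-listener approach suggested above (one SO_BINDTODEVICE socket on the media interface, one on lo, served from a single select loop), as an added example that is not code from the original thread. The media interface name and address are placeholders, and the built-in self-test only exercises the loopback listener.

```python
import errno
import select
import socket


def open_listener(ifname: str, ip: str, port: int) -> socket.socket:
    """UDP socket that only sees datagrams which ingress via `ifname`.

    A datagram addressed to `ip` that arrives on another interface
    (e.g. management) is dropped for this socket. Linux only; before
    kernel 5.7 setting SO_BINDTODEVICE also needs CAP_NET_RAW.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, ifname.encode())
    sock.bind((ip, port))
    return sock


def bound_device(sock: socket.socket) -> str:
    """Read back the device name the kernel attached to the socket."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, 16)
    return raw.rstrip(b"\0").decode()


def serve_once(listeners: dict, timeout: float = 1.0) -> list:
    """Wait for datagrams on all listeners; return (name, peer, payload)."""
    ready, _, _ = select.select(list(listeners.values()), [], [], timeout)
    received = []
    for sock in ready:
        data, peer = sock.recvfrom(2048)
        name = next(n for n, s in listeners.items() if s is sock)
        received.append((name, peer, data))
    return received


def loopback_self_test() -> list:
    """Constructed check: one datagram over lo, see which listener got it."""
    listeners = {"loopback": open_listener("lo", "127.0.0.1", 0)}
    port = listeners["loopback"].getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.sendto(b"INVITE", ("127.0.0.1", port))
    got = serve_once(listeners)
    client.close()
    for s in listeners.values():
        s.close()
    return got


if __name__ == "__main__":
    MEDIA_IFNAME, MEDIA_IP = "eth1", "192.0.2.10"  # placeholders, set per host
    listeners = {"loopback": open_listener("lo", "127.0.0.1", 5060)}
    try:
        listeners["media"] = open_listener(MEDIA_IFNAME, MEDIA_IP, 5060)
    except OSError as e:
        print("media listener not opened:", errno.errorcode.get(e.errno, e))
    print({n: bound_device(s) for n, s in listeners.items()})
    print(serve_once(listeners, timeout=5.0))
```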