SINGLESOCK - How much to strip away?
Eric S. Raymond
esr at thyrsus.com
Wed May 30 09:11:23 UTC 2018
(Consolidating replies to three messages.)
>recvmsg() gets you the interface index, not name. If you want to filter by
>name, you have to maintain an index-to-name array. Doing that once is
>probably reasonably clean. Keeping it up to date might get interesting.
You're talking about case ALPHA where we can't get rid of the code to
walk over interfaces anyway. We'd just walk that list every time we
get a packet and name filtering is on. Either that or we rebuild your
lookaside list every time we get a routing notification.
>Is there a clean way to get notified when an interface comes or goes?
Yes, that's what routing sockets give you - notification when there's
a routing change. (I don't understand the details well, but this seems
to be the big picture.)
>"listens on all interfaces" is misleading to me. It sounds like you mean one
>socket per interface when I think you really want to say wildcard.
Correct. Sorry for the confusion.
>Did you really mean external in "distrust of external packet filtering"? I
>thought the idea was to trust somebody else because a good admin wouldn't
>trust us (aka internal).
You are right, I should have written "internal".
>> The entire interface directive goes away, failing loudly. The -I and -L
>> options stay.
>That combination doesn't make any sense to me.
>Both -I and -L are already deprecated with a suggestion to use the interface
>command in the configuration file. Why would we keep them when deleting the
>thing users are supposed to switch to?
I agree. I'm not in favor of this combination. But apparently Gary and Jason
want to keep some sort of explicit interface selection. I don't know why.
>The man page for ntp.conf says:
> Default restriction list entries with the flags ignore, interface,
> ntpport, for each of the local host's interface addresses are
> inserted into the table at startup to prevent the server from
> attempting to synchronize to its own time.
>Has anybody confirmed that the current code maintains that when interfaces
I have not checked this.
>Does that mean that we need to maintain the ability to track interface
>changes no matter how many interfaces we listen on.
The code is written as though it works if there is no routing-socket
facility. So my guess is that this default setup is not really needed
- it's belt-and-suspenders against the possibility of an admin
misconfiguring to poll one of his own local addresses. I don't see
how else that loop could be initiated, now that anycast and broadcast
receive are gone.
>Do you have a good example? Google found one. My best guess so far is that
>IP_PKTINFO is a socket option and there is an assumption in recvmsg/sendmsg
>that there are no other options that would use "control" info.
That seems to be correct. There's example code at the Stack Interface answer
I included a link to.
>I can't find either IP_PKTINFO or in_pktinfo in /usr/include/ on FreeBSD. Is
>this going to be fatal?
Search for IP_PKTINFO. It's documented there. I don't know where the header
is lurking, though; that is a bit odd.
>OpenBSD has IN6P_PKTINFO and in6_pktinfo. I don't see anything for IPv4.
Considering how old RFC 3542 is (2003), it would be quite astonishing if this were
not implemented everywhere.
>Even if we have a single socket, do we still need to track interface changes?
If we're listening to all incoming traffic, I don't think so. A
packet's interface only matters if we have configuration features that
select on it. This is why I like Case OMEGA - we'd just heave all
that configuration crap overboard and not care.
>The interface configuration command has two cases: specify by interface name
>and specify by IP address. The IP address stuff is simple. Or at least
>simpler. We don't have to worry about tracking interfaces.
>If you were an admin and wanted to take packets from the red cable and
>ignore packets from the blue cable, how would you set things up? Would you
>filter by interface name or IP Address?
Ask a large-site admin, someone like Matt Selsky. I'm not one, I've never set
up anything like that.
>Are the cases where we want to use -I or the interface configure commands a
>subset of our total target that doesn't need interface tracking? I think
>that may work if you have static IP Addresses and filter by IP address rather
>than interface name. If you use DHCP, I think you need interface tracking.
Agreed. But again, if you don't internally filter by interface, nor
select interfaces with -I and -L, you never need to track routing changes
to begin with.
Stepping back a bit... I don't think I've ever seen a live ntp.conf
file with an 'interface' directive in it. Have you? Has anyone else?
Eric S. Raymond http://www.catb.org/~esr/
My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
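The recvmsg()/IP_PKTINFO mechanism discussed above, together with the index-to-name lookup that name-based filtering would need, as an added example; this is not NTPsec code and not part of the message above. It assumes a Linux-style socket API (struct in_pktinfo from RFC 3542-era BSD sockets, if_indextoname(3)), uses a single wildcard UDP socket plus one datagram sent to loopback as the live input, and also builds a constructed control buffer so the parsing can be exercised without a network. The accept list {"lo"} is invented for the demo.

```c
/* Added example (not NTPsec code): one wildcard UDP socket with IP_PKTINFO
 * enabled, so recvmsg() reports which interface and destination address each
 * datagram arrived on; a filter then accepts or drops by interface name.
 * _GNU_SOURCE is defined so glibc exposes struct in_pktinfo. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Walk the ancillary data of a received datagram and copy out the
 * IP_PKTINFO record if present. Returns 1 on success, 0 if absent. */
int extract_pktinfo(struct msghdr *msg, struct in_pktinfo *out)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            memcpy(out, CMSG_DATA(c), sizeof *out);
            return 1;
        }
    }
    return 0;
}

/* Accept-list check by interface name (NULL-terminated array). An index that
 * cannot be resolved is rejected rather than silently accepted. */
int interface_allowed(unsigned ifindex, const char *const *allowed)
{
    char name[IF_NAMESIZE];
    if (if_indextoname(ifindex, name) == NULL)
        return 0;
    for (; *allowed != NULL; allowed++)
        if (strcmp(name, *allowed) == 0)
            return 1;
    return 0;
}

/* Build a msghdr carrying a constructed IP_PKTINFO control message, so the
 * parser can be exercised offline. `buf` must hold CMSG_SPACE(sizeof pi). */
void build_pktinfo_msg(struct msghdr *msg, void *buf, size_t buflen,
                       unsigned ifindex, const char *dst)
{
    struct in_pktinfo pi;
    memset(&pi, 0, sizeof pi);
    pi.ipi_ifindex = (int)ifindex;
    inet_pton(AF_INET, dst, &pi.ipi_addr);          /* constructed destination */

    memset(msg, 0, sizeof *msg);
    memset(buf, 0, buflen);
    msg->msg_control = buf;
    msg->msg_controllen = buflen;
    struct cmsghdr *c = CMSG_FIRSTHDR(msg);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof pi);
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
    msg->msg_controllen = CMSG_SPACE(sizeof pi);
}

/* Round trip: build a constructed message, parse it back, and report whether
 * both the interface index and the destination address survived. */
int roundtrip_check(unsigned ifindex, const char *dst)
{
    unsigned char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct msghdr m;
    struct in_pktinfo pi, want;
    build_pktinfo_msg(&m, buf, sizeof buf, ifindex, dst);
    inet_pton(AF_INET, dst, &want.ipi_addr);
    return extract_pktinfo(&m, &pi) && (unsigned)pi.ipi_ifindex == ifindex &&
           pi.ipi_addr.s_addr == want.ipi_addr.s_addr;
}

/* Edge case: a datagram that carried no control data at all. */
int pktinfo_absent_case(void)
{
    struct msghdr m;
    struct in_pktinfo pi;
    memset(&m, 0, sizeof m);
    return extract_pktinfo(&m, &pi);
}

/* Stand-alone demo: wildcard bind, one datagram to loopback, then report the
 * arrival interface and apply the (invented) accept list. */
int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0), on = 1;
    setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof on);
    struct sockaddr_in any = {.sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_ANY)};
    bind(fd, (struct sockaddr *)&any, sizeof any);
    socklen_t alen = sizeof any;
    getsockname(fd, (struct sockaddr *)&any, &alen);   /* learn the ephemeral port */
    struct sockaddr_in lo = any;
    lo.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sendto(fd, "ping", 4, 0, (struct sockaddr *)&lo, sizeof lo);

    char data[64], ctrl[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct iovec iov = {.iov_base = data, .iov_len = sizeof data};
    struct msghdr msg = {.msg_iov = &iov, .msg_iovlen = 1,
                         .msg_control = ctrl, .msg_controllen = sizeof ctrl};
    if (recvmsg(fd, &msg, 0) < 0) { perror("recvmsg"); return 1; }

    struct in_pktinfo pi;
    if (extract_pktinfo(&msg, &pi)) {
        char name[IF_NAMESIZE], dst[INET_ADDRSTRLEN];
        const char *const allowed[] = {"lo", NULL};
        inet_ntop(AF_INET, &pi.ipi_addr, dst, sizeof dst);
        printf("arrived on ifindex %d (%s) to %s: %s\n", pi.ipi_ifindex,
               if_indextoname(pi.ipi_ifindex, name) ? name : "?", dst,
               interface_allowed(pi.ipi_ifindex, allowed) ? "accept" : "drop");
    }
    close(fd);
    return 0;
}
```

Note the design point this illustrates for the thread: with a single wildcard socket, the kernel still tells you per packet which interface it came in on, so name filtering needs only a per-packet if_indextoname() call (or a cached index-to-name table refreshed on routing-socket notifications) rather than one socket per interface.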