EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: Proposed Changes in EPICS Base, PCAS and ca-gateway: Ignore IPs by environment / check IPs in access security
From: Goetz Pfeiffer via Core-talk <[email protected]>
To: "J. Lewis Muir" <[email protected]>
Cc: [email protected]
Date: Mon, 9 Dec 2019 11:05:49 +0100
On 12/6/19 10:48 PM, J. Lewis Muir wrote:
> On 12/06, Goetz Pfeiffer via Core-talk wrote:
>> I would like to hear your comments and suggestions regarding this topic.
>>
>> The changes consist of three parts:
>>
>> - Define networks to be ignored by servers with environment variable
>>   EPICS_CAS_IGNORE_NET_LIST
> What about just using EPICS_CAS_IGNORE_ADDR_LIST but extending its
> syntax to allow specifying networks (e.g., 192.168.12.0/24)?  Or you
> could extend the syntax to allow specifying a range with a ".." literal
> (e.g., 192.168.12.0..255)?
>
> It seems a bit weird to have two separate variables: one for addresses
> and one for networks.  You're still trying to specify a list of
> addresses, you're just wanting to introduce the ability to specify a
> range of addresses in a short form.
>
>> - Define networks to be ignored by clients with environment variable
>>   EPICS_CA_IGNORE_NET_LIST
> Similar comment here as above.  What about just adding
> EPICS_CA_IGNORE_ADDR_LIST instead, and using it like
> EPICS_CAS_IGNORE_ADDR_LIST?
>
> Lewis

Hello,

EPICS_CAS_IGNORE_ADDR_LIST is in the end scanned by function aToIPAddr in aToIPAddr.c.
As you can see there this supports various formats like:

192.167.18.10
192.167.18.10:6064
3232174602
3232174602:6064
myhost.example.com
myhost.example.com:6064

However, for defining an IP subnet, you don't need a port number, you cannot use a
DNS hostname and a raw integer is not really needed.

I thought it a cleaner approach to have IP subnets with the "dotted decimal" address
notation in a separate variable instead of mixing it with entries in EPICS_CAS_IGNORE_ADDR_LIST.

A variable EPICS_CA_IGNORE_ADDR_LIST does not exist up to now; for name
consistency I named my variable EPICS_CA_IGNORE_NET_LIST.

An IP range would be more flexible than the CIDR or ADDR:MASK specification of
a subnet. If there is a consensus that this is needed, this could be implemented. I thought
the usual case is you want to specify subnets.

Greetings

  Goetz
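
Added example (not part of the original message and not code from EPICS Base or the proposed patch): a strict parser for the two subnet notations named above, CIDR and ADDR:MASK in dotted decimal, plus the membership check a server or client would apply to a peer address. The names ignore_net, parse_ignore_net and is_ignored are hypothetical, and the sketch assumes IPv4 and POSIX inet_pton.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical type (not from EPICS Base): one subnet, host byte order. */
typedef struct { uint32_t net, mask; } ignore_net;

/* Parse "A.B.C.D/len" or "A.B.C.D:M.M.M.M". Returns 0 on success, -1 on
 * anything else, so ports, raw integers and host names are all rejected. */
int parse_ignore_net(const char *s, ignore_net *out)
{
    char buf[40];
    struct in_addr a, m;
    size_t n = strcspn(s, "/:");

    if (n == 0 || n >= sizeof buf || s[n] == '\0') return -1;
    memcpy(buf, s, n);
    buf[n] = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;   /* dotted decimal only */

    if (s[n] == '/') {
        char *end;
        long len;
        if (!isdigit((unsigned char)s[n + 1])) return -1;
        len = strtol(s + n + 1, &end, 10);
        if (*end != '\0' || len > 32) return -1;
        out->mask = len ? 0xFFFFFFFFu << (32 - len) : 0;  /* avoid shift by 32 */
    } else {
        uint32_t inv;
        if (inet_pton(AF_INET, s + n + 1, &m) != 1) return -1;
        out->mask = ntohl(m.s_addr);
        inv = ~out->mask;
        if (inv & (inv + 1)) return -1;   /* mask bits must be contiguous */
    }
    out->net = ntohl(a.s_addr) & out->mask;   /* drop host bits of the entry */
    return 0;
}

/* 1 if src lies in any listed subnet, 0 if not, -1 if src is not an address. */
int is_ignored(const char *src, const ignore_net *nets, size_t count)
{
    struct in_addr a;
    size_t i;
    if (inet_pton(AF_INET, src, &a) != 1) return -1;
    for (i = 0; i < count; i++)
        if ((ntohl(a.s_addr) & nets[i].mask) == nets[i].net) return 1;
    return 0;
}
```

With entries constructed from the addresses listed above, "192.167.18.0/24" and "192.167.18.0:255.255.255.0" parse to the same subnet, while "192.167.18.10:6064", "3232174602" and "myhost.example.com" are rejected as subnet entries.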







Replies:
Re: Proposed Changes in EPICS Base, PCAS and ca-gateway: Ignore IPs by environment / check IPs in access security Ralph Lange via Core-talk
References:
Proposed Changes in EPICS Base, PCAS and ca-gateway: Ignore IPs by environment / check IPs in access security Goetz Pfeiffer via Core-talk
Re: Proposed Changes in EPICS Base, PCAS and ca-gateway: Ignore IPs by environment / check IPs in access security J. Lewis Muir via Core-talk
