EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: firewalld configuration for EPICS?
From: Benjamin Franksen via Tech-talk <[email protected]>
To: <[email protected]>
Date: Mon, 8 Apr 2019 17:28:47 +0200

On 05.04.19 at 14:28, Dirk Zimoch via Tech-talk wrote:
> I installed it (without ca-2/tcp) and it works fine.

We found that such firewall rules do not work well in combination with
multiple soft IOCs on Linux. The problem is that for multiple CA servers
on the same machine to work as expected, it is necessary to add certain
iptables rules (see
https://wiki-ext.aps.anl.gov/epics/index.php/How_to_Make_Channel_Access_Reach_Multiple_Soft_IOCs_on_a_Linux_Host)
that convert incoming UDP unicasts (name resolution requests) to
broadcasts, internally. Unicasts will be sent when the client sets
EPICS_CA_ADDR_LIST to request a specific server.

The iptables solution is quite elegant but has an unfortunate
side-effect: the source port of the response packets will be re-written
to some randomly chosen ephemeral port. And that port doesn't match the
ports configured for the firewall, so the firewall doesn't let them
through. It is hard to find documentation for this behavior of iptables
on the internet. The keyword here is "implicit source port mapping".

We have been thinking about this problem for a while. I think the only
clean solution is for EPICS to offer something similar to the already
existing caRepeater, only for the server side. Let me call this thing
the "casRepeater". Similar to the CA client with the caRepeater, each CA
server would on startup try to locate a running instance of the
casRepeater, or else start a new one, then register with it. The task of
the casRepeater is to listen on port 5065 for unicasts and then forward
them to all registered CA servers.

Cheers
Ben
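
A diagnostic for the symptom described in this message, as an added example that is not part of the original e-mail or of EPICS: it pairs unicast CA search requests with their replies in `tcpdump -n` text output and flags replies whose source port is not the server port. The capture lines are constructed, and port 5064 (the CA server default) and the function name `audit_ca_replies` are assumptions to adjust for your site.

```python
import re
from collections import namedtuple

CA_SERVER_PORT = 5064  # assumed: default EPICS_CA_SERVER_PORT; change if overridden

# Constructed sample in `tcpdump -n udp` text format (not real traffic).
SAMPLE_CAPTURE = """\
12:00:00.000100 IP 10.0.0.5.40001 > 10.0.0.9.5064: UDP, length 48
12:00:00.000900 IP 10.0.0.9.5064 > 10.0.0.5.40001: UDP, length 40
12:00:01.000100 IP 10.0.0.5.40002 > 10.0.0.9.5064: UDP, length 48
12:00:01.000800 IP 10.0.0.9.38712 > 10.0.0.5.40002: UDP, length 40
12:00:02.000100 IP 10.0.0.5.40003 > 10.0.0.9.5064: UDP, length 48
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length \d+$"
)

Finding = namedtuple("Finding", "client server reply_port status")


def audit_ca_replies(capture, server_port=CA_SERVER_PORT):
    """Pair each unicast search request with its reply and classify the reply's source port."""
    pending = set()   # (client_ip, client_port, server_ip) of unanswered requests
    findings = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a plain IPv4 UDP line
        src, dst = m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if dport == server_port:
            pending.add((src, sport, dst))           # request: client -> server
        elif (dst, dport, src) in pending:
            pending.discard((dst, dport, src))       # reply: server -> client
            status = "ok" if sport == server_port else "source-port-rewritten"
            findings.append(Finding(f"{dst}:{dport}", src, sport, status))
    # Requests with no reply in the capture (e.g. dropped before the capture point).
    for client_ip, client_port, server_ip in sorted(pending):
        findings.append(Finding(f"{client_ip}:{client_port}", server_ip, None, "no-reply-seen"))
    return findings


if __name__ == "__main__":
    for finding in audit_ca_replies(SAMPLE_CAPTURE):
        print(finding)
```

A `source-port-rewritten` finding means a firewall rule keyed on the server port will not match that reply; `no-reply-seen` is what the same problem looks like when the capture is taken behind the firewall that dropped it.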

ANJ, 09 Apr 2019