On 05.04.19 at 14:28, Dirk Zimoch via Tech-talk wrote:
> I installed it (without ca-2/tcp) and it works fine.

We found that such firewall rules do not work well in combination with
multiple soft IOCs on Linux. The problem is that for multiple CA servers
on the same machine to work as expected, it is necessary to add certain
iptables rules (see
https://wiki-ext.aps.anl.gov/epics/index.php/How_to_Make_Channel_Access_Reach_Multiple_Soft_IOCs_on_a_Linux_Host)
that convert incoming UDP unicasts (name resolution requests) to
broadcasts, internally. Unicasts will be sent when the client sets
EPICS_CA_ADDR_LIST to request a specific server.

The iptables solution is quite elegant but has an unfortunate
side-effect: the source port of the response packets will be re-written
to some randomly chosen ephemeral port. And that port doesn't match the
ports configured for the firewall, so the firewall doesn't let them
through. It is hard to find documentation for this behavior of iptables
on the internet. The keyword here is "implicit source port mapping".

We have been thinking about this problem for a while. I think the only
clean solution is for EPICS to offer something similar to the already
existing caRepeater, only for the server side. Let me call this thing
the "casRepeater". Similar to the CA client with the caRepeater, each CA
server would on startup try to locate a running instance of the
casRepeater, or else start a new one, then register with it. The task of
the casRepeater is to listen on port 5065 for unicasts and then forward
them to all registered CA servers.

Cheers
Ben
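The message above proposes a server-side "casRepeater" as an alternative to the iptables DNAT trick. The sketch below is an added example written for this page, not EPICS code and not anything the author has implemented: a UDP fan-out proxy that listens on one well-known port, forwards every incoming datagram to each registered local server, and relays the servers' replies back to the original client from that same well-known port. The class and function names (`CasRepeater`, `start_fake_server`, `demo`), the use of port 0 to let the OS pick free ports, and the opaque `search:...` payload are all assumptions of the sketch; real CA search requests and replies are binary CA protocol messages, the fake servers here just echo, and the locate-or-start registration handshake the message describes is not modelled.

```python
import socket
import threading
import time

HOST = "127.0.0.1"   # everything stays on loopback so the sketch runs offline


def start_fake_server(name, idle_timeout=3.0):
    """Stand-in for a soft IOC's CA server on its own UDP port (an assumption
    of this sketch, not CA protocol): answers every datagram with the server
    name prefixed to the payload, sent back to whoever sent the request.
    Returns the bound port so the repeater can register it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((HOST, 0))                 # OS picks a free port
    sock.settimeout(idle_timeout)
    port = sock.getsockname()[1]

    def serve():
        while True:
            try:
                data, addr = sock.recvfrom(4096)
            except socket.timeout:       # idle long enough: shut down quietly
                sock.close()
                return
            sock.sendto(name.encode() + b":" + data, addr)

    threading.Thread(target=serve, daemon=True).start()
    return port


class CasRepeater:
    """Hypothetical server-side repeater: one well-known UDP port in front of
    several local servers. Incoming datagrams are fanned out to every
    registered server; replies are relayed to the original client from the
    well-known port, so the client sees one fixed source port instead of the
    NAT-chosen ephemeral port the message above describes for DNAT."""

    def __init__(self, collect_window=0.3):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((HOST, 0))        # a real deployment would use 5064/5065
        self.port = self.sock.getsockname()[1]
        self.servers = []                # registered (host, port) pairs
        self.collect_window = collect_window
        self._running = False
        self._thread = None

    def register(self, port):
        self.servers.append((HOST, port))

    def _fan_out(self, data, client):
        # A private socket per request keeps server replies apart from new
        # client requests arriving on the well-known port.
        relay = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        deadline = time.monotonic() + self.collect_window
        try:
            for server in self.servers:
                relay.sendto(data, server)
            while True:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    break
                relay.settimeout(remaining)
                try:
                    reply, _ = relay.recvfrom(4096)
                except socket.timeout:
                    break
                # Relay from the well-known port: stable source port for the
                # client and for any port-based firewall rule in between.
                self.sock.sendto(reply, client)
        finally:
            relay.close()

    def _serve(self):
        workers = []
        self.sock.settimeout(0.1)
        while self._running:
            try:
                data, client = self.sock.recvfrom(4096)
            except socket.timeout:
                continue
            t = threading.Thread(target=self._fan_out, args=(data, client), daemon=True)
            t.start()
            workers.append(t)
        for t in workers:                # let in-flight relays finish first
            t.join()
        self.sock.close()

    def start(self):
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._running = False
        if self._thread is not None:
            self._thread.join(timeout=2.0)


def demo(request=b"search:my:pv"):
    """Two fake servers behind one repeater; a client sends one unicast to the
    repeater's port. Returns (sorted replies, source ports seen, repeater port).
    The request bytes are constructed for the demo, not a CA message."""
    repeater = CasRepeater()
    for name in ("iocA", "iocB"):
        repeater.register(start_fake_server(name))
    repeater.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2.0)
    replies, source_ports = [], set()
    try:
        client.sendto(request, (HOST, repeater.port))
        for _ in range(len(repeater.servers)):
            data, (_, port) = client.recvfrom(4096)
            replies.append(data)
            source_ports.add(port)
    except socket.timeout:
        pass                             # partial result: some server did not answer
    finally:
        client.close()
        repeater.stop()
    return sorted(replies), source_ports, repeater.port


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both fake servers answering a single unicast and every reply arriving from the repeater's own port, which is the property a firewall rule keyed on a fixed UDP port needs. What the sketch deliberately leaves open is whether a real CA client can use a relayed search reply unchanged, since the client derives the server to contact from the reply itself; that is a CA protocol detail not covered on this page.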
- Replies:
- Re: firewalld configuration for EPICS? Goetz Pfeiffer via Tech-talk
- Re: firewalld configuration for EPICS? Dirk Zimoch via Tech-talk
- References:
- firewalld configuration for EPICS? Dirk Zimoch via Tech-talk
- Re: firewalld configuration for EPICS? Jörn Dreyer via Tech-talk
- Re: firewalld configuration for EPICS? Dirk Zimoch via Tech-talk