RE: Need clarification on UDP Broadcasting to multiple IOCs on same PC

["Manoussakis, Adamandios via Tech-talk" <tech-talk at aps.anl.gov>]

Hi Ralph,

 

Just to make sure I understand that rule then it is just replacing the header and wireshark would not see that traffic at .255 since its not really being sent to an interface?  If this is the case is there anyway to know for sure the iptables rule is being used if I cant see the traffic at .255 on wireshark?

 

I thought when the EPICS_CA_ADDR_LIST is set to a specified IP address that the UDP are unicasts and when set to the broadcast address .255 then the UDP are broadcasts?  For example if I have my ENV variables EPICS_CA_ADDR_LIST=localhost isn’t the cagets going to be UDP unicasts?  Then if I also have the cagateway setup for EPICS_CA_ADDR_LIST=localhost also shouldn’t the client for the gateway also end up using the firewall iptables rule?  Cant seem to figure out why the client side of the gateway doesn’t seem to use iptables rule then.

 

What is the difference then between EPICS_CA_ADDR_LIST=192.168.0.255, EPICS_CA_SERVER_PORT=5064 and using the iptables rule of routing all 5064 udp traffic to 192.168.0.255:5064 instead of say localhost:5064?

 

Thanks for your help!

 

 

 

From: Tech-talk <tech-talk-bounces at aps.anl.gov> On Behalf Of Ralph Lange via Tech-talk
Sent: Tuesday, December 7, 2021 10:46 AM
To: EPICS Tech Talk <tech-talk at aps.anl.gov>
Subject: Re: Need clarification on UDP Broadcasting to multiple IOCs on same PC

 

Hi Adam,

 

On Tue, 7 Dec 2021 at 19:30, Manoussakis, Adamandios via Tech-talk <tech-talk at aps.anl.gov> wrote:

 I have been trying to understand the UDP broadcast requests when having multiple IOCs running on a single host (ubuntu).  I am using the script from https://wiki-ext.aps.anl.gov/epics/index.php/How_to_Make_Channel_Access_Reach_Multiple_Soft_IOCs_on_a_Linux_Host and the rule is in place on my host:    0     0 DNAT       udp  --  any    any     anywhere             ubuntu               udp dpt:5064 to:192.168.252.255.  My confusion comes from that when I hook up wireshark to my local interface I am seeing traffic from caget requests but don’t seem to see the broadcast going out (192.168.252.255:5064).  The rule seems like any source traffic pointed at my hostname should get funneled to the broadcast address.

 

That firewall rule works on incoming unicast UDP search requests. It replaces the unicast destination address with the broadcast address to trick the kernel (that gets the message next) into seeing an incoming broadcast message, so that it distributes it to all local processes (CA servers) listening on that port. (And not just to one process, like it would do with incoming unicasts.)

That firewall rule does not reroute or send the messages out; it just replaces (rewrites) a field in the header of incoming messages. It needs to run on the host that is running multiple IOCs.

 

I am running into an issue with my gateway where the gateway is not able to reach all the IOCs but without the gateway it seems to work with the 10 IOCs I have running.  But now I am not so sure its due to the prerouting rule and might be some other magic happening?

 

The differences you are seeing are most likely related to the firewall rule not working properly, while your "direct" CA client is using a different configuration (sending UDP broadcasts) than the client side of the Gateway (sending UDP unicasts).

 

Cheers,
~Ralph