Re: Can't properly restrict IOC CA server to an interface

[Jure Varlec via Tech-talk <tech-talk at aps.anl.gov>]

Hi Michael,

> Binding a socket to a specific interface doesn't always work so well
> when that interface disappears and reappears.  You mention "wifi" and
> "after a reboot or several", this makes me wonder if your network
> interface(s) are being deleted and recreated.

I agree that could be a problem if the IOC would be started during boot.

But it is not. This is my development system and I'm starting the IOC

manually, after all the interfaces are already set up. So I don't think this

is it, or at least, I don't see how it could be.

I brought out the debugger and dug into the code today. The socket is

bound, so I don't see why a "random" source address would be chosen

by the OS. I went a step further and extended cas_send_dg_msg(): I

replaced sendto() with sendmsg(), adding ancillary message data

via IP_PKTINFO socket option in order to override the source address.

It "works", in the sense that if I use a non-existent address, the sending

fails. However, if I use a valid source address, the IP header will contain

the address of the WiFi interface instead.

This is totally bizarre. I'm now convinced that the OS is rewriting the

address after the packet leaves the IOC, but I don't know how or why.

I quote the relevant part of systemd-networkd config below if anyone

has experience with a similar setup. I don't see anything special. Is it

possible that a bridge interface with an IP behaves differently than

a physical interface? AFAIK, assigning an IP address to a bridge is

standard practice and recommended, but I could be mistaken.

Best,

Jure

==> 20-machines.netdev <==
[Match]
Host=*

[NetDev]
Kind=bridge
Name=machines


==> 20-machines.network <==
[Match]
Name=machines

[Network]
Address=10.1.1.1/24
DHCPServer=true
IPForward=true
IPMasquerade=true

[DHCPServer]
DNS=10.1.1.1
EmitDNS=true
PoolOffset=128
PoolSize=100