Subject: Re: Flag to exclude an interface from INADDR_ANY?
To: None <tech-net@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 01/02/2002 11:55:34
> Many daemons, including named, sshd, and sendmail, can be explicitly
> given a set of interfaces to listen on. [...]
> Other daemons, including those mentioned, can only listen on
> INADDR_ANY. At this point, there is _no_ way to prevent them from
> listening on an outside interface. This would be addressed by the
> new flag.
Surely the right place to address this is the offending daemons, not by
having the OS trying to hide some interfaces from them! (And worse,
not just from them, but from everyone, and in a really peculiar sense.)
It does occur to me that what you really want here is the ability to
specify a subset (not necessarily a proper subset) of the machine's
addresses that INADDR_ANY listens to, preferably per-process (maybe
even per-socket, though there's no obvious way to name sockets outside
the context of a specific process). Marking interfaces is almost
certainly not the right way to deal with this; if nothing else, it does
not permit any control over interfaces that may appear in the future.
Perhaps more importantly, it is the Wrong Thing if an interface has
both an address that should be listened on and an address that
shouldn't; you really want it per-address, not per-interface.
IOW, while it may be a good enough fix for your environment, and as
such may be a right thing for you, I would argue it is not generally
enough Right to go into the tree.
/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse@rodents.montreal.qc.ca
/ \ Email!           7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
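The daemon-side fix the reply argues for, as an added example that is not part of the thread: a listener that binds only the concrete addresses it is configured with (never a wildcard unless literally asked), plus a check that reports what a socket actually ended up bound to. Function names and the sample addresses are the example's own.

```c
/* Per-address listening instead of INADDR_ANY, using only POSIX socket calls.
 * bind_listener() and bound_is_wildcard() are names made up for this example. */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on exactly one address/port taken from configuration.
 * Returns the listening fd, or -1 on failure. port "0" lets the kernel pick. */
int bind_listener(const char *addr, const char *port)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;          /* IPv4 or IPv6, as written in config */
    hints.ai_socktype = SOCK_STREAM;
    /* Numeric only: the admin names a specific address, no DNS, and the
     * wildcard is bound only if "0.0.0.0" or "::" is spelled out. */
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;

    if (getaddrinfo(addr, port, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;
        if (bind(fd, ai->ai_addr, ai->ai_addrlen) == 0 && listen(fd, 16) == 0)
            break;                        /* bound to this one address only */
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

/* Write the address fd is really bound to into buf (numeric form).
 * Returns 1 if it is a wildcard (INADDR_ANY / in6addr_any), 0 if not, -1 on error.
 * Useful as a startup self-check before a daemon drops privileges. */
int bound_is_wildcard(int fd, char *buf, size_t buflen)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;

    if (getsockname(fd, (struct sockaddr *)&ss, &len) != 0)
        return -1;
    if (getnameinfo((struct sockaddr *)&ss, len, buf, buflen,
                    NULL, 0, NI_NUMERICHOST) != 0)
        return -1;
    return strcmp(buf, "0.0.0.0") == 0 || strcmp(buf, "::") == 0;
}
```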