public inbox for netdev@vger.kernel.org
* assigning an entire subnet of addresses to an interface
From: David Madore @ 2013-02-03 20:51 UTC (permalink / raw)
  To: Linux Netdev Mailing-List

Dear list,

Is there a way to assign an entire subnet of (typically IPv6)
addresses to an interface?  For example, I'd like to assign the entire
2001:db8:f00f::/48 prefix to eth42 without actually running 2^80
separate "ip addr add" commands.

I'm aware that (with sufficiently recent kernels) one can do this:

ip -6 route add local 2001:db8:f00f::/48 dev lo

- which will cause packets received for any address in this subnet to
be handled locally.  But that doesn't really answer my question,
because this does not allow local processes to bind to any desired
address in the subnet (e.g., running "socat
'TCP6-LISTEN:9876,bind=[2001:db8:f00f::3141:5926]'" fails with
EADDRNOTAVAIL).

Now apparently Linux _does_ have features which allow a process to
bind to any desired address in a subnet, since this is the case for
the IPv4 127.0.0.0/8 standard loopback (I can run "socat
'TCP-LISTEN:9876,bind=[127.1.2.3]' -" without error).  In a naïve
move, I tried to reproduce the output of ip addr show for the
127.0.0.0/8 subnet as input, but failed (there's an extra word "lo" in
the output that ip does not allow back as input).  Is this because
this subnet is really magical to the kernel, or because ip input
parsing is incomplete, or for some other reason?

If the feature is not presently available in Linux, is there some hope
that it eventually will be?  How hard would it be to add it?

Thanks in advance,

-- 
     David A. Madore
   ( http://www.madore.org/~david/ )


* RE: assigning an entire subnet of addresses to an interface
From: Lukas Tribus @ 2013-02-03 21:45 UTC (permalink / raw)
  To: david+ml, netdev


The feature you are looking for is called "Transparent proxy support" or
TPROXY, and is in the kernel since 2.6.28.

This allows an application to bind to any address and handle that traffic.

One of the applications supporting this feature is HAproxy:
http://cbonte.github.com/haproxy-dconv/configuration-1.5.html#5-transparent







* Re: assigning an entire subnet of addresses to an interface
From: David Madore @ 2013-02-03 22:00 UTC (permalink / raw)
  To: netdev; +Cc: Lukas Tribus

On Sun, Feb 03, 2013 at 10:45:45PM +0100, Lukas Tribus wrote:
> The feature you are looking for is called "Transparent proxy support" or
> TPROXY, and is in the kernel since 2.6.28.
> 
> This allows an application to bind to any address and handle that traffic.

This is indeed interesting, and I'm glad you pointed out this
possibility, because it had escaped my radar.  (Note that there are
two slightly different things, though: the TPROXY iptables/ip6tables
target which redirects packets to a local socket, and the IP-level
IP_TRANSPARENT socket option which allows a user application to bind
to an arbitrary address.  The latter is closer to what I was asking.)

However, this still does not really answer my question: to bind to
127.1.2.3 one does not need to do a prior setsockopt(fd, SOL_IP,
IP_TRANSPARENT, &1), so the kernel does seem to have a way to say "for
this entire subnet, it will be possible to bind to any address without
doing anything special".

Happy hacking,

-- 
     David A. Madore
   ( http://www.madore.org/~david/ )


* Re: assigning an entire subnet of addresses to an interface
From: David Madore @ 2013-02-03 22:35 UTC (permalink / raw)
  To: netdev; +Cc: Lukas Tribus

On Sun, Feb 03, 2013 at 11:00:57PM +0100, David Madore wrote:
> This is indeed interesting, and I'm glad you pointed out this
> possibility, because it had escaped my radar.  (Note that there are
> two slightly different things, though: the TPROXY iptables/ip6tables
> target which redirects packets to a local socket, and the IP-level
> IP_TRANSPARENT socket option which allows a user application to bind
> to an arbitrary address.  The latter is closer to what I was asking.)

Another related and interesting IP-level socket option is IP_FREEBIND.
I suppose the difference between IP_FREEBIND and IP_TRANSPARENT is that
the former does not cause any routing changes, but the net effect is
that, after the "ip -6 route add local 2001:db8:f00f::/48 dev lo"
command that I had contemplated, binding with IP_FREEBIND does allow
the socket to obtain packets destined to an arbitrary address inside
the subnet.  Without requiring administrator privileges (of course,
they are required to run the ip route command).

But I'd still be happier if there were some way that required
absolutely no modification on the userland side after a few
administrative commands to make the prefix available.

-- 
     David A. Madore
   ( http://www.madore.org/~david/ )
