Anand Buddhdev
2017-Dec-13 09:23 UTC
[nsd-users] Wrong source IP for reply if 'ip-address' is not specified
On 13/12/2017 10:01, Alarig Le Lay wrote:

Hi Alarig,

> If I don't specify the IP addresses on which NSD should bind, the IP
> address used for the reply is the one attached to interface instead of
> the one the request is destined.

This is normal behaviour. On a server with multiple interfaces and
addresses, it is best if you explicitly specify all the addresses to
which NSD should bind.

Regards,
Anand Buddhdev
RIPE NCC
Alarig Le Lay
2017-Dec-13 09:37 UTC
[nsd-users] Wrong source IP for reply if 'ip-address' is not specified
Hi Anand,

On mer. 13 déc. 10:23:54 2017, Anand Buddhdev wrote:
> On 13/12/2017 10:01, Alarig Le Lay wrote:
>
> Hi Alarig,
>
> > If I don't specify the IP addresses on which NSD should bind, the IP
> > address used for the reply is the one attached to interface instead of
> > the one the request is destined.
>
> This is normal behaviour. On a server with multiple interfaces and
> addresses, it is best if you explicitly specify all the addresses to
> which NSD should bind.
>
> Regards,
> Anand Buddhdev
> RIPE NCC

Thanks for your clarification, I will add a note to my article then.

--
alarig
Paul Wouters
2017-Dec-13 21:26 UTC
[nsd-users] Wrong source IP for reply if 'ip-address' is not specified
On Wed, 13 Dec 2017, Anand Buddhdev wrote:

>> If I don't specify the IP addresses on which NSD should bind, the IP
>> address used for the reply is the one attached to interface instead of
>> the one the request is destined.
>
> This is normal behaviour. On a server with multiple interfaces and
> addresses, it is best if you explicitly specify all the addresses to
> which NSD should bind.

We have a different opinion on what is "normal behaviour". I believe the
normal behaviour is to reply using the IP address you received the
packet from, eg using:

    err = setsockopt(s, SOL_IP, IP_PKTINFO, &opt, sizeof(opt));

or

    err = setsockopt(s, IPPROTO_IP, IP_RECVDSTADDR, &opt, sizeof(opt));

For example:
https://github.com/libreswan/libreswan/blob/master/programs/pluto/udpfromto.c

I assumed nsd would do this....

Paul
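
The IP_PKTINFO approach mentioned in the last message, as an added example (not part of the thread, and not code from NSD or libreswan): a wildcard-bound Linux IPv4 UDP socket reads each datagram's destination address with recvmsg() and sets it as the reply's source through ipi_spec_dst. The function names and the loopback check are constructed for illustration; the check assumes Linux, where all of 127.0.0.0/8 is local.

```c
#define _GNU_SOURCE                 /* exposes struct in_pktinfo on glibc */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* UDP socket bound to 0.0.0.0 on an ephemeral port, with IP_PKTINFO enabled. */
int open_wildcard_udp(void) {
    int s = socket(AF_INET, SOCK_DGRAM, 0), opt = 1;
    struct sockaddr_in any = { .sin_family = AF_INET };
    if (s < 0) return -1;
    if (setsockopt(s, IPPROTO_IP, IP_PKTINFO, &opt, sizeof(opt)) < 0 ||
        bind(s, (struct sockaddr *)&any, sizeof(any)) < 0) { close(s); return -1; }
    return s;
}
/* Receive one datagram and echo it back from the address it was sent to. */
int echo_from_dst(int s) {
    char buf[512];
    union { struct cmsghdr h; char b[CMSG_SPACE(sizeof(struct in_pktinfo))]; } cb;
    struct sockaddr_in peer;
    struct iovec iov = { buf, sizeof(buf) };
    struct msghdr m = { .msg_name = &peer, .msg_namelen = sizeof(peer), .msg_iov = &iov,
                        .msg_iovlen = 1, .msg_control = cb.b, .msg_controllen = sizeof(cb.b) };
    ssize_t n = recvmsg(s, &m, 0);
    struct cmsghdr *c = n < 0 ? NULL : CMSG_FIRSTHDR(&m);
    if (!c || c->cmsg_level != IPPROTO_IP || c->cmsg_type != IP_PKTINFO) return -1;
    struct in_pktinfo pi;
    memcpy(&pi, CMSG_DATA(c), sizeof(pi));
    pi.ipi_spec_dst = pi.ipi_addr;   /* reply source = destination of the query */
    pi.ipi_ifindex = 0;              /* leave interface selection to routing */
    memcpy(CMSG_DATA(c), &pi, sizeof(pi));
    iov.iov_len = (size_t)n;         /* same msghdr: peer address + edited pktinfo */
    return sendmsg(s, &m, 0) < 0 ? -1 : 0;
}
/* Constructed loopback check: query dst_ip, return the reply's source (0 on error). */
in_addr_t reply_source_for(const char *dst_ip) {
    struct sockaddr_in to, from;
    socklen_t tl = sizeof(to), fl = sizeof(from);
    char b[8];
    int srv = open_wildcard_udp(), cli = socket(AF_INET, SOCK_DGRAM, 0);
    int ok = srv >= 0 && cli >= 0 && getsockname(srv, (struct sockaddr *)&to, &tl) == 0;
    if (ok) to.sin_addr.s_addr = inet_addr(dst_ip);   /* keep the server's port */
    ok = ok && sendto(cli, "q", 1, 0, (struct sockaddr *)&to, sizeof(to)) == 1 &&
         echo_from_dst(srv) == 0 &&
         recvfrom(cli, b, sizeof(b), 0, (struct sockaddr *)&from, &fl) == 1;
    close(srv); close(cli);
    return ok ? from.sin_addr.s_addr : 0;
}
```

Without the ipi_spec_dst step, the kernel picks the reply's source from the route back to the client, which is the mismatch the original poster described.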