Date: Mon, 27 May 2002 23:57:36 +0200
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: stable@freebsd.org
Subject: Re: 4.6-PRERELASE fxp alias woes
Message-ID: <20020527235736.S1494@shell.gsinet.sittig.org>
In-Reply-To: <19769.1022443789@verdi.nethelp.no>; from sthaug@nethelp.no on Sun, May 26, 2002 at 10:09:49PM +0200
References: <20020526105404.Q1494@shell.gsinet.sittig.org> <19769.1022443789@verdi.nethelp.no>

[ can you *please* leave the attribution intact? it's hard to
recognize after your reply who said what when. this can cause
bad blood, but at least easily leads to misunderstandings after
a few turnarounds or should more people be involved than two. ]

On Sun, May 26, 2002 at 22:09 +0200, sthaug@nethelp.no wrote:
>
> > [ ... ifconfig(8) enforces correct netmasks for aliases ... ]
> >
> > Well, right after sending my first reply I felt that I should
> > have put an example in it. :) Imagine the following setup:
> >
> > ifconfig_fxp0=" inet 192.168.20.120 netmask 255.255.255.0"
> > ifconfig_fxp0_alias0="inet 192.168.30.130 netmask 255.255.255.255"
> >
> > Of course a program can detect that these values "don't fit". But
> > how do you determine if the alias entry's address is wrong or the
> > netmask? Only an admin can, looking at the local topology. Not
> > even human spectators can decide which of the parameters needs
> > correction.
>
> *Why* should the program try to guess anything at all? Only if the
> configuration lines are in conflict should the program try to do
> something - otherwise it should assume that the values are correct.
>
> In this case, 192.168.20.120/24 as the primary address and
> 192.168.30.130/32 as an alias are perfectly fine. No conflict, no
> reason for ifconfig (or the kernel) to try to guess anything.

Excuse me? 192.168.30.130/32 is _not_ inside the 192.168.20.120/24
subnet and thus "something" is wrong here. And a machine (as well
as any human spectator not familiar with the local topology) has a
rather hard time to see which of the two parameters -- address and
netmask -- is wrongly specified.

> [ ... ]
>
> How do the rules I proposed prevent this example? I wrote:
>
> > Very simple. Allow the same netmask as the primary address, *and* /32.
> > Nothing else.
> ...
> > For other subnets (not on the same subnet as the primary address): Let
> > the first alias decide the netmask, complain if further aliases within
> > the same subnet (as specified by the alias of the first netmask) use a
> > different netmask (but allow /32).

But isn't this exactly what the program currently enforces and
what makes people wonder why their previously already broken
setup "suddenly" gets rejected?

BTW do I understand it to be a little wider: The primary config
wants aliases within the same subnet to have a /32 netmask. Plus
should further aliases introduce more subnets all subsequent
aliases inside these subnets should have a /32 netmask, too. ISTR
that the manpage words it this way that one has to provide "non
conflicting netmasks" for the aliases.

[ I get the feeling we both expect the same thing from a machine and
the ifconfig(8) behaviour is fine to most of us and the "discussion"
in this thread is simply a misunderstanding or too quick reading ... ]

> [ ... ]
>
> A further point is that having addresses on the same subnet all use the
> same netmask is more natural than using /32 for the aliases, if you've
> never used an alias before. Having to use /32 breaks POLA.

Yes, I believed this before, too. :) But as long as the current
status is consistent in itself and well documented (I found
references on my 4.3-STABLE system in the ifconfig(8) and
rc.conf(5) manpages as well as /etc/defaults/rc.conf examples,
all within one minute by using the pager's search facility) I
don't have a problem with it. Actually a well defined and known
behaviour is better than any "would be nice to have". :] I don't
know if anybody is keen enough on non /32 netmasks for the aliases
to produce a patch.

And no, I have a hard time to come up with any more complex or
"more intelligent" algorithm than what is currently implemented.
Neither would I like to. Any kind of DWIM makes me dizzy when I
communicate to computers (actually: try to control them). I'd
rather get an error message and a chance to correct things than
have a fuzzy method jump in and try to interpret what I wanted
to do. That's why I keep away from DOS machines.

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
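
The two netmask rules discussed in the message above, written as a small checker. This is an added example, not part of the original e-mail and not ifconfig(8) code; the function name `check_aliases`, the `require_host_mask` switch and the sample address list are constructed for illustration. It implements only the rules as worded in the thread and reports conflicts instead of guessing a correction.

```python
import ipaddress

def check_aliases(entries, require_host_mask=False):
    """Check (address, netmask) pairs, primary address first.

    require_host_mask=False: the rule quoted in the thread; an address inside
    an already defined subnet may repeat that subnet's netmask or use /32.
    require_host_mask=True: the reading given in the reply; such an address
    must use /32.
    Returns a list of (index, reason) tuples; an empty list means no conflict.
    """
    subnets = []   # networks defined by the first non-/32 address seen in each
    problems = []
    for index, (addr, mask) in enumerate(entries):
        iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
        prefix = iface.network.prefixlen
        owner = next((net for net in subnets if iface.ip in net), None)
        if owner is None:
            if prefix != 32:      # a /32 is a host entry and defines no subnet
                subnets.append(iface.network)
            continue
        if prefix == 32:          # /32 is accepted under both rules
            continue
        if require_host_mask:
            problems.append((index, f"{iface.ip} is inside {owner}; alias must use /32"))
        elif prefix != owner.prefixlen:
            problems.append((index, f"{iface.ip} is inside {owner}; use /{owner.prefixlen} or /32"))
    return problems

# Constructed sample: the two rc.conf entries from the thread plus two more aliases.
SAMPLE = [
    ("192.168.20.120", "255.255.255.0"),    # primary, defines 192.168.20.0/24
    ("192.168.30.130", "255.255.255.255"),  # /32 outside the primary subnet
    ("192.168.20.121", "255.255.255.0"),    # same subnet, same netmask
    ("192.168.20.122", "255.255.255.128"),  # same subnet, different netmask
]

if __name__ == "__main__":
    for strict in (False, True):
        print("require_host_mask =", strict)
        for index, reason in check_aliases(SAMPLE, strict):
            print(f"  entry {index}: {reason}")
```
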
