Date: Mon, 27 May 2002 23:57:36 +0200
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: stable@freebsd.org
Subject: Re: 4.6-PRERELASE fxp alias woes
Message-ID: <20020527235736.S1494@shell.gsinet.sittig.org>
In-Reply-To: <19769.1022443789@verdi.nethelp.no>; from sthaug@nethelp.no on Sun, May 26, 2002 at 10:09:49PM +0200
References: <20020526105404.Q1494@shell.gsinet.sittig.org> <19769.1022443789@verdi.nethelp.no>

[ can you *please* leave the attribution intact?  it's hard to
  recognize after your reply who said what when.  this can cause
  bad blood, but at least easily leads to misunderstandings after
  a few turnarounds or should more people be involved than two. ]

On Sun, May 26, 2002 at 22:09 +0200, sthaug@nethelp.no wrote:
> > > [ ... ifconfig(8) enforces correct netmasks for aliases ... ]
> >
> > Well, right after sending my first reply I felt that I should
> > have put an example in it. :)  Imagine the following setup:
> >
> > ifconfig_fxp0=" inet 192.168.20.120 netmask 255.255.255.0"
> > ifconfig_fxp0_alias0="inet 192.168.30.130 netmask 255.255.255.255"
> >
> > Of course a program can detect that these values "don't fit".  But
> > how do you determine if the alias entry's address is wrong or the
> > netmask?  Only an admin can, looking at the local topology.  Not
> > even human spectators can decide which of the parameters needs
> > correction.
>
> *Why* should the program try to guess anything at all? Only if the
> configuration lines are in conflict should the program try to do
> something - otherwise it should assume that the values are correct.
>
> In this case, 192.168.20.120/24 as the primary address and
> 192.168.30.130/32 as an alias are perfectly fine. No conflict, no
> reason for ifconfig (or the kernel) to try to guess anything.

Excuse me?  192.168.30.130/32 is _not_ inside the
192.168.20.120/24 subnet and thus "something" is wrong here.  And
a machine (as well as any human spectator not familiar with the
local topology) has a rather hard time to see which of the two
parameters -- address and netmask -- is wrongly specified.

> [ ... ]
>
> How do the rules I proposed prevent this example? I wrote:
>
> > Very simple. Allow the same netmask as the primary address, *and* /32.
> > Nothing else.
> ...
> > For other subnets (not on the same subnet as the primary address): Let
> > the first alias decide the netmask, complain if further aliases within
> > the same subnet (as specified by the alias of the first netmask) use a
> > different netmask (but allow /32).

But isn't this exactly what the program currently enforces and
what makes people wonder why their previously already broken
setup "suddenly" gets rejected?

BTW do I understand it to be a little wider:  The primary config
wants aliases within the same subnet to have a /32 netmask.  Plus
should further aliases introduce more subnets all subsequent
aliases inside these subnets should have a /32 netmask, too.
ISTR that the manpage words it this way that one has to provide
"non conflicting netmasks" for the aliases.

[ I get the feeling we both expect the same thing from a machine
  and the ifconfig(8) behaviour is fine to most of us and the
  "discussion" in this thread is simply a misunderstanding or too
  quick reading ... ]

> [ ... ]
>
> A further point is that having addresses on the same subnet all use the
> same netmask is more natural than using /32 for the aliases, if you've
> never used an alias before. Having to use /32 breaks POLA.

Yes, I believed this before, too. :)  But as long as the current
status is consistent in itself and well documented (I found
references on my 4.3-STABLE system in the ifconfig(8) and
rc.conf(5) manpages as well as /etc/defaults/rc.conf examples,
all within one minute by using the pager's search facility) I
don't have a problem with it.  Actually a well defined and known
behaviour is better than any "would be nice to have". :]

I don't know if anybody is keen enough on non /32 netmasks for
the aliases to produce a patch.  And no, I have a hard time to
come up with any more complex or "more intelligent" algorithm
than what is currently implemented.  Neither would I like to.
Any kind of DWIM makes me dizzy when I communicate to computers
(actually: try to control them).  I'd rather get an error message
and a chance to correct things than have a fuzzy method jump in
and try to interpret what I wanted to do.  That's why I keep away
from DOS machines.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
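
The netmask rule quoted in the message above (inside a known subnet only that subnet's netmask or /32 is accepted; the first alias in a new subnet decides its netmask), written out as an added Python example. It is not part of the thread and not ifconfig(8)'s code; the function names are made up for this example, and it follows the literal wording of the quoted rule.

```python
import ipaddress

def parse_inet(value):
    """Turn an rc.conf-style 'inet ADDR netmask MASK' string into an IPv4Interface."""
    words = value.split()
    addr = words[words.index("inet") + 1]
    mask = words[words.index("netmask") + 1]
    if mask.lower().startswith("0x"):          # ifconfig(8) also accepts hex masks
        mask = str(ipaddress.IPv4Address(int(mask, 16)))
    return ipaddress.ip_interface(f"{addr}/{mask}")

def check_aliases(primary, aliases):
    """Apply the rule quoted in the thread; return [(alias_value, reason), ...].

    - inside an already known subnet: only that subnet's netmask or /32 is allowed
    - outside every known subnet: the first alias there decides the netmask
    """
    known = [parse_inet(primary).network]      # subnets in the order they were defined
    complaints = []
    for value in aliases:
        iface = parse_inet(value)
        owner = next((net for net in known if iface.ip in net), None)
        if owner is None:
            known.append(iface.network)        # first alias in a new subnet
        elif iface.network.prefixlen not in (32, owner.prefixlen):
            complaints.append((value, f"/{iface.network.prefixlen} conflicts with {owner}"))
    return complaints

# PRIMARY and the first alias are the setup from the message; the rest are constructed.
PRIMARY = "inet 192.168.20.120 netmask 255.255.255.0"
ALIASES = [
    "inet 192.168.30.130 netmask 255.255.255.255",  # new subnet, decides its own mask
    "inet 192.168.20.121 netmask 255.255.255.255",  # /32 inside primary subnet: allowed
    "inet 192.168.20.122 netmask 255.255.255.0",    # same mask as primary: allowed
    "inet 192.168.20.123 netmask 255.255.0.0",      # /16 inside a /24: complaint
    "inet 10.0.0.1 netmask 0xffffff00",             # first alias in 10.0.0.0/24
    "inet 10.0.0.2 netmask 255.255.255.128",        # /25 inside that /24: complaint
]

if __name__ == "__main__":
    for value, reason in check_aliases(PRIMARY, ALIASES):
        print(f"rejected: {value!r}: {reason}")
```

Under this rule the 192.168.30.130/32 alias from the message is accepted as the first address of a new subnet; the check cannot tell whether its address or its netmask was the intended one.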