
MC SG and package network address

 
Andrei Petrov
Advisor


Hi,

I've got a MC/SG cluster and a package running on it. Nodes have addresses 1.1.1.2 and 1.1.1.3. Package has address 1.1.1.10.

#netstat -ni
lan1:1 1500 1.1.1.0 1.1.1.10
lan1 1500 1.1.1.0 1.1.1.2

When I add the route I need, it looks like

#netstat -nr
9.2.4.10 1.1.1.13 UGH 0 lan1 0

I have to make this package accessible through the router with source address filtering.
But IP packets come to the firewall with the lan1 (1.1.1.2) source address. Sure, I should keep the package accessible after a package switch. The easiest solution I've found is to add the second node to the router allow-list. Well, it works, but is it possible to configure the route through lan1:1 and send the package address as the source address in the packet, to be sure that incoming packets can't reach a node when the package is not running on it?

John Palmer
Honored Contributor

Re: MC SG and package network address

Hi,

This is an application issue and is down to the way the app binds to an IP address.

Many apps, e.g. Apache, Oracle listener etc., can be configured to bind to the service address, and outgoing packets will have the service address as the source.

Standard apps (such as ftpd etc) bind to the general non-specific address INADDR_ANY. Outgoing packets from these will have the lanx:0 address as the source.

You can check the binding with netstat -an|grep ".*LISTEN" - an *. indicates that it's bound to INADDR_ANY.

Regards,
John
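
The binding check from the reply above, as an added example that is not part of the original thread: it classifies each TCP listener in `netstat -an` output as bound to INADDR_ANY, to the package address, or to another address. The sample lines are constructed, the column layout (local address as `addr.port` in the fourth field) is an assumption about the netstat output, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify TCP listeners by the address they are bound to.
# Assumption: local address is field 4, written as addr.port
# (for example 1.1.1.10.1521 or *.21).

# Constructed sample of `netstat -an` output for the node in the thread.
sample_netstat() {
cat <<'EOF'
tcp        0      0  *.21                   *.*                     LISTEN
tcp        0      0  1.1.1.10.1521          *.*                     LISTEN
tcp        0      0  1.1.1.2.8080           *.*                     LISTEN
tcp        0      0  1.1.1.2.22             9.2.4.10.40112          ESTABLISHED
EOF
}

# classify_listeners PKG_IP
# Reads netstat -an on stdin and prints "<class> <port> <local address>":
#   WILDCARD  bound to INADDR_ANY, so it answers on every local address,
#             stationary and relocatable alike
#   PACKAGE   bound to the relocatable package address only
#   OTHER     bound to some other specific address (e.g. the stationary one)
classify_listeners() {
    awk -v pkg="$1" '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        laddr = $4
        n = split(laddr, parts, "[.]")      # last dot-separated piece is the port
        port = parts[n]
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (addr == "*")       class = "WILDCARD"
        else if (addr == pkg)  class = "PACKAGE"
        else                   class = "OTHER"
        print class, port, laddr
    }'
}

# count_class CLASS PKG_IP: number of listeners in the given class (stdin).
count_class() {
    classify_listeners "$2" | awk -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# Run against the constructed sample with the package address 1.1.1.10.
sample_netstat | classify_listeners 1.1.1.10
```

On a live node, pipe the real output in instead: `netstat -an | classify_listeners 1.1.1.10`.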
Dietmar Konermann
Honored Contributor

Re: MC SG and package network address

It is correct that outgoing traffic of applications which bind() to INADDR_ANY is usually not going through the relocatable IP address... instead it usually uses the stationary IP as source IP address.

But only usually. In fact, beginning with HP-UX 10.30 it is the routing table that determines the outgoing interface.

By adding host routes through your relocatable IP you can easily force specific outgoing traffic to use it. You could also remove the routes through the stationary IP. Of course it needs to be re-added when the relocatable address is removed during package halt.

But you need to be careful! It is a MUST not to change any route used by heartbeat traffic!

To be honest, I would definitely prefer a longer "allow-list" instead of playing around with the routing.

Regards...
Dietmar.
"Logic is the beginning of wisdom; not the end." -- Spock (Star Trek VI: The Undiscovered Country)