LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Willy Tarreau <w@1wt.eu>
To: Nebojsa Miljanovic <neb@alcatel-lucent.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>,
	linux-kernel@vger.kernel.org, "Kittlitz,
	Edward (Ned)" <nkittlitz@alcatel-lucent.com>,
	asweeney@alcatel-lucent.com, "Polhemus,
	William (Bart)" <bpolhemus@alcatel-lucent.com>
Subject: Re: SO_REUSEADDR not allowing server and client to use same port
Date: Tue, 18 Mar 2008 06:48:19 +0100	[thread overview]
Message-ID: <20080318054819.GE13012@1wt.eu> (raw)
In-Reply-To: <47DEB5B9.4030905@alcatel-lucent.com>

On Mon, Mar 17, 2008 at 01:17:29PM -0500, Nebojsa Miljanovic wrote:
> OK. I see. So, it would have to be some malicious application running together
> with the server (i.e. on the same CPU). I do see now why you said it would be
> very very hard to make this happen.
> 
> Still, it would be nice to introduce SO_REUSEPORT socket options so secure
> servers (who happen to be clients as well) can re-use ports when necessary.
> 
> Another option would be to check if port re-use is happening inside same
> application and allow it. That may make half of the folks happy, so I am not
> sure if I like it as much as I like SO_REUSEPORT option.

It is most often useful for hot-restart without interrupting service.
As an example, when I update a config in haproxy, I restart a new instance
which does everything and binds to the ports, and then signals the old one
it may go. That way, there is a complete continuity of service. This is
possible by default on *BSD, and with a (very) little patch on linux.

And I agree with Alan about the security implications. If a service binds
itself with SO_REUSEPORT, it definitely says "I agree to share my connection".
So this is not to be used by default in any random application. But for
servers, it's really useful.

Willy


  reply	other threads:[~2008-03-18  5:51 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-02-28 18:15 Nebojsa Miljanovic
2008-02-28 18:30 ` Phil Oester
2008-02-28 20:19 ` Alan Cox
2008-02-28 20:41   ` Willy Tarreau
2008-03-13 19:18   ` Nebojsa Miljanovic
2008-03-15 13:34     ` Alan Cox
2008-03-17 16:43       ` Nebojsa Miljanovic
2008-03-17 17:30         ` Alan Cox
2008-03-17 18:17           ` Nebojsa Miljanovic
2008-03-18  5:48             ` Willy Tarreau [this message]
2008-02-28 20:36 ` Willy Tarreau
2008-02-28 20:44   ` Nebojsa Miljanovic

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080318054819.GE13012@1wt.eu \
    --to=w@1wt.eu \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=asweeney@alcatel-lucent.com \
    --cc=bpolhemus@alcatel-lucent.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=neb@alcatel-lucent.com \
    --cc=nkittlitz@alcatel-lucent.com \
    --subject='Re: SO_REUSEADDR not allowing server and client to use same port' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).