Re: corosync udpu mystery ports

Jan Friesse <jfriesse@xxxxxxxxxx> · Mon, 14 May 2012 17:47:51 +0200

Bryan,
these ports are used only for sending so they don't need to be opened 
for incoming packets (only for outgoing). If this is problem (you have 
security rules to block also incoming packets) we can probably use only 
one socket.

Honza

Bryan Bartone napsal(a):
Thanks for the reply.  Is there any way to predict what additional ports will be opened?   Without that, we would be forced to have a more open firewall policy than we would like?  Another solution would be to make the opening of additional ports an feature we could turn off.

-----Original Message-----
From: Steven Dake [mailto:sdake@xxxxxxxxxx]
Sent: Monday, May 14, 2012 9:24 AM
To: Bryan Bartone
Cc: discuss@xxxxxxxxxxxx
Subject: Re:  corosync udpu mystery ports

On 05/08/2012 07:22 AM, Bryan Bartone wrote:
Hi Steven -

Thanks for the response.   These are definitely not unix domain sockets:

udp        0      0 0.0.0.0:60174               0.0.0.0:*                               16198/corosync
udp        0      0 0.0.0.0:49193               0.0.0.0:*                               16198/corosync
udp        0      0 192.168.40.19:694           0.0.0.0:*                               16198/corosync
udp        0      0 192.168.10.19:694           0.0.0.0:*                               16198/corosync
udp        0      0 0.0.0.0:34366               0.0.0.0:*                               16198/corosync
udp        0      0 0.0.0.0:35409               0.0.0.0:*                               16198/corosync

Here is the related  corosync config section:

interface {
         member {
                 memberaddr: 192.168.10.20
         }
         member {
                 memberaddr: 192.168.10.19
         }
         ringnumber: 0
         bindnetaddr: 192.168.10.0
         mcastport: 694
         ttl: 1
}
interface {
         member {
                 memberaddr: 192.168.40.220
         }
         member {
                 memberaddr: 192.168.40.19
         }
         ringnumber: 1
         bindnetaddr: 192.168.40.0
         mcastport: 694
         ttl: 1
}
transport: udpu
rrp_mode: passive

-----Original Message-----
From: Steven Dake [mailto:sdake@xxxxxxxxxx]
Sent: Tuesday, May 01, 2012 11:22 AM
To: Bryan Bartone
Cc: discuss@xxxxxxxxxxxx
Subject: Re:  corosync udpu mystery ports

On 05/01/2012 08:10 AM, Bryan Bartone wrote:
First, thanks for taking the time to read this email.  I am using
corosync and pacemaker on a security appliance we manufacture.  I am
running udpu mode.  I see that for each interface I define, there is
a udp listening socket using the mcastport I defined in corosync.conf
and two other ephemeral listening ports.  The mcastaddr port is bound
to the interface I defined in corosync.conf.  The ephemeral ports are bound to
all interfaces.   I would like to know what the purpose of those ports
are, and why they are bound to 0.0.0.0.  Thanks.

Thanks to Honza for sorting this out:

UDPU mode creates a socket descriptor per node in the configuration.
The reason it does this is to avoid overloading one socket file descriptor under heavy load conditions.  I believe the bug you see is that these sockets _should_ be bound to the bindnetaddr, rather then ANY.

Regards
-steve

_______________________________________________
discuss mailing list
discuss@xxxxxxxxxxxx
http://lists.corosync.org/mailman/listinfo/discuss

Probably a bug (udpu is a new feature).  There should be one port for incoming packets and one port for outgoing packets, all bound to the proper interface.  One of the listening ports may be a unix domain socke (used to setup shared memory ipc)t, are you sure that isn't the case?

_______________________________________________
discuss mailing list
discuss@xxxxxxxxxxxx
http://lists.corosync.org/mailman/listinfo/discuss

_______________________________________________
discuss mailing list
discuss@xxxxxxxxxxxx
http://lists.corosync.org/mailman/listinfo/discuss