Undocumented Erlang cluster feature: IP subnet restriction
October 1st, 2011
Original article; when reposting, please credit: reposted from 系统技术非业余研究
Permalink: Undocumented Erlang cluster feature: IP subnet restriction
Communication between two nodes in an Erlang cluster runs over a single long-lived TCP connection, and the cluster is fully meshed: once the cookie check passes, any node gains access to the entire cluster (see the earlier post Erlang分布的核心技术浅析, a short analysis of Erlang distribution internals).
Erlang's authorization model was deliberately kept this simple, but in real-world use it still poses security problems. As the next best thing, we can apply an IP subnet restriction. Erlang already has this feature; it simply is not documented.
Let's look at the code:
inet_tcp_dist.erl:L157
    do_accept(Kernel, AcceptPid, Socket, MyNode, Allowed, SetupTime) ->
        receive
            {AcceptPid, controller} ->
                Timer = dist_util:start_timer(SetupTime),
                %% The peer address is checked before the handshake starts.
                case check_ip(Socket) of
                    true ->
                        ...
                        dist_util:handshake_other_started(HSData);
                    {false,IP} ->
                        error_msg("** Connection attempt from "
                                  "disallowed IP ~w ** ~n", [IP]),
                        ?shutdown(no_node)
                end
        end.

    %% ------------------------------------------------------------
    %% Only active when the kernel env var check_ip is set to true.
    check_ip(Socket) ->
        case application:get_env(check_ip) of
            {ok, true} ->
                case get_ifs(Socket) of
                    {ok, IFs, IP} ->
                        check_ip(IFs, IP);
                    _ ->
                        ?shutdown(no_node)
                end;
            _ ->
                true
        end.

    %% Collect the peer address and the local interface list
    %% ([{OwnIP, Broadcast, Netmask}]).
    get_ifs(Socket) ->
        case inet:peername(Socket) of
            {ok, {IP, _}} ->
                case inet:getif(Socket) of
                    {ok, IFs} -> {ok, IFs, IP};
                    Error -> Error
                end;
            Error ->
                Error
        end.

    %% Accept the peer if it lies in the subnet of any local interface,
    %% i.e. peer and interface address agree under that interface's netmask.
    check_ip([{OwnIP, _, Netmask}|IFs], PeerIP) ->
        case {mask(Netmask, PeerIP), mask(Netmask, OwnIP)} of
            {M, M} -> true;
            _ -> check_ip(IFs, PeerIP)
        end;
    check_ip([], PeerIP) ->
        {false, PeerIP}.

    mask({M1,M2,M3,M4}, {IP1,IP2,IP3,IP4}) ->
        {M1 band IP1, M2 band IP2, M3 band IP3, M4 band IP4}.
This feature is switched on with -kernel check_ip true.
Now let's try it out. In one terminal, start:
    $ erl -kernel check_ip true -name x@127.0.0.1
    Erlang R14B04 (erts-5.8.5) [source] [smp:2:2] [rq:2] [async-threads:0] [hipe] [kernel-poll:false]

    Eshell V5.8.5  (abort with ^G)
    (x@127.0.0.1)1> dbg:tracer().
    {ok,<0.39.0>}
    (x@127.0.0.1)2> dbg:p(all,c).
    {ok,[{matched,'x@127.0.0.1',32}]}
    (x@127.0.0.1)3> dbg:tpl(inet_tcp_dist,check_ip, [{'_', [], [{return_trace}]}]).
    {ok,[{matched,'x@127.0.0.1',2},{saved,1}]}
    (x@127.0.0.1)4> dbg:tpl(inet_tcp_dist,check_ip, [{'_', [], [{return_trace}]}])
    (<0.44.0>) call inet_tcp_dist:check_ip(#Port<0.623>)
    (<0.44.0>) call inet_tcp_dist:check_ip([{{172,16,64,1},{172,16,64,255},{255,255,255,0}},
     {{172,16,213,1},{172,16,213,255},{255,255,255,0}},
     {{192,168,1,3},{192,168,1,255},{255,255,255,0}},
     {{127,0,0,1},undefined,{255,0,0,0}}],{127,0,0,1})
    (<0.44.0>) call inet_tcp_dist:check_ip([{{172,16,213,1},{172,16,213,255},{255,255,255,0}},
     {{192,168,1,3},{192,168,1,255},{255,255,255,0}},
     {{127,0,0,1},undefined,{255,0,0,0}}],{127,0,0,1})
    (<0.44.0>) call inet_tcp_dist:check_ip([{{192,168,1,3},{192,168,1,255},{255,255,255,0}},
     {{127,0,0,1},undefined,{255,0,0,0}}],{127,0,0,1})
    (<0.44.0>) call inet_tcp_dist:check_ip([{{127,0,0,1},undefined,{255,0,0,0}}],{127,0,0,1})
    (<0.44.0>) returned from inet_tcp_dist:check_ip/2 -> true
    (<0.44.0>) returned from inet_tcp_dist:check_ip/2 -> true
    (<0.44.0>) returned from inet_tcp_dist:check_ip/2 -> true
    (<0.44.0>) returned from inet_tcp_dist:check_ip/2 -> true
    (<0.44.0>) returned from inet_tcp_dist:check_ip/1 -> true
In a second terminal, start:
    $ erl -name y@127.0.0.1
    Erlang R14B04 (erts-5.8.5) [source] [smp:2:2] [rq:2] [async-threads:0] [hipe] [kernel-poll:false]

    Eshell V5.8.5  (abort with ^G)
    (y@127.0.0.1)1> net_adm:ping('x@127.0.0.1').
    pong
    (y@127.0.0.1)2>
The trace confirms that the feature is switched on and is doing its job. If a peer fails the IP check, SASL reports the following message:
** Connection attempt from disallowed IP ~w **
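Before enabling check_ip on a production node it helps to know which peers it would reject. The escript below is an added example, not code from this post or from OTP: it re-implements the check_ip/2 netmask rule above and runs it either against the constructed interface list seen in the trace (default) or, with the argument live, against this host's real interfaces via inet:getif/0. Note what the rule does and does not give you: only peers on a directly attached subnet pass, there is no separate allowlist, and the /8 netmask on the loopback interface admits any 127.x.x.x address.

```erlang
#!/usr/bin/env escript
%% Preflight for "-kernel check_ip true": applies the same netmask rule as
%% inet_tcp_dist:check_ip/2 to candidate peer addresses and reports which
%% ones this host would reject. (Added example, not code from the post/OTP.)
%% Usage: escript check_ip_preflight.erl              -> sample data below
%%        escript check_ip_preflight.erl live 10.0.0.5 192.168.1.77

main(["live" | Addrs]) ->
    {ok, IFs} = inet:getif(),             %% [{OwnIP, Broadcast, Netmask}]
    run(IFs, [element(2, inet:parse_ipv4_address(A)) || A <- Addrs]);
main(_) ->
    run(sample_ifs(), sample_peers()).

run(IFs, Peers) ->
    [io:format("~-16s ~s~n", [inet:ntoa(P), verdict(IFs, P)]) || P <- Peers],
    ok.

verdict(IFs, Peer) ->
    case check_ip(IFs, Peer) of
        true       -> "allowed";
        {false, _} -> "rejected (** Connection attempt from disallowed IP **)"
    end.

%% Same rule as OTP: accept if, for some local interface, peer and interface
%% address agree under that interface's netmask; no other allowlist exists.
check_ip([{OwnIP, _Bcast, Netmask} | IFs], PeerIP) ->
    case mask(Netmask, PeerIP) =:= mask(Netmask, OwnIP) of
        true  -> true;
        false -> check_ip(IFs, PeerIP)
    end;
check_ip([], PeerIP) ->
    {false, PeerIP}.

mask({M1,M2,M3,M4}, {A1,A2,A3,A4}) ->
    {M1 band A1, M2 band A2, M3 band A3, M4 band A4}.

%% Constructed sample: the interface list seen in the trace above.
sample_ifs() ->
    [{{172,16,64,1},  {172,16,64,255},  {255,255,255,0}},
     {{172,16,213,1}, {172,16,213,255}, {255,255,255,0}},
     {{192,168,1,3},  {192,168,1,255},  {255,255,255,0}},
     {{127,0,0,1},    undefined,        {255,0,0,0}}].

%% Constructed peers: two on local subnets, one routed, one loopback-class.
sample_peers() ->
    [{192,168,1,77}, {172,16,213,9}, {10,0,0,5}, {127,5,5,5}].
```

Run it on each node of the cluster with the other nodes' addresses: any peer it reports as rejected will be cut off with the SASL message above once check_ip is turned on there.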
Have fun, and keep your clusters secure!