Erlang集群未公开特性：IP网段限制

Home > Erlang探索 > Erlang集群未公开特性：IP网段限制

October 1st, 2011 Yu Feng

原创文章，转载请注明： 转载自系统技术非业余研究

Erlang集群二个节点之间的通讯是通过一个tcp长连接进行的，而且是全联通的，一旦cookie论证通过了，任何一个节点就获得全集群的访问权，可以参考Erlang分布的核心技术浅析
。erlang的这个授权模式特定搞的这么简单，但是在实际使用中还是有安全性的问题。我们退而求其次，来个IP网段限制，这个功能Erlang是有的只是没有文档化。

我们来看下代码:
inet_tcp_dist.erl:L157

do_accept(Kernel, AcceptPid, Socket, MyNode, Allowed, SetupTime) ->
    receive
        {AcceptPid, controller} ->
            Timer = dist_util:start_timer(SetupTime),
            case check_ip(Socket) of
                true ->
                   ...
                   dist_util:handshake_other_started(HSData);
                {false,IP} ->
                    error_msg("** Connection attempt from "
                              "disallowed IP ~w ** ~n", [IP]),
                    ?shutdown(no_node)
            end
    end.
 
 
%% ------------------------------------------------------------                                                             
check_ip(Socket) ->
    case application:get_env(check_ip) of
        {ok, true} ->
            case get_ifs(Socket) of
                {ok, IFs, IP} ->
                    check_ip(IFs, IP);
                _ ->
                    ?shutdown(no_node)
            end;
        _ ->
            true
    end.
 
get_ifs(Socket) ->
    case inet:peername(Socket) of
        {ok, {IP, _}} ->
            case inet:getif(Socket) of
                {ok, IFs} -> {ok, IFs, IP};
                Error     -> Error
            end;
        Error ->
            Error
    end.
check_ip([{OwnIP, _, Netmask}|IFs], PeerIP) ->
    case {mask(Netmask, PeerIP), mask(Netmask, OwnIP)} of
        {M, M} -> true;
        _      -> check_ip(IFs, PeerIP)
    end;
check_ip([], PeerIP) ->
    {false, PeerIP}.
 
mask({M1,M2,M3,M4}, {IP1,IP2,IP3,IP4}) ->
    {M1 band IP1,
     M2 band IP2,
     M3 band IP3,
     M4 band IP4}.

这个功能可以用-kernel check_ip true打开。
接着我们来实验下，在其中一个终端开：

$ erl -kernel check_ip true -name x@127.0.0.1
Erlang R14B04 (erts-5.8.5) [source] [smp:2:2] [rq:2] [async-threads:0] [hipe] [kernel-poll:false]
 
Eshell V5.8.5  (abort with ^G)
(x@127.0.0.1)1> dbg:tracer().
{ok,<0.39.0>}
(x@127.0.0.1)2> dbg:p(all,c).
{ok,[{matched,'x@127.0.0.1',32}]}
(x@127.0.0.1)3> dbg:tpl(inet_tcp_dist,check_ip, [{'_', [], [{return_trace}]}]).
{ok,[{matched,'x@127.0.0.1',2},{saved,1}]}
(x@127.0.0.1)4> dbg:tpl(inet_tcp_dist,check_ip, [{'_', [], [{return_trace}]}])(<0.44.0>) call inet_tcp_dist:check_ip(#Port<0.623>)
(<0.44.0>) call inet_tcp_dist:check_ip([{{172,16,64,1},{172,16,64,255},{255,255,255,0}},
 {{172,16,213,1},{172,16,213,255},{255,255,255,0}},
 {{192,168,1,3},{192,168,1,255},{255,255,255,0}},
 {{127,0,0,1},undefined,{255,0,0,0}}],{127,0,0,1})
(<0.44.0>) call inet_tcp_dist:check_ip([{{172,16,213,1},{172,16,213,255},{255,255,255,0}},
 {{192,168,1,3},{192,168,1,255},{255,255,255,0}},
 {{127,0,0,1},undefined,{255,0,0,0}}],{127,0,0,1})
(<0.44.0>) call inet_tcp_dist:check_ip([{{192,168,1,3},{192,168,1,255},{255,255,255,0}},
 {{127,0,0,1},undefined,{255,0,0,0}}],{127,0,0,1})
(<0.44.0>) call inet_tcp_dist:check_ip([{{127,0,0,1},undefined,{255,0,0,0}}],{127,0,0,1})
(<0.44.0>) returned from inet_tcp_dist:check_ip/2 -> true
(<0.44.0>) returned from inet_tcp_dist:check_ip/2 -> true
(<0.44.0>) returned from inet_tcp_dist:check_ip/2 -> true
(<0.44.0>) returned from inet_tcp_dist:check_ip/2 -> true
(<0.44.0>) returned from inet_tcp_dist:check_ip/1 -> true

在另外一个终端开：

$ erl -name y@127.0.0.1
Erlang R14B04 (erts-5.8.5) [source] [smp:2:2] [rq:2] [async-threads:0] [hipe] [kernel-poll:false]
 
Eshell V5.8.5  (abort with ^G)
(y@127.0.0.1)1> net_adm:ping('x@127.0.0.1').
pong
(y@127.0.0.1)2> 

通过跟踪我们确诊这个功能被打开了，而且在作用。如果没通过IP限制，SASL下会得到如下提示：
** Connection attempt from disallowed IP ~w **。

祝大家玩得开心，集群得安全！

Post Footer automatically generated by wp-posturl plugin for wordpress.

Categories: Erlang探索 Tags: checkip, inet_tcp_dist, kernel

Comments (0)

No comments yet.

Comments are closed.

gen_tcp发送进程被挂起起因分析及对策 Erlang集群自动化添加节点指南

系统技术非业余研究