
Erlang集群未公开特性:IP网段限制

October 1st, 2011

原创文章,转载请注明: 转载自系统技术非业余研究

本文链接地址: Erlang集群未公开特性:IP网段限制

Erlang集群两个节点之间的通讯是通过一个tcp长连接进行的,而且是全联通的,一旦cookie验证通过了,任何一个节点就获得全集群的访问权,可以参考Erlang分布的核心技术浅析
。erlang的这个授权模式特意搞得这么简单,但是在实际使用中还是有安全性的问题。我们退而求其次,来个IP网段限制,这个功能Erlang是有的只是没有文档化。

我们来看下代码:
inet_tcp_dist.erl:L157

%% Accept side of an incoming distribution connection.  Waits for the
%% {AcceptPid, controller} message, starts the setup timer and then gates
%% the handshake on check_ip/1: a peer that fails the IP check is logged
%% and the connection is torn down with ?shutdown(no_node) before
%% dist_util:handshake_other_started/1 is ever reached.
%% NOTE: the listing elides the success branch ("..."), so how HSData is
%% built is not visible here.
do_accept(Kernel, AcceptPid, Socket, MyNode, Allowed, SetupTime) ->
    receive
        {AcceptPid, controller} ->
            Timer = dist_util:start_timer(SetupTime),
            %% check_ip/1 yields true when the check is disabled or when
            %% the peer shares a subnet with one of the local interfaces.
            case check_ip(Socket) of
                true ->
                   ...
                   dist_util:handshake_other_started(HSData);
                {false,IP} ->
                    %% Peer address lies outside every local subnet:
                    %% report it and refuse the connection.
                    error_msg("** Connection attempt from "
                              "disallowed IP ~w ** ~n", [IP]),
                    ?shutdown(no_node)
            end
    end.


%% ------------------------------------------------------------                                                             
%% Entry point of the IP gate for an accepted distribution socket.
%% The gate is active only when the `check_ip` application env is
%% exactly {ok, true}; any other value (including unset) lets the peer
%% through unchecked, i.e. the feature is off by default.  When active,
%% a failure to resolve the peer address or the local interface table is
%% fatal for this connection (?shutdown(no_node)); otherwise the subnet
%% test check_ip/2 decides.
check_ip(Socket) ->
    case application:get_env(check_ip) =:= {ok, true} of
        false ->
            true;
        true ->
            case get_ifs(Socket) of
                {ok, IFs, PeerIP} ->
                    check_ip(IFs, PeerIP);
                _Failure ->
                    ?shutdown(no_node)
            end
    end.

%% Collect what the IP gate needs from an accepted socket: the remote
%% address (port number dropped) and the local interface table.  Both
%% lookups must succeed; whatever inet returns on failure is passed back
%% unchanged to the caller.
get_ifs(Socket) ->
    case inet:peername(Socket) of
        {ok, {PeerIP, _PeerPort}} ->
            with_interfaces(Socket, PeerIP);
        Failure ->
            Failure
    end.

%% Second half of get_ifs/1: attach the interface list to the peer address.
with_interfaces(Socket, PeerIP) ->
    case inet:getif(Socket) of
        {ok, IFs} ->
            {ok, IFs, PeerIP};
        Failure ->
            Failure
    end.
%% Subnet test used by the IP gate.  The peer is accepted as soon as it
%% falls inside the subnet of ANY local interface, i.e. the interface's
%% own address and the peer address agree once both are masked with that
%% interface's netmask.  The second tuple element (presumably the
%% broadcast address; it can be `undefined`) is ignored.  This is a
%% subnet-coincidence test, not a configurable allowlist: every host on
%% a subnet the node itself sits on passes.  With no interfaces, or none
%% matching, the rejected peer address is returned tagged so the caller
%% can report it.
check_ip(IFs, PeerIP) ->
    SameSubnet =
        fun({OwnIP, _Broadcast, Netmask}) ->
                mask(Netmask, PeerIP) =:= mask(Netmask, OwnIP)
        end,
    case lists:any(SameSubnet, IFs) of
        true  -> true;
        false -> {false, PeerIP}
    end.

%% Apply an IPv4 netmask octet by octet.  Only 4-tuples are handled, so
%% an IPv6 (8-tuple) address or mask fails here with function_clause.
mask({M1, M2, M3, M4}, {A1, A2, A3, A4}) ->
    {M1 band A1, M2 band A2, M3 band A3, M4 band A4}.

这个功能可以用-kernel check_ip true打开。打开后,只有与本机某个网卡处于同一网段(按该网卡的掩码分别对本机地址和对端地址做与运算后相等)的对端IP才允许连接;它并不是一个可配置的白名单,只要对端处于本机所在的任一网段就会被放行。
接着我们来实验下,在其中一个终端开:

$ erl -kernel check_ip true -name x@127.0.0.1
Erlang R14B04 (erts-5.8.5) [source] [smp:2:2] [rq:2] [async-threads:0] [hipe] [kernel-poll:false]

Eshell V5.8.5  (abort with ^G)
(x@127.0.0.1)1> dbg:tracer().
{ok,<0.39.0>}
(x@127.0.0.1)2> dbg:p(all,c).
{ok,[{matched,'x@127.0.0.1',32}]}
(x@127.0.0.1)3> dbg:tpl(inet_tcp_dist,check_ip, [{'_', [], [{return_trace}]}]).
{ok,[{matched,'x@127.0.0.1',2},{saved,1}]}
(x@127.0.0.1)4> dbg:tpl(inet_tcp_dist,check_ip, [{'_', [], [{return_trace}]}])(<0.44.0>) call inet_tcp_dist:check_ip(#Port<0.623>)
(<0.44.0>) call inet_tcp_dist:check_ip([{{172,16,64,1},{172,16,64,255},{255,255,255,0}},
 {{172,16,213,1},{172,16,213,255},{255,255,255,0}},
 {{192,168,1,3},{192,168,1,255},{255,255,255,0}},
 {{127,0,0,1},undefined,{255,0,0,0}}],{127,0,0,1})
(<0.44.0>) call inet_tcp_dist:check_ip([{{172,16,213,1},{172,16,213,255},{255,255,255,0}},
 {{192,168,1,3},{192,168,1,255},{255,255,255,0}},
 {{127,0,0,1},undefined,{255,0,0,0}}],{127,0,0,1})
(<0.44.0>) call inet_tcp_dist:check_ip([{{192,168,1,3},{192,168,1,255},{255,255,255,0}},
 {{127,0,0,1},undefined,{255,0,0,0}}],{127,0,0,1})
(<0.44.0>) call inet_tcp_dist:check_ip([{{127,0,0,1},undefined,{255,0,0,0}}],{127,0,0,1})
(<0.44.0>) returned from inet_tcp_dist:check_ip/2 -> true
(<0.44.0>) returned from inet_tcp_dist:check_ip/2 -> true
(<0.44.0>) returned from inet_tcp_dist:check_ip/2 -> true
(<0.44.0>) returned from inet_tcp_dist:check_ip/2 -> true
(<0.44.0>) returned from inet_tcp_dist:check_ip/1 -> true

在另外一个终端开:

$ erl -name y@127.0.0.1
Erlang R14B04 (erts-5.8.5) [source] [smp:2:2] [rq:2] [async-threads:0] [hipe] [kernel-poll:false]

Eshell V5.8.5  (abort with ^G)
(y@127.0.0.1)1> net_adm:ping('x@127.0.0.1').
pong
(y@127.0.0.1)2> 

通过跟踪我们确认这个功能被打开了,而且在起作用。如果没通过IP限制,SASL下会得到如下提示:
** Connection attempt from disallowed IP ~w **(其中 ~w 会被替换为被拒绝的对端IP)。

祝大家玩得开心,集群得安全!

