#27 Allow specifying network interface for outgoing connections
Reporter
MattJ
Owner
MattJ
Created
Updated
Stars
★ (1)
Tags
Type-Enhancement
Priority-Medium
Component-Network
Status-Accepted
MattJ
on
This should probably be per-host.
MattJ
on
Changes
Tags: Type-Defect removed, Type-Enhancement added
MattJ
on
Old bug, I don't think I've seen requests for this any time recently. Closing.
Changes
Tag: Status-WontFix added
Daniel Kenzelmann
on
Please implement this feature, it should be possible to specify the interface for outgoing connections.
Current setup explaining the need for this:
Homeserver has internet connectivity which has a dynamic (changing every 24h) IP address assignment.
An OpenVPN tunnel is created to a vServer with 2 public IPv4 addresses of which 1 is assigned to the homeserver.
Traffic is routed from the vServer to the homeserver via the OpenVPN connection to the public vServer IP address which is present on the homeserver on a TUN interface.
Returning packets coming FROM that vServer IP on the homeserver (i.e. answering packets to requests that came in through the tunnel) are routed back into the tunnel using policy routing based on the source IP address.
This setup means that by default all outbound connections from the homeserver are using the dynamic address and connections to the vServer IP using the tunnel are returned using this tunnel. This setup works very well for all services that listen for connections and allows the server to present a fixed IP to the public internet no matter how the connectivity to the homeserver is actually provided.
However, prosody will also initiate outbound connections to connect to other servers via s2s. Here we would need a possibility to specify the vServer IPs (IPv4 and IPv6) or network interface that should be used for outbound connections.
This functionality is present for other software that initiates outbound connections (e.g. exim, asterisk, etc.).
I investigated using policy routing with marking packets based on the process owner, however this has other issues (source IP address translation required, etc., basically requiring a complex NAT configuration and all in all just being way too complex for this basic feature; also, depending on the content of the s2s packets, this might still contain the wrong IP somewhere in the payload...)
I tried to grok the logic in the lua files, however it's not entirely clear where the outbound connections are made and if I am missing any instance.
If anyone familiar with the code could just point me to the locations where the connect for outbound connections is done I'd try to come up with a patch incorporating the functionality above...
Ideally the functionality should be analogous to the exim "interface" configuration option. Basically specifying multiple IPs (IPv4, IPv6) and the first usable/matching is used: http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html
Outbound s2s connections are created here: https://hg.prosody.im/trunk/file/84916bbe5985/plugins/mod_s2s/s2sout.lib.lua#l274
It should be using the net.server.addclient() API, but it's using luasocket directly for some reason. The code for this is in net/server_*.lua depending on which network_backend is selected: https://hg.prosody.im/trunk/file/tip/net
At some point in the future, it will likely be the responsibility of the new net.connect: https://hg.prosody.im/trunk/file/tip/net/connect.lua
Currently only HTTP connections are handled by net.connect.
Yeah, net.connect is our attempt to get all outgoing connection logic into a single place in the code. The s2s code is next on the list :)
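The following is an added example, not Prosody's code and not a patch from anyone in this thread. It sketches what the requested feature looks like at the luasocket level that the s2s code currently calls directly: a per-host list of candidate source addresses in the spirit of exim's "interface" option, where the first entry whose address family matches the (already resolved) destination is chosen and the TCP client is bound to it before connect(). The table name `outgoing_sources`, the helper names, and the 203.0.113.0/24 and 2001:db8::/32 addresses are assumptions and constructed sample values; the code assumes luasocket 3.x for `socket.tcp4()`/`socket.tcp6()`. Binding the source address only fixes the IP the kernel puts on the packets; as the report above notes, anything the s2s payload says about its own address is a separate concern.

```lua
-- Added example (not Prosody code): pick a source address per destination
-- family and bind a luasocket TCP client to it before connecting.
local socket = require "socket"  -- luasocket 3.x assumed (tcp4/tcp6)

-- Hypothetical per-host configuration; constructed sample values.
-- Order matters: the first entry whose family matches the destination wins.
local outgoing_sources = {
  ["example.com"] = { "203.0.113.10", "2001:db8::10" },
}
local default_sources = {}  -- empty: let the kernel choose, as today

-- Classify an IP literal as "ipv4" or "ipv6"; returns nil for hostnames.
-- No DNS is done here: the caller of connect() already has a resolved IP.
local function family_of(ip)
  if ip:find(":", 1, true) then return "ipv6" end
  if ip:match("^%d+%.%d+%.%d+%.%d+$") then return "ipv4" end
  return nil
end

-- First configured source for `host` whose family matches `family`,
-- or nil when nothing suitable is configured.
local function pick_source(host, family)
  local list = outgoing_sources[host] or default_sources
  for _, src in ipairs(list) do
    if family_of(src) == family then return src end
  end
  return nil
end

-- Create a client of the destination's family, bind it to the chosen
-- source (port 0 = any ephemeral port), then connect. Returns the socket
-- and the source used, or nil plus an error string.
local function connect_from(host, dest_ip, port)
  local family = family_of(dest_ip)
  if not family then
    return nil, "destination is not an IP literal: " .. tostring(dest_ip)
  end
  local sock, err = (family == "ipv6") and socket.tcp6() or socket.tcp4()
  if not sock then return nil, err end
  local src = pick_source(host, family)
  if src then
    local ok, berr = sock:bind(src, 0)
    if not ok then
      sock:close()
      return nil, "bind " .. src .. ": " .. tostring(berr)
    end
  end
  local ok, cerr = sock:connect(dest_ip, port)
  if not ok then
    sock:close()
    return nil, "connect " .. dest_ip .. ": " .. tostring(cerr)
  end
  return sock, src
end

-- Selection logic can be exercised without a network:
print(pick_source("example.com", "ipv4"))   -- 203.0.113.10
print(pick_source("example.com", "ipv6"))   -- 2001:db8::10
print(pick_source("other.example", "ipv4")) -- nil (no per-host config)

return { pick_source = pick_source, connect_from = connect_from }
```

A bind failure (for example, the configured address is not present on any interface because the tunnel is down) surfaces as an error instead of silently falling back to the dynamic address, which is what an operator relying on this setup would want to see in the log rather than a connection leaving on the wrong IP.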