[AG-TECH] Static Unicast Ports - diffs

Todd Zimmerman toddz at sfu.ca
Fri Jun 8 15:03:44 CDT 2007


The diffs...
/usr/bin/Bridge (AG3)
/usr/bin/BridgeServer.py (AG2)

Todd Zimmerman wrote:
> Within WestGrid, we have a need to have static unicast ports for venues so that firewall
> administrators can limit the ports required to be opened for AG usage.  Assigning static multicast
> ports is easy; however, assigning static unicast ports is not.
> 
> I thought I'd post to the list the small hacks I've implemented to achieve static unicast ports on
> our Venueserver/Bridgeservers.
> 
> For background, WestGrid utilizes static multicast addresses from the Netera Alliance glop space
> (233.59.192.x) which we have authorization to use.  We also use a port numbering convention that
> utilizes ports in the range of 60500 - 60800 for these multicast addresses/venues.  For static
> unicast ports, we use a 'multicast port - 10000' convention - so our unicast range is 50500 -
> 50800.
> 
> For AG3 bridging, we still want to offer the bridge to users not using the WestGrid Venueserver - so
> I start the bridge giving a range of usable ports outside of our statically used range
> (55000-57000).  I then added a check in /usr/bin/Bridge to statically assign WestGrid venues while
> leaving non-WestGrid venues to be assigned within the range assigned above.
> 
> Disclaimer - I am not a doctor nor do I play one on TV.  I'm not sure if there are any side effects
> to using this hack - so don't blame me if something breaks ;-)  To use this hack you'll need access
> to a multicast glop space and you need to make sure your static port range will not collide with
> your non-static port range since all checks are bypassed.
> 
> This is the code I added at line 59 of /usr/bin/Bridge - just after the 'uaddr =
> SystemConfig.instance().GetHostname()' line:
> 
> 
> uport = None
> if mnl["host"].startswith( "233.59.192" ):
>    uport = mnl["port"] - 10000
> 
> Then changed lines 64/65 from:
> 
> retBridge = self.bridgeFactory.CreateBridge(id=mnl["id"], maddr=mnl["host"], mport=mnl["port"],
> mttl=mnl["ttl"], uaddr=uaddr,uport=None)
> 
> to
> 
> retBridge = self.bridgeFactory.CreateBridge(id=mnl["id"], maddr=mnl["host"], mport=mnl["port"],
> mttl=mnl["ttl"], uaddr=uaddr,uport=uport)
> 
> 
> For AG2.4, the hack was easier since we were only bridging our own venueserver - so we didn't have to
> worry about setting up bridges outside of our range.  I added the following at line 560 (just after
> 'uport = 0' in __AddBridge):
> 
> uport = streamDesc.location.port - 10000
> 
> I then commented out the proceeding lines 561-571 (the port allocation part) since we no longer need
> to allocate ports.
> 
> I've attached diffs for anyone interested.  These hacks are just that - hacks and I wouldn't
> recommend using them; however I know other people are in the same circumstance as WestGrid and need
> to limit port usage for security administrators.  If anyone has any thoughts or ideas on how best to
> implement these in a better/more practical and configurable way I'd be interested to hear (I suppose
> we could add a static bridge section to the bridge config file etc.) and perhaps I could look at
> coding something up for inclusion in the main source.
> 
> Cheers,
> 
> Todd
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Bridge.diff
Type: text/x-patch
Size: 424 bytes
Desc: not available
URL: <http://lists.mcs.anl.gov/pipermail/ag-tech/attachments/20070608/c9ed2411/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: BridgeServer.py.diff
Type: text/x-patch
Size: 126 bytes
Desc: not available
URL: <http://lists.mcs.anl.gov/pipermail/ag-tech/attachments/20070608/c9ed2411/attachment-0001.bin>
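The static-port convention from the message, written out as an added Python example (not the post's own code or Access Grid source): the 'multicast port - 10000' mapping for 233.59.192.x venues, plus the check that the derived static unicast range does not collide with the bridge's dynamic range, which the post notes its hack skips. Function names are assumptions; the address prefix and port ranges are the numbers given in the post.

```python
import ipaddress

# Constants taken from the post; the dynamic range is what the bridge was
# started with for non-WestGrid venues.
GLOP_NET = ipaddress.ip_network("233.59.192.0/24")   # WestGrid static multicast glop space
STATIC_OFFSET = 10000                                # unicast port = multicast port - 10000
STATIC_MCAST_PORTS = range(60500, 60801)             # static multicast port convention
DYNAMIC_UCAST_PORTS = range(55000, 57001)            # bridge's allocatable unicast range


def ranges_collide(a: range, b: range) -> bool:
    """True if two half-open port ranges share at least one port."""
    return a.start < b.stop and b.start < a.stop


def static_ucast_range(mcast: range = STATIC_MCAST_PORTS) -> range:
    """Unicast range implied by applying the offset to the static multicast range."""
    return range(mcast.start - STATIC_OFFSET, mcast.stop - STATIC_OFFSET)


def config_problems(mcast: range = STATIC_MCAST_PORTS,
                    dynamic: range = DYNAMIC_UCAST_PORTS) -> list:
    """Sanity checks to run once at bridge start-up; empty list means OK."""
    problems = []
    static = static_ucast_range(mcast)
    if static.start < 1024:
        problems.append("static unicast range reaches into privileged ports")
    if ranges_collide(static, dynamic):
        problems.append("static unicast range %d-%d overlaps dynamic range %d-%d"
                        % (static.start, static.stop - 1, dynamic.start, dynamic.stop - 1))
    return problems


def choose_unicast_port(maddr: str, mport: int):
    """Static unicast port for a WestGrid venue, or None so the bridge factory
    allocates from its dynamic range (the CreateBridge(uport=...) argument)."""
    if ipaddress.ip_address(maddr) not in GLOP_NET:
        return None                      # not ours: fall through to normal allocation
    if mport not in STATIC_MCAST_PORTS:
        raise ValueError("multicast port %d outside static convention" % mport)
    uport = mport - STATIC_OFFSET
    if uport in DYNAMIC_UCAST_PORTS:     # the check the original hack bypasses
        raise ValueError("static unicast port %d collides with dynamic range" % uport)
    return uport
```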


More information about the ag-tech mailing list