
[HTCondor-users] NETWORK_INTERFACE - IP address subnet notation not working



Hi everyone

Is someone able to confirm that an IP address of the form:

128.104.0.0/16

does NOT work for:

NETWORK_INTERFACE = 128.104.0.0/16

It does work for the allow/deny statements though:

ALLOW_READ = 128.104.0.0/16

or am I doing something wrong? Thanks.

Cheers

Greg

$CondorVersion: 8.8.12 Nov 24 2020 BuildID: 524104 $
$CondorPlatform: x86_64_Windows10 $


-----Original Message-----
From: Tim Theisen <tim@xxxxxxxxxxx> 
Sent: Monday, 16 November 2020 9:48 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>; Hitchen, Greg (IM&T, Kensington WA) <Greg.Hitchen@xxxxxxxx>
Subject: Re: [HTCondor-users] IP address subnet notation

Hello Greg,

I can confirm that your usage is correct to specify an IPv4 network.

I also found this excellent comment in the source code:

    // An IP literal may be an IPv4 literal or an IPv6 literal. An IPv4 network
    // may be specified as an incomplete dotted quad with a single asterisk
    // (*) in place of the rightmost quad; as a dotted quad followed by a
    // slash followed by the dotted quad of the netmask; or as a dotted quad
    // followed by a slash followed by an integer specifying the number of
    // mask bits. An IPv6 network may be specified as an IPv6 literal
    // followed by a slash followed by an integer specifying the number of
    // mask bits; or as an IPv6 literal with the second of its trailing
    // colons replaced by a star. When a full IPv6 literal is used (with
    // or without a slash and mask bits), the use of square brackets is
    // allowed but optional. Examples:
    //
    // 128.104.100.22
    //
    // 128.104.*
    // 128.104.0.0/255.255.0.0
    // 128.104.0.0/16
    //
    // 2607:f388:107c:501:1b:21ff:feca:51f0
    // [2607:f388:107c:501:1b:21ff:feca:51f0]
    // 2607:f388:107c:501::/60
    // [2607:f388:107c:501::]/60
    // 2607:f388:107c:501:*

I will make a ticket to get this information into the manual.

...Tim

On 11/16/20 12:51 AM, Hitchen, Greg (IM&T, Kensington WA) wrote:
> OK, answering my own question.
>
> It appears you can use the format xxx.yyy.176.0/20
>
> I couldn't find anything in the manual/documentation but did find (via google) a presentation that had examples:
>
> ALLOW_WRITE = *
> ALLOW_WRITE = goose.cs.wisc.edu
> ALLOW_WRITE = *.cs.wisc.edu
> ALLOW_WRITE = 128.105.*
> ALLOW_WRITE = 128.105.0.0/16
>
> So it seems to work OK using that last format from some limited testing I did.
> It would be helpful though if someone could just confirm this.
>
> Thanks
>
> Cheers
>
> Greg
>
> -----Original Message-----
> From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Hitchen, Greg (IM&T, Kensington WA)
> Sent: Monday, 16 November 2020 12:02 PM
> To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
> Subject: [ExternalEmail] [HTCondor-users] IP address subnet notation
>
> Hi All
>
> I would like to add some subnets to DENY_READ and DENY_WRITE
>
> Not so bad if you just want to block something like 174.23.57.*
>
> However I have a list of subnets like xxx.yyy.176.0/20 which equates to xxx.yyy.(176-191).*, i.e.
>
> xxx.yyy.176.*, xxx.yyy.177.*, xxx.yyy.178.*, ......, etc. up to xxx.yyy.191.*
>
> i.e. 16 subnets, and I have multiple of these, although not all /20. Some are /21 (8 subnets) and some /22 (4 subnets)
>
> I think I know the answer, but I'm hoping there might be a shorthand way rather than having to list every single subnet,
> otherwise there will be 58 single subnets to list.
>
> Thanks
>
> Cheers
>
> Greg
>
> P.S. The subnets in question are ranges within our internal network, BUT specifically allocated to our VPN services.
> We do not want machines (laptops) as part of the pool when VPN'ed in.
> Note that this is a "just in case strategy" as the NETWORK_INTERFACE settings will only allow IPs within our internal
> network to start up HTCondor anyway, which will be the case for machines at home as they will have an IP of their home
> network when booted up and HTCondor tries to start. We want the DENY statements in case HTCondor gets restarted
> AFTER a machine has VPN'ed in.
>
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/

-- 
Tim Theisen
Release Manager
HTCondor & Open Science Grid
Center for High Throughput Computing
Department of Computer Sciences
University of Wisconsin - Madison
4261 Computer Sciences and Statistics
1210 W Dayton St
Madison, WI 53706-1685
+1 608 265 5736
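
The network notations listed in the quoted source comment, and the /20 shorthand asked about earlier in the thread, worked through with Python's ipaddress module. This is an added example, not part of the original thread and not HTCondor code; the function names and the 10.20.x.x addresses are constructed, and reading the IPv6 star form as "all remaining 16-bit groups" is an assumption.

```python
import ipaddress

def parse_network(spec):
    """Parse one entry written in the notation from the quoted comment.

    Returns an ipaddress network; a single host becomes a /32 or /128.
    Hostnames and a bare "*" are not handled here.
    """
    spec = spec.strip()
    if spec.endswith("*"):
        stem = spec[:-1]
        if stem.endswith("."):            # IPv4 wildcard, e.g. 128.104.*
            quads = stem[:-1].split(".")
            if not 1 <= len(quads) <= 3:
                raise ValueError(f"bad IPv4 wildcard: {spec!r}")
            base = ".".join(quads + ["0"] * (4 - len(quads)))
            return ipaddress.ip_network(f"{base}/{8 * len(quads)}")
        if stem.endswith(":"):            # IPv6 wildcard, e.g. 2607:f388:107c:501:*
            groups = stem[:-1].split(":")
            # Assumption: the star covers every remaining 16-bit group.
            return ipaddress.ip_network(f"{stem}:/{16 * len(groups)}")
        raise ValueError(f"unsupported wildcard: {spec!r}")
    addr, slash, mask = spec.partition("/")
    # ip_network takes a prefix length or a dotted netmask after the slash.
    # strict=False masks off host bits, which the comment's own example
    # 2607:f388:107c:501::/60 has set.
    return ipaddress.ip_network(addr.strip("[]") + slash + mask, strict=False)

def covered(address, specs):
    """True if address falls inside any of the listed networks."""
    ip = ipaddress.ip_address(address)
    nets = (parse_network(s) for s in specs)
    return any(ip.version == n.version and ip in n for n in nets)

def shorthand(specs):
    """Collapse same-family entries into the fewest CIDR blocks."""
    return [str(n) for n in ipaddress.collapse_addresses(map(parse_network, specs))]

# Constructed sample: sixteen /24 wildcards standing in for xxx.yyy.176.* to 191.*
VPN_WILDCARDS = [f"10.20.{third}.*" for third in range(176, 192)]

if __name__ == "__main__":
    print(shorthand(VPN_WILDCARDS))
    print(covered("10.20.191.7", ["10.20.176.0/20"]))
    print(covered("10.20.192.1", ["10.20.176.0/20"]))
```

Running a deny list through `shorthand` before pasting it into a configuration shows whether a block of wildcard entries really is one aligned CIDR range or needs several.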