NETWORK_INTERFACE is supposed to be a single IP number not a range.
Steve Timm
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Hitchen, Greg (IM&T, Kensington WA) <Greg.Hitchen@xxxxxxxx>
Sent: Thursday, November 11, 2021 6:48 PM
To: Timothy Theisen <tim@xxxxxxxxxxx>; HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] NETWORK_INTERFACE - IP address subnet notation not working

Hi everyone

Is someone able to confirm that an IP address of the form:

128.104.0.0/16

does NOT work for:

NETWORK_INTERFACE = 128.104.0.0/16

It does work for the allow/deny statements though:

ALLOW_READ = 128.104.0.0/16

or am I doing something wrong?

Thanks.

Cheers

Greg

$CondorVersion: 8.8.12 Nov 24 2020 BuildID: 524104 $
$CondorPlatform: x86_64_Windows10 $

-----Original Message-----
From: Tim Theisen <tim@xxxxxxxxxxx>
Sent: Monday, 16 November 2020 9:48 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>; Hitchen, Greg (IM&T, Kensington WA) <Greg.Hitchen@xxxxxxxx>
Subject: Re: [HTCondor-users] IP address subnet notation

Hello Greg,

I can confirm that your usage is correct to specify an IPv4 network. I also found this excellent comment in the source code:

// An IP literal may be an IPv4 literal or an IPv6 literal. An IPv4 network
// may be specified as an incomplete dotted quad with a single asterisk
// (*) in place of the rightmost quad; as a dotted quad followed by a
// slash followed by the dotted quad of the netmask; or as a dotted quad
// followed by a slash followed by an integer specifying the number of
// mask bits. An IPv6 network may be specified as an IPv6 literal
// followed by a slash followed by an integer specifying the number of
// mask bits; or as an IPv6 literal with the second of its trailing
// colons replaced by a star. When a full IPv6 literal is used (with
// or without a slash and mask bits), the use of square brackets is
// allowed but optional. Examples:
//
// 128.104.100.22
//
// 128.104.*
// 128.104.0.0/255.255.0.0
// 128.104.0.0/16
//
// 2607:f388:107c:501:1b:21ff:feca:51f0
// [2607:f388:107c:501:1b:21ff:feca:51f0]
// 2607:f388:107c:501::/60
// [2607:f388:107c:501::]/60
// 2607:f388:107c:501:*

I will make a ticket to get this information into the manual.

...Tim

On 11/16/20 12:51 AM, Hitchen, Greg (IM&T, Kensington WA) wrote:
> OK, answering my own question.
>
> It appears you can use the format xxx.yyy.176.0/20
>
> I couldn't find anything in the manual/documentation but did find (via google) a presentation that had examples:
>
> ALLOW_WRITE = *
> ALLOW_WRITE = goose.cs.wisc.edu
> ALLOW_WRITE = *.cs.wisc.edu
> ALLOW_WRITE = 128.105.*
> ALLOW_WRITE = 128.105.0.0/16
>
> So it seems to work OK using that last format from some limited testing I did.
> It would be helpful though if someone could just confirm this.
>
> Thanks
>
> Cheers
>
> Greg
>
> -----Original Message-----
> From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Hitchen, Greg (IM&T, Kensington WA)
> Sent: Monday, 16 November 2020 12:02 PM
> To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
> Subject: [ExternalEmail] [HTCondor-users] IP address subnet notation
>
> Hi All
>
> I would like to add some subnets to DENY_READ and DENY_WRITE
>
> Not so bad if you just want to block something like 174.23.57.*
>
> However I have a list of subnets like xxx.yyy.176.0/20 which equates to xxx.yyy.(176-191).*, i.e.
>
> xxx.yyy.176.*, xxx.yyy.177.*, xxx.yyy.178.*, ......, etc. up to xxx.yyy.191.*
>
> i.e. 16 subnets, and I have multiple of these, although not all /20. Some are /21 (8 subnets) and some /22 (4 subnets)
>
> I think I know the answer, but I'm hoping there might be a shorthand way rather than having to list every single subnet,
> otherwise there will be 58 single subnets to list.
>
> Thanks
>
> Cheers
>
> Greg
>
> P.S. The subnets in question are ranges within our internal network, BUT specifically allocated to our VPN services.
> We do not want machines (laptops) as part of the pool when VPN'ed in.
> Note that this is a "just in case strategy" as the NETWORK_INTERFACE settings will only allow IPs within our internal
> network to start up HTCondor anyway, which will be the case for machines at home as they will have an IP of their home
> network when booted up and HTCondor tries to start.
> We want the DENY statements in case HTCondor gets restarted
> AFTER a machine has VPN'ed in.
>
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cs.wisc.edu_mailman_listinfo_htcondor-2Dusers&d=DwIGaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=10BCTK25QMgkMYibLRbpYg&m=naydyvAWXfbzHn-6TBrrLOuOmyWW8NysSkofzJ75YDJPCy_DoedIrH42UmMFZdI_&s=u00OCWZR4HUPuv0hAdpvYyQ2dIjtOrsJvER0WdsLUvU&e=
>
> The archives can be found at:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cs.wisc.edu_archive_htcondor-2Dusers_&d=DwIGaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=10BCTK25QMgkMYibLRbpYg&m=naydyvAWXfbzHn-6TBrrLOuOmyWW8NysSkofzJ75YDJPCy_DoedIrH42UmMFZdI_&s=0O_vbKmNhN3XMPUJruT1Zcmo-un4y-9axqWGckQltYc&e=

--
Tim Theisen
Release Manager
HTCondor & Open Science Grid
Center for High Throughput Computing
Department of Computer Sciences
University of Wisconsin - Madison
4261 Computer Sciences and Statistics
1210 W Dayton St
Madison, WI 53706-1685
+1 608 265 5736
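
Added example, not part of the thread and not HTCondor's own code: a Python reading of the network-literal forms listed in the quoted source comment, used to check which client addresses a DENY list covers and to expand one CIDR block into the wildcard entries it replaces. The 10.20.x.x ranges are constructed stand-ins for the xxx.yyy ranges in the thread, the function names are hypothetical, and treating `a:b:c:d:*` as 16 prefix bits per written group is an assumption about that form.

```python
import ipaddress

def parse_network(spec):
    """Turn one literal (forms from the quoted comment) into an ip_network."""
    spec = spec.strip()
    if spec.endswith(":*"):                 # IPv6 star form, e.g. 2607:f388:107c:501:*
        prefix = spec[:-2]
        bits = 16 * len(prefix.split(":"))  # assumption: 16 bits per written group
        return ipaddress.ip_network(f"{prefix}::/{bits}", strict=False)
    if spec.endswith(".*"):                 # IPv4 star form, e.g. 128.104.*
        quads = spec[:-2].split(".")
        if not 1 <= len(quads) <= 3:
            raise ValueError(f"bad wildcard literal: {spec}")
        padded = ".".join(quads + ["0"] * (4 - len(quads)))
        return ipaddress.ip_network(f"{padded}/{8 * len(quads)}")
    addr, slash, mask = spec.partition("/")
    addr = addr.strip("[]")                 # square brackets are optional for IPv6
    if not slash:                           # single host literal
        return ipaddress.ip_network(addr)
    # strict=False: the comment's own example 2607:f388:107c:501::/60 has host bits set
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def is_denied(client_ip, deny_list):
    """True if client_ip falls inside any network literal in deny_list."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in parse_network(s) for s in deny_list)

def as_wildcards(cidr):
    """List the a.b.c.* entries that one IPv4 CIDR block (/24 or shorter) replaces."""
    net = ipaddress.ip_network(cidr)
    return [str(s.network_address).rsplit(".", 1)[0] + ".*"
            for s in net.subnets(new_prefix=24)]

# Constructed VPN ranges: one /20, one /21, one /22 (16 + 8 + 4 wildcard entries).
DENY = ["10.20.176.0/20", "10.20.192.0/21", "10.20.200.0/22"]

if __name__ == "__main__":
    print(as_wildcards(DENY[0]))
    for ip in ("10.20.191.255", "10.20.203.9", "10.20.204.1"):
        print(ip, "denied" if is_denied(ip, DENY) else "not denied")
```

Running a candidate list through a check like this before deploying it shows whether every VPN-assigned address is covered and whether any address outside the intended ranges is caught by mistake.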