[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] NETWORK_INTERFACE - IP address subnet notation not working

Thanks Todd.


Yes we are currently using wildcards already. Our organisation spans the country (Australia) and

consists of 7 different subnet. So at the moment it is something like:


NETWORK_INTERFACE = aaa.bbb.*, xxx.yyy.*, ddd.eee.*, etc.


The issue we have is that we want to exclude VPN connections. The address ranges for these are

within a specific range of the same subnets, something like:


aaa.bbb.192.1 â aaa.bbb.192.254


which corresponds to aaa.bbb.192.0/19


We currently use DENY_READ and DENY_WRITE on the Central Managers to achieve this, so that

VPN machines are never part of the pool of resources.


DENY_READ = aaa.bbb.192.0/19

DENY_WRITE = aaa.bbb.192.0/19


This works OK, but logs tons of PERMISSION DENIED messages. No biggie, but we would rather

it happen at the NETWORK_INTERFACE level, as this means that the HTCondor service would not

even start.


This has become an issue for one particular research group that work onboard the ship RV Investigator

which is part of the MNF - Marine National Facility. They have limited network bandwidth via satellite

(which connects into our network via VPN) and claim that scientists laptops with HTCondor installed

are chewing into that bandwidth as the HTCondor service keeps trying to contact the Central Managers,

which then deny access.


Without the use of subnet notation, this makes it really kludgy to try and implement this via NETWORK_INTERFACE,



aaa.bbb.0.* /

aaa.bbb.1.* /

aaa.bbb.2.* /


aaa.bbb.191.* /

#(exclude aaa.bbb.192.*)

aaa.bbb.193.* /

aaa.bbb.194.* /




So a total of 250+ entries for this one subnet. And we have 3 different VPN subnets in total. Not even sure

if HTCondor will handle a list this long anyway?


Is there any clever way to kludge this somehow?


It would have also been easy if there was an ALLOW/DENY for NETWORK_INTERFACE, similar to READ/WRITE.


Thanks for any help/info/advice/comments anyone can provide.








From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
Sent: Saturday, 13 November 2021 6:38 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>; Hitchen, Greg (IM&T, Kensington WA) <Greg.Hitchen@xxxxxxxx>; Tim Theisen <tim@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] NETWORK_INTERFACE - IP address subnet notation not working


On 11/11/2021 6:48 PM, Hitchen, Greg (IM&T, Kensington WA) wrote:

Hi everyone
Is someone able to confirm that an IP address of the form:
does NOT work for:

Hi Greg,

The documentation for NETWORK_INTERFACE is here:


Looks like using subnet notation is not allowed, butusing a wildcard is, so maybe you could achieve what you want via: