© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
Hi Jeff.
Thanks for your comments. If you don't mind, let's discuss the details
further:
Regarding your first bullet:
I don't think that having 'application-
After all, proxified connections exist at the TCP/transport level and the
application should be entirely agnostic.
I believe what you mean is that we should have *destination*
proxies (which is what almost all other software dealing with SOCKS
and multiple proxies does: proxifiers like tsocks, dante, the eclipse
proxy selector etc. do it that way).
After all: if ASYN and CA happen to want to connect to the same subnet
then they can use the same proxy. If ASYN talks to a different subnet
then it should use a different proxy.
That is what the proxy selector is for. It should select a proxy for
the presented destination based on a set of rules.
E.g., you could have rules
asyn-subnet/
ca-subnet/22 -> proxy2
and any connection to 'asyn-subnet' with netmask 255.255.255.0 and within
port range 1000-9999 would go through 'proxy1'
any connection to 'ca-subnet' with netmask 255.255.252.0 (any port)
would go via 'proxy2'.
In practice, the 'proxies' are probably always SSH ports on 'localhost'
e.g.,
ssh -D1080 proxy1
ssh -D1081 proxy2
with the 'proxy1' and 'proxy2' settings in the 'rules' of the above
example then being 'localhost:1080' and 'localhost:1081', respectively.
The current 'default' proxy selector doesn't allow you to do that.
It just lets you define a single proxy which is used for all connections
or none at all.
However, it would not be not very hard to improve the default selector
(and already possible with the current patch for you to provide your
own selector).
This brings us to the second bullet:
The pointers returned by the proxy selector really point to static
objects which are created when the proxy selector parses it's rules
(the current default selector is initialized once and creates a
struct sockaddr using the info from EPICS_SOCKS_PROXY).
Therefore, I do not see any concurrency problems and thus
no need for locking or copying values. The objects referenced
by the pointer returned by the proxy selector are strictly
read-only and guaranteed to never change.
Finally - while I see that you can get away with a single
call to 'connect()' you still need a test (which then would be
a little bit more complicated) because you need to
skip the SOCKS negotiation if you have a direct connection.
Regarding the use of osiSockAddr - it would of course be
the first choice to use by the proxy selector but it would
require an OSI version of 'connect'. Since 'epicsConnectVi
should be a 'plug-in' replacement for 'connect' the type of
object chosen is 'struct sockaddr'.
Summarizing, I still believe that the current API makes sense
(it is also not really my invention but as I said: several packages
implementing SOCKS use a similar approach) but I can see
that a more powerful (default) proxy selector could be desirable
(but I IMHO the current implementation is still much better
than nothing).
What would you think about an implementation which
would understand
EPICS_SOCKS_PROXY = rules
rules: rule [ ',' rules ]
rule: [ dest '>' ] proxy /* a rule w/o dest is a wildcard to *any* dest */
proxy: [ dns-or-ip ] ':' [ port ] /* dns-or-ip defaults to 'localhost' */
| dns-or-ip /* 'port' defaults to '1080' */
dest: dns-or-ip [ '/' mask ] [ ':' range ] /* mask defaults to '32' */
range: port [ '-' port ]
This still allows a very simple configuration where you just have
a single proxy:
EPICS_SOCKS_
or even
EPICS_SOCKS_PROXY=:
The example above could be configured e.g.,
EPICS_SOCKS_
RFC
Thanks again
- Till