It does require a fixed source address. The box is also a router and firewall, so it has many IP addresses available to it.
On Wed, Dec 5, 2012 at 5:24 PM, William Herrin <b...@herrin.us> wrote:
> On Wed, Dec 5, 2012 at 5:01 PM, Mark Andrews <ma...@isc.org> wrote:
>> In message
>> <CAP-guGW6oXo=UfTfg+SDiFjB4=qxpsho+yfk6vxnlkcc58p...@mail.gmail.com>,
>> William Herrin writes:
>>> The thing is, Linux doesn't behave quite that way.
>>>
>>> If you do an anonymous connect(), that is you socket() and then
>>> connect() without a bind() in the middle, then the limit applies *per
>>> destination IP:port pair*. So, you should be able to do 30,000
>>> connections to 192.168.1.1 port 80, another 30,000 connections to
>>> 192.168.1.2 port 80, and so on.
>>
>> The socket api is missing a bind + connect call which restricts the
>> source address when making the connect. This is needed when you
>> are required to use a fixed source address.
>
> Hi Mark,
>
> There are ways around this problem in Linux. For example you can mark
> a packet with iptables based on the uid of the process which created
> it and then you can NAT the source address based on the mark. Little
> messy but the tools are there.
>
> Anyway, Ray didn't indicate that he needed a fixed source address
> other than the one the machine would ordinarily choose for itself.
>
> Regards,
> Bill Herrin
>
>
> --
> William D. Herrin ................ her...@dirtside.com b...@herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004

--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526 F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
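The bind + connect behaviour discussed in the quoted thread, as an added example (not code from the thread or any of its authors): on Linux 4.2 and later the IP_BIND_ADDRESS_NO_PORT socket option provides the bind-then-connect pattern Mark describes, fixing only the source address at bind() time and leaving ephemeral port selection to connect(), per destination. The loopback listener and the struct and function names are assumptions of this example; the option value fallback is only for older headers.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef IP_BIND_ADDRESS_NO_PORT
#define IP_BIND_ADDRESS_NO_PORT 24 /* Linux value; the option exists since kernel 4.2 */
#endif
struct bc_result {          /* outcome of one bind()+connect() from a fixed source */
    int deferred;           /* 1 if the kernel accepted IP_BIND_ADDRESS_NO_PORT */
    uint16_t port_after_bind, port_after_connect; /* 0 after bind = not chosen yet */
    char src[INET_ADDRSTRLEN]; /* source address the connection actually used */
};
/* Local port of fd in host order (0 if unknown); optionally copies the local IP. */
static uint16_t local_port(int fd, char *ip, size_t iplen) {
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) != 0) return 0;
    if (ip) inet_ntop(AF_INET, &sa.sin_addr, ip, iplen);
    return ntohs(sa.sin_port);
}
/* Listener on 127.0.0.1, kernel-chosen port, so the example runs offline. Returns fd or -1. */
static int start_listener(uint16_t *port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = 0 };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 8) != 0) { close(fd); return -1; }
    *port = local_port(fd, NULL, 0);
    return fd;
}
/* bind() to src_ip with port 0, then connect() to 127.0.0.1:dst_port.
   A plain bind() reserves an ephemeral port from the global pool immediately, so the
   per-destination accounting of an anonymous connect() is lost. With IP_BIND_ADDRESS_NO_PORT
   only the address is fixed at bind(); the port is picked at connect(), per destination. */
static int connect_from(const char *src_ip, uint16_t dst_port, int defer_port, struct bc_result *r) {
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in src = { .sin_family = AF_INET, .sin_port = 0 };
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(dst_port) };
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    memset(r, 0, sizeof *r);
    if (fd < 0 || inet_pton(AF_INET, src_ip, &src.sin_addr) != 1) { close(fd); return -1; }
    if (defer_port) r->deferred = setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, &one, sizeof one) == 0;
    if (bind(fd, (struct sockaddr *)&src, sizeof src) != 0) { close(fd); return -1; }
    r->port_after_bind = local_port(fd, NULL, 0);
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) != 0) { close(fd); return -1; }
    r->port_after_connect = local_port(fd, r->src, sizeof r->src);
    close(fd);
    return 0;
}
```

On a kernel without the option, setsockopt() fails, `deferred` stays 0 and the call falls back to the plain bind() behaviour.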