Allow the server to listen on multiple TCP sockets [CORE5219] #5499
Comments
Modified by: @mkubecekassignee: Michal Kubeček [ mkubecek ] |
|
Commented by: Sean Leyne (seanleyne) Michal, The server OS firewall features already support restricting external connections why is it required for this issue to be also addressed by the engine? |
|
Commented by: @mkubecek Personally, I have never thought much about binding a socket to an address as a security feature (in particular on Linux with its weak host model). I rather see this as a feature in the "virtual server" direction, helping to handle multiple Firebird instances on one system better. One possible follow-up feature (if there is interest) would be per socket DatabaseAccess (ExternalFileAccess, UdfAccess) and databases.conf, i.e. each combination of address and port potentially providing a different set of databases. Also, there is still the issue that old Windows versions (like XP) need two sockets to accept both IPv4 and IPv6 connections - but that is getting less and less important, of course. |
|
Commented by: Sean Leyne (seanleyne) Michael, As far as "virtual server" goes, there are plenty of now established available and new solutions being offered, which do not require the IP/port changes you describe -- see Docker, LXC and Windows 10/2016 containers. As far as support for legacy Windows (or even Linux systems), I believe that we cannot continue to support ancient systems. If devs want to use new features/FB versions, they need to be prepared to migrate OS versions or live without. |
|
Commented by: @mkubecek Sure, it can be worked around (to some extent) but if that was a blocker for features, why does Firebird provide wire encryption, wire compression or database encryption? All of these can be implemented using external tools, often even ones provided as a part of contemporary operating systems. |
Submitted by: @mkubecek
Assigned to: @mkubecek
Currently, Firebird server can use only one listening TCP socket which can listen either on zero address (and accept connections to any of host's addresses) or on address specified by RemoteBindAddress directive. It cannot listen on a subset of addresses which becomes restricting with IPv6 support as we cannot let the server listen on e.g. :: and 127.0.0.1 without letting it accept connections to any address. I played with it a bit while working on IPv6 support and I came with two approaches:
1. Create a separate thread for each listening socket. The advantage is that it doesn't require many changes to the code; I had better overall feeling about the diff. However, I wasn't able to make it work; there were some conflicts which I didn't have time to fully debug at the time, I suspect the AsyncPacket handling but there might be more.
2. Put multiple sockets (or socket chains) into the same poll()/select() in one thread. I was able to work this one out to a patch that passed my tests but the code is a bit ugly and I'm not quite sure about its efficiency.
The text was updated successfully, but these errors were encountered: