
I have an interface with two IPs as shown below (necessary for some firewall traffic management). It seems that apps could bind to either (if they don't specify an IP) on start, possibly interfering with the purpose of my dual IP addresses. (RedHat docs suggest no longer creating a separate interface for each IP).

I don't want to have to launch every executable with a modified command line; I'm hoping there's a weight or other thing I can assign to each IP to ensure that apps will prefer one IP vs the other.

2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:b6:49:04 brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 172.31.254.31/24 brd 172.31.254.255 scope global noprefixroute ens192
       valid_lft forever preferred_lft forever
    inet 172.31.254.32/24 brd 172.31.254.255 scope global secondary noprefixroute ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb6:4904/64 scope link
       valid_lft forever preferred_lft forever
TSG
  • I was working on an answer, but while looking for some references I found https://unix.stackexchange.com/questions/210982/bind-unix-program-to-specific-network-interface and https://superuser.com/questions/241178/how-to-use-different-network-interfaces-for-different-processes, among others. – larsks Aug 06 '23 at 01:26
  • The namespace approach requires forcing individual programs to specific namespaces. I'm hoping for something more like weights/priorities so I don't have to launch individual programs that way – TSG Aug 06 '23 at 01:37

1 Answer


I'm hoping there's a weight or other thing I can assign to each IP to ensure that apps will prefer one IP vs the other.

Set the RTA_PREFSRC attribute on your routes; this will act as a hint for the preferred source IP address when programs do not explicitly bind to one.

  • iproute2:
    ip route add default via 172.31.254.1 src 172.31.254.31
  • systemd-networkd:
    [Route]
    Gateway=172.31.254.1
    PreferredSource=172.31.254.31

Also try marking the address as "deprecated" by setting a zero "preferred lifetime"; this was originally an IPv6-specific attribute (and the trick has been extensively used on hosts that have multiple IPv6 addresses) but I think it has been made to work with IPv4 as well. (A deprecated address is still usable, but will never be chosen by default as long as any non-deprecated addresses are available.)

  • iproute2:
    ip addr add 172.31.254.32/24 dev eth0 preferred_lft 0
  • systemd-networkd:
    [Address]
    Address=172.31.254.32/24
    PreferredLifetime=0

RedHat docs suggest no longer creating a separate interface for each IP.

The separate eth0:0 interfaces are a relic from the Linux 2.2.x era – in current kernels they no longer exist as such, but are merely emulated through the 'label' attribute on IP addresses. Only old tools such as ifconfig would "see" such interfaces, while everything else would still see just a single eth0 with two IP addresses on it.
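
A way to check which source address unbound programs actually get after applying either setting, as an added example that is not part of the original answer. The names `source_for` and `audit`, the expected address and the destination list are assumptions chosen for illustration.

```python
import ipaddress
import socket


def source_for(dest, bind_ip=None, port=9):
    """Return the local address the kernel uses for a socket towards dest.

    connect() on a UDP socket sends no packet; it only performs the route
    lookup and source address selection, which getsockname() then reveals.
    """
    version = ipaddress.ip_address(dest).version
    family = socket.AF_INET6 if version == 6 else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        if bind_ip is not None:
            # An explicit bind takes precedence over the preferred source.
            s.bind((bind_ip, 0))
        s.connect((dest, port))
        return s.getsockname()[0]


def audit(expected_src, destinations):
    """Return (dest, observed) pairs where an unbound socket did not get expected_src."""
    mismatches = []
    for dest in destinations:
        try:
            observed = source_for(dest)
        except OSError as exc:  # e.g. no route to that destination
            observed = "error: " + (exc.strerror or str(exc))
        if observed != expected_src:
            mismatches.append((dest, observed))
    return mismatches


if __name__ == "__main__":
    # Assumed values: the preferred address from the question, the gateway
    # from the answer, and a constructed documentation-range destination
    # that follows the default route.
    EXPECTED_SRC = "172.31.254.31"
    DESTINATIONS = ["172.31.254.1", "192.0.2.10"]
    for dest, observed in audit(EXPECTED_SRC, DESTINATIONS):
        print(f"{dest}: kernel chose {observed}, expected {EXPECTED_SRC}")
```

Destinations inside 172.31.254.0/24 are matched by the connected subnet route rather than the default route, so the list checks one on-link and one off-link destination.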