dCache / dcache

dCache - a system for storing and retrieving huge amounts of data, distributed among a large number of heterogeneous server nodes, under a single virtual filesystem tree with a variety of standard access methods
https://dcache.org

dcache.net.allowed-subnets #3734

Open calestyo opened 6 years ago

calestyo commented 6 years ago

Hi.

The docs for dcache.net.allowed-subnet don't say what this does when left empty?! I blindly assume it allows everything... but the text would rather imply it forbids everything:

Clients connecting from IP addresses outside these subnets are rejected.

I.e. if left empty, there is no subnet specified, so all are outside of them.

Cheers, Chris.

calestyo commented 6 years ago

Oh and one more:

Setting this property restricts unencrypted cell communication originating from satellite domains within the allowed subnets.

I'm not a native English speaker, but that doesn't seem fully clear, i.e. the "restricts... from... within". My guess is that plain cell messaging (i.e. non-TLS) is only allowed from IPs within the subnets of the property, while TLS cell messaging is allowed from all. But then it should rather read like: only allows unencrypted cell communication originating from satellite domains within/from the allowed subnets.

The current text with the "restricts" seems to semantically mean the opposite... i.e. restricting (not allowing) plain cell messages from domains within the subnet.

paulmillar commented 6 years ago

Hi Chris,

Thanks for reporting this. We'll fix it as soon as possible.

Cheers,

Paul.

calestyo commented 6 years ago

I can make a PR, if that helps you.. and if (as I assumed) the empty value means all nets allowed.

paulmillar commented 6 years ago

Correct: an empty subnet is treated as a special case, allowing any clients to connect.
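
The semantics settled in this thread, modelled as an added example (not dCache code and not written by either commenter): a non-empty list rejects clients outside the listed subnets, while an empty value is the special case that lets any client connect. The function names, the comma/whitespace-separated value format and the sample addresses are assumptions made for this illustration.

```python
import ipaddress


def parse_subnets(value):
    """Parse a property value into network objects.

    Assumption: entries are separated by commas and/or whitespace.
    """
    return [ipaddress.ip_network(item, strict=False)
            for item in value.replace(",", " ").split()]


def is_allowed(client_ip, subnets):
    """Apply the rule as clarified in the thread.

    Empty list -> special case, every client is allowed.
    Otherwise  -> the client must fall inside at least one subnet.
    """
    if not subnets:
        return True
    addr = ipaddress.ip_address(client_ip)
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(addr in net for net in subnets)


def review(value):
    """Return the warnings a config reviewer would raise for a value."""
    subnets = parse_subnets(value)
    if not subnets:
        return ["empty value: no restriction, any client may connect"]
    return [f"{net}: matches every IPv{net.version} address"
            for net in subnets if net.prefixlen == 0]


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    configured = "192.0.2.0/24, 2001:db8::/32"
    nets = parse_subnets(configured)
    for ip in ("192.0.2.17", "198.51.100.5", "2001:db8::1"):
        print(ip, "allowed" if is_allowed(ip, nets) else "rejected")
    print("empty value:", review(""))
```
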