Bind outbound connection to address from configuration

[ybubnov]

For security reasons it would be great to support such feature as
binding outbound address, so nsqd could be firewalled on accepting
certain addresses, that reasonable in case when nsq-consumers or
producers are placed on machines with multiple interfaces.

[mreiferson]

I'm not necessarily opposed to this change but can't this be addressed outside of go-nsq by configuring routing tables?

[twmb]

This will try to bind all outgoing connections to the same address. Unless I'm mistaken, if you set LocalAddr, this will fail when you have more than one server you're trying to connect to, as this will try to open two connections with the same source addr.

[ybubnov]

mreiferson, imagine machine with two NICs, when you start nsq listener or consumer, ip address of which NIC they will use? The answer is unpredictable, probably, it's possible to solve issue with iptables and masquerading of all outgoing ip addresses, but it's tricky, isn't it?

twmb, if you look into consumer.go you will find out, that it uses map of connections, where key is address of nsq daemon, so you can easily connect to multiple servers. Either, if you will use LocalAddr with port equal to 0, like config.Set("local_addr", "127.0.0.1:0") os find a free one and bind your client to that address, so there is no problems with multiple connections (they all will use different endpoints).

[twmb]

Cool, I hadn't read that yet. This looks fine to me other than binded should be bound in error messages. I'd change ConnTimeout to DialTimeout as the timeout is only used in dialing.

[ybubnov]

Thanks, fixed.

[mreiferson]

mreiferson, imagine machine with two NICs, when you start nsq listener or consumer, ip address of which NIC they will use? The answer is unpredictable, probably, it's possible to solve issue with iptables and masquerading of all outgoing ip addresses, but it's tricky, isn't it?

Still feels wrong to me. I don't disagree that this patch addresses the issue, my concern is that this approach implies that all of the client libraries need a similar patch whereas, if you handled this at the networking layer, it would apply to anything connecting to nsqd.

Curious to hear @jehiah's thoughts...

[ybubnov]

If you leave LocalAddr parameter equals to nil clients would behave the same as before. It's an option, not a requirement.

http://golang.org/pkg/net/#Dialer

[jehiah]

certainly won't be needed in most cases but i'm fine exposing this. 👍

[mreiferson]

alright alright

[mreiferson]

let's not shadow v here (and all the other instances below)

[ybubnov]

it's golang idiom - reuse name of variables in a type switch statements
https://golang.org/doc/effective_go.html#type_switch

[mreiferson]

TIL - thanks!

[mreiferson]

@yashkin thanks, would you mind squashing down to one commit and we'll merge?