Re: [patch] RFC: matching interface groups

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Stephen Hemminger <shemminger@osdl.org>
To: Balazs Scheidler <bazsi@balabit.hu>
Cc: netdev@vger.kernel.org, netfilter-devel@lists.netfilter.org
Subject: Re: [patch] RFC: matching interface groups
Date: Tue, 1 Aug 2006 11:29:19 -0700	[thread overview]
Message-ID: <20060801112919.765eb831@localhost.localdomain> (raw)
In-Reply-To: <1154452209.6395.77.camel@bzorp.balabit>

On Tue, 01 Aug 2006 19:10:09 +0200
Balazs Scheidler <bazsi@balabit.hu> wrote:

> Hi,
> 
> I would like to easily match a set of dynamically created interfaces
> from my packet filter rules. The attached patch forms the basis of my
> implementation and I would like to know whether something like this is
> mergeable to mainline.
> 
> The use-case is as follows:
> 
> * I have two different subsystems creating interfaces dynamically (for
> example pptpd and serial pppd lines, each creating dynamic pppX
> interfaces),
> * I would like to assign a different set of iptables rules for these
> clients,
> * I would like to react to a new interface being added to a specific set
> in a userspace application,
> 
> The reasons I see this needs new kernel functionality:
> 
> * iptables supports wildcard interface matching (for example "iptables
> -i ppp+"), but as the names of the interfaces used by PPTPD and PPPD
> cannot be distinguished this way, this is not enough,
> * Reloading the iptables ruleset everytime a new interface comes up is
> not really feasible, as it abrupts packet processing, and validating the
> ruleset in the kernel can take significant amount of time,
> * the kernel change is very simple, adapting userspace to this change is
> also very simple, and in userspace various software packages can easily
> interoperate with each-other once this is merged.
> 
> The implementation:
> 
> Each interface can belong to a single "group" at a time, an interface
> comes up without being a member in any of the groups.
> 
> Userspace can assign interfaces to groups after being created, this
> would typically be performed in /etc/ppp/ip-up.d (and similar) scripts.
> 
> In spirit "interface group" is somewhat similar to the "routing
> protocol" field for routing entries, which contains information on which
> routing daemon was responsible for adding the given route entry.
> 
> Things to be done if you like this approach:
> 
> * interface group match in iptables,
> * support for naming interface groups in userspace, a'la routing
> protocols,
> * emitting a netlink notification when the group of an interface
> changes,
> * possibly converting the "ip link" command to use NETLINK messages,
> instead of using ioctl()
> 
> What do you think?

I like the concept, but it probably needs more review.

There is a bigger issue, which is how should the network device namespace
exist? There are virtualization efforts, that want to virtualize it,
and network device names have always lived in a parallel universe.
I don't expect your patch to solve this...

next prev parent reply	other threads:[~2006-08-01 18:29 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-08-01 17:10 [patch] RFC: matching interface groups Balazs Scheidler
2006-08-01 18:29 ` Stephen Hemminger [this message]
2006-08-02  7:18   ` Balazs Scheidler
2006-08-01 18:46 ` Phil Oester
2006-08-01 19:18   ` Sven Schuster
2006-08-02  7:04     ` Balazs Scheidler
2006-08-02  9:01       ` Amin Azez
2006-08-03 12:57       ` Gerd v. Egidy
2006-08-03  4:08 ` Stephen J. Bevan
2006-08-03 19:08   ` Balazs Scheidler
2006-08-04 10:06 ` Patrick McHardy
2006-08-07 11:44   ` Balazs Scheidler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20060801112919.765eb831@localhost.localdomain \
    --to=shemminger@osdl.org \
    --cc=bazsi@balabit.hu \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.