netdev.vger.kernel.org archive mirror
From: Laszlo Attila Toth <panther@balabit.hu>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org
Subject: Re: [PATCHv8 1/2] Interface group: core and netlink part
Date: Fri, 07 Mar 2008 13:40:11 +0100	[thread overview]
Message-ID: <47D137AB.9040305@balabit.hu> (raw)
In-Reply-To: <20080306.111519.46454329.davem@davemloft.net>

David Miller wrote:
> From: Laszlo Attila Toth <panther@balabit.hu>
> Date: Thu,  6 Mar 2008 15:03:58 +0100
> 
>> Interface groups let different interfaces be handled together.
>> Modifies the net device structure and the netlink interface.
>>
>> Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
> 
> I can't say whether this makes sense without seeing how
> it will actually be used.

The userspace side has two parts; one is in iproute2:

  ip link set dev eth0 group 4

  ip link show dev eth0
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast group 0x04 qlen 1000
     link/ether 00:0c:29:97:52:99 brd ff:ff:ff:ff:ff:ff

This is still nothing special.

Where can it be used? The netfilter part is an ifgroup match:

  iptables -A INPUT -m ifgroup --ifgroup-in 4/0xf ...
  iptables -A OUTPUT -m ifgroup --ifgroup-out 4/0xf ...

Also, multiple devices can be grouped and handled with one rule. Although 
the interfaces can be named as the user wants, that is not always enough 
(I mean, for instance: iptables ... -i ppp+ ...).


Consider the following example (a bit complex, I think): a VPN server 
has many clients, but not all services and networks have to be accessible 
to each client, so an ACL is needed (or the same situation on a 
router with several interfaces). The ifgroup value has 32 bits, so 32 
different rules can be set up. The only necessary thing is for the 
corresponding "if-up" scripts to calculate the value corresponding to 
the ACL list and set this as the ifgroup value for the device. Then, in 
the netfilter rules, access to unneeded services can be rejected with a 
single rule:

   iptables -A PREROUTING -m ifgroup --ifgroup-in 0/0x4 ... -j REJECT ...

Also, the ifgroup match helps iptables rules to be simpler. Without it 
a new chain is necessary, and on every interface change a new rule has to 
be added/removed. If two iptables commands are running, AFAIK a 
concurrency problem can occur, because both iptables commands 
download the ruleset, change it and upload it, but only one of them is 
taken into account.


Another possible use case (I have no patch yet): 
currently the ip command can access information about exactly one device or 
all of them, but a subset of them cannot be selected. With ifgroup this 
problem can be solved, so instead of:

  ip link show dev eth0

use

  ip link show group 3

and so on.


> If that's all it is, userland can record such mappings
> in the filesystem or elsewhere such that multiple
> applications can work with and maintain the relationships.
> There is zero reason to add this bloat to the kernel in
> such a case.

Yeah, without the netfilter rules this would be unnecessary in the 
kernel, but it depends on it.

--
Attila
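The scheme sketched in the reply above (a 32-bit group value per device, an if-up script deriving it from a client's ACL, and a `value/mask` match such as `--ifgroup-in 4/0xf` or `0/0x4`) can be checked offline with the following model. This is an added example, not code from the patch, from iproute2 or from netfilter; the `SERVICE_BITS` bit assignment, the interface table, the rule list and every function name are assumptions made for illustration, and the match semantics modelled are the ones the mail describes: only the bits selected by the mask are compared.

```python
"""Constructed model of the ifgroup scheme sketched in the mail above.

Not code from the patch or from iproute2/netfilter: it reproduces only
the semantics the mail describes (a 32-bit group value per device, a
value/mask match like --ifgroup-in 4/0xf, and an if-up script deriving
the value from a client's ACL) so the bit arithmetic can be checked.
"""

GROUP_BITS = 32
GROUP_MASK = (1 << GROUP_BITS) - 1

# Hypothetical bit assignment: one bit per service a VPN client may reach.
SERVICE_BITS = {"dns": 0, "web": 1, "mail": 2, "lan": 3}


def group_from_acl(allowed):
    """What an if-up script would compute: OR together the bit of every
    permitted service. Unknown services raise KeyError; bits outside the
    32-bit value are rejected."""
    value = 0
    for svc in allowed:
        bit = SERVICE_BITS[svc]
        if not 0 <= bit < GROUP_BITS:
            raise ValueError(f"bit {bit} does not fit a 32-bit group value")
        value |= 1 << bit
    return value


def parse_match(spec):
    """Parse 'value' or 'value/mask' as written after --ifgroup-in/-out.
    A bare value means all bits must match (mask 0xffffffff)."""
    value_s, _, mask_s = spec.partition("/")
    value = int(value_s, 0)
    mask = int(mask_s, 0) if mask_s else GROUP_MASK
    if not (0 <= value <= GROUP_MASK and 0 <= mask <= GROUP_MASK):
        raise ValueError(f"value/mask out of 32-bit range: {spec}")
    return value, mask


def ifgroup_matches(group, spec):
    """The match itself: compare only the bits selected by the mask."""
    value, mask = parse_match(spec)
    return (group & mask) == (value & mask)


def verdict(group, rules, default="ACCEPT"):
    """First-match evaluation of [(spec, target), ...] for one interface."""
    for spec, target in rules:
        if ifgroup_matches(group, spec):
            return target
    return default


def interfaces_in_group(ifaces, spec):
    """Model of the proposed 'ip link show group N': names whose group
    value matches the given value/mask."""
    return sorted(name for name, group in ifaces.items()
                  if ifgroup_matches(group, spec))


# Constructed interface table: two VPN clients with different ACLs and
# one uplink that carries no client bits.
IFACES = {
    "ppp0": group_from_acl(["dns", "web"]),          # 0b0011 = 3
    "ppp1": group_from_acl(["dns", "web", "mail"]),  # 0b0111 = 7
    "eth0": 0,
}

# The single rule from the mail: reject mail traffic arriving on any
# interface whose group value lacks the mail bit (bit 2, mask 0x4).
MAIL_RULES = [("0/0x4", "REJECT")]


def mail_verdicts(ifaces=IFACES, rules=MAIL_RULES):
    """Verdict per interface for the mail-access rule set."""
    return {name: verdict(group, rules) for name, group in ifaces.items()}


if __name__ == "__main__":
    for name, v in mail_verdicts().items():
        print(f"{name}: group 0x{IFACES[name]:02x} -> {v}")
    print("interfaces with the mail bit:", interfaces_in_group(IFACES, "0x4/0x4"))
```

Note that `0/0x4` does not mean "group equals 0"; it matches every device whose bit 2 is clear, which is why one rule covers all clients that are not entitled to the service, and why the uplink with group 0 is caught by it as well unless the rule is further restricted (by chain, protocol or `-i`, as the mail's `...` placeholders leave open).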




Thread overview:
2008-03-06 14:02 [PATCHv8 0/2] Interface group patches, take 8 Laszlo Attila Toth
2008-03-06 14:03 ` [PATCHv8 1/2] Interface group: core and netlink part Laszlo Attila Toth
2008-03-06 19:15   ` David Miller
2008-03-07 12:40     ` Laszlo Attila Toth [this message]
2008-04-03 20:35       ` David Miller
2008-03-06 14:03 ` [PATCHv8 2/2] Ifgroup read/write support in sysfs Laszlo Attila Toth
