[rock-linux] Proposal for ROCKNET

ROCK Mailing List Archives

Attachments
Entire message
+ (text/plain)
Author: Clifford Wolf
Date:  
To: ROCK Linux Mailing List
Subject: [rock-linux] Proposal for ROCKNET

Proposal for ROCKNET - Clifford Wolf, 2003-09-30
==================================================


Abstract
--------

Thanks to SMP for bringing the topic up in the first place.

The following is my personal proposal for the next generation ROCK Linux
network configuration. It's a request for comments - so please send your
opinions and comments..

Nothing of the following is implemented yet. So we are very open for any
kind of discussion.

The idea of ROCKNET is to make the network configuration more flexible and
allow integration of simple firewalling rules, multiple interfaces, multiple
IPs per interface and multiple profiles. It should be easy to setup very
complex and very simple setups, should "feel good" when working directly
with an ASCII editor on the config files and should be easy to integrate in
a more or less colored configuration GUI (such as stone).


Configuration File
------------------

The network configuration is stored in /etc/network/config. All filenames
in this file are relative to /etc/network/ if they don't begin with a slash.

An example /etc/network/config follows:

        auto eth0 eth1
        forward

        interface eth0
                ip 192.168.1.1/24
                ip 192.168.2.1/24

        interface eth1
                ip 192.168.100.99/24
                gw 192.168.100.1

Or another /etc/network/config:

        auto eth0

        interface eth0
                dhcp
                script dyndns.sh                # update dyndns
                allow ip 10.10.0.0/24                # office
                allow ip 192.168.0.0/24                # home
                allow tcp 80                        # webserver is open
                deny all

Or one using profiles:

        auto eth0 eth1(office)

        interface eth0(home)
                ip 192.168.69.15/24

        interface eth0(office)
                allow ip 10.10.0.0/16 tcp ssh
                deny all
                dhcp

        interface eth0
                deny all
                dhcp

        interface eth1
                deny all
                dhcp

So there are commands with optional parameter lists. The following commands
are allowed in the config file:

auto
        Lists those interfaces which should be set up automatically at
        boot up (list evaluated from left to right) and shut down on system
        shutdown (from right to left). All interfaces not listed here must
        be set up or shut down manually using 'ifup' and 'ifdown'.
        Must be used before the first 'interface' directive.

forward
        If used, forwarding between interfaces will be activated at boot up
        and the host may be used as gateway between two networks.
        Must be used before the first 'interface' directive.

interface
        Everything after that statement and before the next interface statement
        is the configuration for that specific interface. All directives within
        an interface section are executed from the first to the last when
        setting up the interface and the reversed order when shutting it down.

dhcp
        Configure the interface using the DHCP protocol.

script
        Execute the specified script with the given parameters. The parameter
        "up" is inserted as first parameter when the interface is set up and
        the parameter "down" is inserted when the interface is shut down.

ip, gw
        Set the given ip(s) and gateway when the interface is set up, remove
        all IPs from the interface when the interface is shut down.

allow, deny
        Add the given simple firewalling rules. Those statements are executed
        before the other statements in the interface section when setting up
        the interface and are executed after the other statements when
        shutting down the interface. See section "Simple Firewall" below for
        details.


Profiles
--------

Interface names in the 'auto' and the 'interface' statement can be followed
by a coma-separated list of profile names in parentheses.

In case of the 'auto' statement, only those interfaces are used which do
have the current profile specified or no profile at all.

In case of the 'interface' statement, an interface section which explicitly
refers to the current profile is used in favor of an interface section with
no profiles specified.

An non-existing interface section will be handled as it would be an empty
interface section. Empty interface sections are silently ignored by "ifup"
and "ifdown".

The current profile is stored in /etc/network/profile.


Command-line Tools
------------------

There are two simple command line tools for working with ROCKNET: "ifup"
and "ifdown". The first parameter is the name of the interface which should
be set up, the second parameter (which is optional) is the profile name to be
used while reading the configuration. If the 2nd parameter is missing, the
content of /etc/network/profile is used.


Simple Firewall
---------------

When there are any 'allow' or 'deny' statements in an interface section, the
ifup script automatically adds a chain named 'simple-firewall-<ifname>' to
the iptables 'filter' table and links that chain into the INPUT chain using
the incoming interface as condition.

All 'allow' and 'deny' statements add rules to that chain. 'Allow' links
to the netfilter 'ACCEPT' target and 'deny' to the netfilter 'REJECT' (and
not 'DROP') target.

When shutting down the interface, the chain 'simple-firewall-<ifname>' is
simply flushed and removed from the iptables configuration.


Tricking with pseudo-interfaces
-------------------------------

It's possible to define non-existing interfaces such as 'iptables' in the
configuration file. It would result to errors if e.g. the 'ip' statement
would be used in those interface sections - but it is possible to use the
'script' statement in those pseudo-interfaces and so e.g. link a complex
firewall setup into the ROCKNET framework.


Compatibility
-------------

The program names "ifup" and "ifdown" are used on many distributions for small
helpers to set up or shut down interfaces.

The file /etc/network/config has a very similar "feeling" as debians
/etc/network/interfaces and so it should be pretty easy especially for debian
users to get used to ROCK Linux based distributions network configuration.

The whole thing is very different from RedHats /etc/sysconfig/network/ and is
likely to also be different from whatever SuSE is using for the same purpose.


-- 
| Clifford Wolf /-----=[ www.clifford.at ]==[ Tel: +43-699-10063494 ]=-\
|--------------/ diestartseite.at vocat.cc =[ Fax: +43-2235-42788-4 ]=-|
|-=[ EDEN Creations -- www.edenevents.at ]==[ IRC: www.freenode.net ]=-|
\==[ www.rocklinux.org ]===[ www.rocklinux.net ]===[ www.linbit.com ]==/

2B OR (NOT 2B) That is the question. The answer is FF.

-- 
To unsubscribe from this list: send a mail with the subject "unsubscribe
rock-linux" to <>. For more information about ROCK
Linux have a look at <http://www.rocklinux.org/>.