
Re: Common place to keep subnet address/size information?



On Fri, Apr 27, 2007 at 10:27:23AM +0200, Petter Reinholdtsen wrote:
> 
> In Debian Edu, we provide an out-of-the-box pre-configured network
> solution for schools.  We hard code the IP subnet used, to be able to
> configure all the services we want to have working out of the box.  We
> want to avoid hard coding the IP addresses and IP subnet, but found no
> other way to get it working.  This email documents an idea on how to
> avoid this hard coding.
> 
> At the moment, very few services need subnet information.  It is
> squid, sysklogd, cfengine (cfservd), dhcpd and bind.  The first three
> need to have a subnet access limit, and we currently hardcode it to
> 10.0.2.0/255.255.254.0 or 10.0.2.0/23, depending on the supported
> notation.  It would be better if we could use a symbolic name, and
> store the subnet IP address in a common location, thus making it
> easier to change the IP subnet used.
> 
> One obvious solution would be to use /etc/networks, and rewrite squid,
> sysklogd and cfservd to use information in this file.  The problem is
> only that getnetent() and friends only support the classic A, B and C
> subnets, aka /8, /16 and /24.  Would it be possible to extend
> /etc/networks to support any subnet size?  I guess the easiest way to
> do this would be to extend the 'number' part of the file to support
> the slash notation.  It should be backwards compatible, as the
> original POSIX notation only allows digits and dots in this field.
> 
> Is this a good idea?  How would glibc have to change to handle this?

  It's not doable, because the POSIX getnetent answers in a struct
netent that cannot store the netmask, a simple getnetent(3) has the
answer. And that's the reason why it can only store A/B/C class
networks, because 128.12.0.0/16 is in fact stored as 128.12.0.0 and 0
is assumed to be a wildcard, hence a network group.

  So well, you can try to fight against POSIX, some tried, we don't have
any news from them since :)

> Are there any other options available for us to avoid hard coding IP
> subnet information in the squid, sysklogd and cfservd configuration
> files?

  Well, don't all those daemons use /etc/hosts.{allow,deny} ?

  I know it's not *exactly* what you wanted, but afaict hosts.* are way
more flexible. Iptables could also help to achieve similar purposes in a
more generic way.

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
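To make the two sides of the thread concrete, here is an added example (not code from either poster, glibc or Debian Edu) of what the proposed extension would look like in practice: a small parser for /etc/networks lines that accepts the "name number/prefix" form Petter suggests while still reading classic classful entries, plus the membership check a daemon like squid or cfservd would need for an access limit. Because the real struct netent has no field for a netmask, the example keeps its own struct; the database text, the names `netent_cidr`, `parse_networks_line`, `getnetbyname_cidr` and `addr_in_net`, and the choices that a number without a slash gets its class A/B/C prefix (0.0.0.0 gets /0) are all assumptions made for the illustration.

```c
/* Added example, not part of the thread: /etc/networks with an optional
 * "/prefix" suffix on the network number, backwards compatible with the
 * classic classful entries. Uses its own struct because struct netent has
 * no room for a mask. All names and the sample database are assumptions. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct netent_cidr {
    char     name[64];
    uint32_t net;     /* network number, host byte order (like n_net) */
    int      prefix;  /* prefix length; classful if no '/' was given */
};

/* Constructed sample database (not a real file). */
const char *constructed_networks =
    "# constructed sample of an extended /etc/networks\n"
    "default      0.0.0.0\n"
    "loopback     127.0.0.0\n"
    "link-local   169.254.0.0\n"
    "debian-edu   10.0.2.0/23   # the subnet the thread hardcodes\n"
    "backbone     10.0.0.0/16\n";

static uint32_t prefix_mask(int prefix)
{
    return prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
}

/* Dotted number; omitted trailing octets are zero ("10.0.2" == 10.0.2.0). */
static int parse_net_number(const char *s, uint32_t *out)
{
    uint32_t v = 0;
    int octets = 0;
    for (const char *p = s; ; ) {
        char *end;
        unsigned long o = strtoul(p, &end, 10);
        if (end == p || o > 255 || ++octets > 4) return -1;
        v = (v << 8) | (uint32_t)o;
        if (*end == '\0') break;
        if (*end != '.' || end[1] == '\0') return -1;
        p = end + 1;
    }
    *out = v << (8 * (4 - octets));
    return 0;
}

/* Classic interpretation: the leading bits select the class and so the size. */
static int classful_prefix(uint32_t net)
{
    if (net == 0)                           return 0;   /* "default" */
    if ((net & 0x80000000u) == 0)           return 8;   /* class A */
    if ((net & 0xC0000000u) == 0x80000000u) return 16;  /* class B */
    if ((net & 0xE0000000u) == 0xC0000000u) return 24;  /* class C */
    return -1;                                          /* D/E: not a network */
}

/* One line: "name number[/prefix] [aliases] [# comment]".
 * Returns 1 for an entry, 0 for a blank/comment line, -1 on a bad entry. */
int parse_networks_line(const char *line, struct netent_cidr *e)
{
    char buf[256], name[64], num[64];
    snprintf(buf, sizeof buf, "%s", line);
    char *hash = strchr(buf, '#');
    if (hash) *hash = '\0';
    int n = sscanf(buf, "%63s %63s", name, num);
    if (n <= 0) return 0;
    if (n == 1) return -1;

    int prefix = -1;
    char *slash = strchr(num, '/');
    if (slash) {                       /* the proposed extension */
        char *end;
        unsigned long p = strtoul(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || p > 32) return -1;
        prefix = (int)p;
        *slash = '\0';
    }
    uint32_t net;
    if (parse_net_number(num, &net) != 0) return -1;
    if (prefix < 0) prefix = classful_prefix(net);
    if (prefix < 0) return -1;
    if (net & ~prefix_mask(prefix)) return -1;  /* host bits set: e.g. 10.0.3.0/23 */
    snprintf(e->name, sizeof e->name, "%s", name);
    e->net = net;
    e->prefix = prefix;
    return 1;
}

/* getnetbyname(3)-style lookup over the in-memory database text. */
int getnetbyname_cidr(const char *db, const char *name, struct netent_cidr *e)
{
    for (const char *p = db; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) return 0;
        memcpy(line, p, len);
        line[len] = '\0';
        struct netent_cidr tmp;
        if (parse_networks_line(line, &tmp) == 1 && strcmp(tmp.name, name) == 0) {
            *e = tmp;
            return 1;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

/* The access-limit check a daemon would do: 1 inside, 0 outside, -1 on error. */
int addr_in_net(const char *db, const char *name, const char *addr)
{
    struct netent_cidr e;
    struct in_addr a;
    if (!getnetbyname_cidr(db, name, &e) || inet_pton(AF_INET, addr, &a) != 1)
        return -1;
    return (ntohl(a.s_addr) & prefix_mask(e.prefix)) == e.net;
}

int main(void)
{
    const char *probe[] = { "10.0.2.1", "10.0.3.254", "10.0.4.1", "127.0.0.1" };
    for (size_t i = 0; i < sizeof probe / sizeof *probe; i++)
        printf("%-11s in debian-edu: %d\n", probe[i],
               addr_in_net(constructed_networks, "debian-edu", probe[i]));
    return 0;
}
```

Note what the classful fallback does with an entry such as "x 10.0.2" and no slash: the number is read as class A, the non-zero third octet is then a host bit, and the line is rejected. That is the limitation Pierre describes from the other direction: without a place to carry the prefix, a /23 out of 10/8 simply cannot be expressed.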


