Request for comment: new software to manage Linux networking features
Dear Debian developers,
My team has been developing a piece of software for my company since 2004, and
now I plan to release it to the public, hopefully under an open source
license if the management board doesn't object. So I need peer review
from the community of the quality of the software: if it's good
enough for the community, I'll convince the company to release it; if
the quality is not so good, it won't be worth the effort to do the necessary
work to publish it, so I'll just keep it for private use.
In short, I consider my software "an evolution of ifupdown", so the
main part is called "netupdown". The purpose of this software is to be used
on corporate internet gateways. The main features of the software:
* The configuration file is in XML, so netupdown can handle sophisticated
configurations. Editing the XML configuration by hand or by software
is easy and comfortable.
<?xml version="1.0" encoding="utf-8"?>
<config version="1.0" logLevel="debug">
...
</config>
* The configuration syntax is unified and consistent. For example, I
need a VPN tunnel to run on a PPPoE connection, and the computer has more
than one ppp interface. You know, ppp numbers are allocated
automatically, so it's quite troublesome; netupdown solves this problem
because interfaces are referred to by a fixed name, which netupdown
translates into a name that the kernel understands when necessary.
When the PPPoE interface goes down, the openvpn process is killed; when
the PPPoE interface comes up again, netupdown generates a new openvpn
option file based on a template and binds the local IP address to the IP
address of the PPPoE link.
In this case, the configuration is as easy as:
<interface name="fpt1" type="ppp">
<ppp type="pppoe" options="" depend_on="tap1" username="***"
password="***"/>
<network id="11" name="FPT1" auto="1"/>
</interface>
<interface name="tap7" auto="0" type="ethernet" sub_type="openvpn">
<openvpn remote="210.245.87.151" rport="19817" comp="comp-lzo"
depend_on="FPT1"/>
<network id="7" name="TAP" auto="1" config="dhcp"/>
</interface>
* netupdown has a strong dependency system, much like Debian's. When the
system is operating and an internet connection stops working, all the
virtual interfaces that depend on it are killed if there is no alternative,
and the interfaces that depend on the killed ones are killed as well. When
the internet connection comes up again, netupdown rebuilds the
configuration file and starts the virtual interfaces again.
* netupdown is created to serve all the needs of Linux networking. In one
file, people configure not just ordinary ethernet interfaces but also
VLANs, VPNs, ppp, bridges, bonding interfaces, static routes, multipath
routes, firewall, traffic shaping ...
This example shows how to bridge tap11 with eth0, so we have two
interfaces (br0 and tap1) connected to the broadcast domain of eth0
instead of just one (eth0); in my network, this technique is quite useful:
<interface name="br0" auto="1" type="ethernet" sub_type="bridge">
<depend_on name="eth0" value="1"/>
<depend_on name="tap11" value="1"/>
<network id="3" name="DHCP" auto="0" config="dhcp"/>
</interface>
<interface name="eth0" auto="1" type="ethernet">
</interface>
<interface name="tap1" auto="1" type="ethernet" sub_type="openvpn"
hw_addr="xx:xx:xx:xx:xx:xx">
<openvpn remote="127.0.0.1" rport="19821" lport="19811"/>
</interface>
<interface name="tap11" auto="1" type="ethernet" sub_type="openvpn">
<openvpn remote="127.0.0.1" rport="19811" lport="19821"/>
</interface>
* netupdown is made for computers with multiple connections to the
internet (for example, two DSLs to two different ISPs). Actually, the
most notable case is that it serves networking on an enterprise internet
gateway with 10 DSLs and 1 fiber connection, and the bit rate is excellent.
This rule makes a simple multipath route over two interfaces; the
internal mechanism of netupdown also does the job of iptables connmark rules
and iproute2 policy routing to make multipath routing work correctly.
<mroute id="60" name="default">
<group>
<nexthop route="FPT1" weight="2"/>
<nexthop route="DHCP" weight="1"/>
</group>
</mroute>
* netupdown pairs with routeskeeper, a daemon using the Perl POE
non-blocking IO framework to check the availability of connections. Each
route can have multiple tests (using ping and TCP connect to a remote
host); when a defined percentage of tests fail, the daemon brings down
the route so new connections don't go into the black hole but go to
still-functional connections instead. This feature keeps the user happy because
the downtime is minimal.
This sample configuration defines a set of 3 tests, used for all internet
connections of the computer; the number of tests can be large, lowering
the false negatives. We can also define the interval of each test, and many
other parameters, but I don't mention them all here.
<route name="*">
<test name="PING-google" type="connect" location="gg.gg.gg.gg"/>
<test name="CONNECT-yahoo" type="connect" location="yy.yy.yy.yy:80"/>
<test name="CONNECT-kernel" type="connect" location="kk.kk.kk.kk:80"/>
</route>
* Another component of my software, still under development, uses
the netfilter netlink socket to watch the conntrack table and
log all connections to a database; it's useful for security auditing.
* The internal variables are stored in /var/run/netupdown/runtime.env so
other programs and scripts can read them easily; each state such as
.up_wanted or .up has a timestamp recording the moment when it happened.
.Initialized=1203133517
i.br0.configured=1203133518
i.br0.dev=br0
i.br0.explicit=1
i.br0.hw_addr=00:0f:xx:xx:xx:xx
i.br0.up=1203133518
i.br0.up_wanted=1203133518
i.fpt1.configured=1203133596
i.fpt1.dev=ppp0
i.fpt1.explicit=1
i.fpt1.hw_addr=ppp0
i.fpt1.up=1203133596
i.fpt1.up_wanted=1203133575
i.eth0.busy=1203133518
i.eth0.configured=1203133517
i.eth0.dev=eth0
i.eth0.hw_addr=00:0f:xx:xx:xx:xx
i.eth0.up=1203133518
i.eth0.up_wanted=1203133517
i.tap1.configured=1203133553
i.tap1.dev=tap1
i.tap1.explicit=1
i.tap1.hw_addr=00:13:xx:xx:xx:xx
i.tap1.up=1203133553
i.tap1.up_wanted=1203133551
i.tap11.busy=br0
i.tap11.configured=1203133552
i.tap11.dev=tap11
i.tap11.hw_addr=00:ff:xx:xx:xx:xx
i.tap11.up=1203133552
i.tap11.up_wanted=1203133517
mr.default.working_group=1
n.FPT1.dns1=210.245.0.11
n.FPT1.dns2=210.245.86.11
n.FPT1.gw_addr=210.245.0.45
n.FPT1.interface_depend_on=1
n.FPT1.ip_addr=58.187.xx.xx
n.FPT1.mask=255.255.255.255
n.FPT1.mask_len=32
n.FPT1.network_addr=58.187.xx.xx/32
n.FPT1.route_list=FPT1;FPT1,dns
n.FPT1.up=1203133596
n.FPT1.up_wanted=1203133596
r.FPT1,dns.network_name=FPT1
r.FPT1,dns.to=210.245.0.11
r.FPT1,dns.up=1203133596
r.FPT1,dns.via=210.245.0.45
r.FPT1.network_name=FPT1
r.FPT1.up=1203133596
r.FPT1.up_wanted=1203133596
r.FPT1.via=210.245.0.45
After reading this brief overview of my software, please give me your
opinions:
1. What is the quality of the idea (1 star to 5 stars)?
2. What is the quality of the source code (1 to 5)?
3. Your other comments
I also attach the source code to this email so you can review it if
interested. It's not yet approved for release under an open source
license, but it's available for education/research/review use.
Best regards,
Nam
PS: I sent an email to this mailing list but it didn't appear,
perhaps because of the attachment, so I'm posting the links instead:
http://routeskeeper.com/namnd/generalgateway/generalgateway_2.1.2_i386.deb
http://routeskeeper.com/namnd/generalgateway/generalgateway_2.1.2.tar.gz
Example of an "/etc/network/config.xml"
http://routeskeeper.com/namnd/generalgateway/config.xml
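The following is an added example, not part of the post above and not netupdown's own code. It takes a cut-down config.xml and runtime.env assembled from the fragments in the post and shows three things the post describes in prose: how a logical name such as fpt1 is translated to the kernel's ppp0 via runtime.env, how the dependency graph (depend_on on <ppp>, <openvpn> and <depend_on> elements, including dependencies that name a <network> such as FPT1) yields the transitive set of interfaces to bring down when an uplink fails, and how an <mroute> group can be rendered as an iproute2 multipath route that omits members whose link is down. The function names, the n.DHCP.gw_addr value 192.0.2.1 (absent from the post's dump) and the exact `ip route replace` rendering are this example's assumptions; the connmark and policy-routing rules the post mentions are not modelled.

```python
import xml.etree.ElementTree as ET
from collections import deque

# Constructed input: a cut-down config.xml assembled from the post's fragments
# (eth0, pppoe link fpt1 carrying network FPT1, tap7 over FPT1, br0 bridging
# eth0 and tap11, the two loopback openvpn taps, and the multipath group).
CONFIG_XML = """<config version="1.0" logLevel="debug">
  <interface name="eth0" auto="1" type="ethernet"/>
  <interface name="fpt1" type="ppp">
    <ppp type="pppoe" options="" depend_on="tap1" username="***" password="***"/>
    <network id="11" name="FPT1" auto="1"/>
  </interface>
  <interface name="tap7" auto="0" type="ethernet" sub_type="openvpn">
    <openvpn remote="210.245.87.151" rport="19817" comp="comp-lzo" depend_on="FPT1"/>
    <network id="7" name="TAP" auto="1" config="dhcp"/>
  </interface>
  <interface name="br0" auto="1" type="ethernet" sub_type="bridge">
    <depend_on name="eth0" value="1"/>
    <depend_on name="tap11" value="1"/>
    <network id="3" name="DHCP" auto="0" config="dhcp"/>
  </interface>
  <interface name="tap1" auto="1" type="ethernet" sub_type="openvpn"/>
  <interface name="tap11" auto="1" type="ethernet" sub_type="openvpn"/>
  <mroute id="60" name="default">
    <group>
      <nexthop route="FPT1" weight="2"/>
      <nexthop route="DHCP" weight="1"/>
    </group>
  </mroute>
</config>"""

# Constructed runtime.env: keys as in the post's dump; the DHCP gateway
# (192.0.2.1) is made up because the dump does not show n.DHCP.* entries.
RUNTIME_ENV = """i.eth0.dev=eth0
i.fpt1.dev=ppp0
i.br0.dev=br0
i.tap1.dev=tap1
i.tap11.dev=tap11
n.FPT1.gw_addr=210.245.0.45
n.DHCP.gw_addr=192.0.2.1"""


def parse_env(text):
    """runtime.env is flat key=value; values are device names, addresses or epoch stamps."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            env[key.strip()] = value.strip()
    return env


def parse_config(xml_text):
    """Return (deps, net_to_iface, mroutes); deps is interface -> interfaces it needs."""
    root = ET.fromstring(xml_text)
    net_to_iface, raw, mroutes = {}, {}, {}
    for iface in root.iter("interface"):
        name, wants = iface.get("name"), set()
        for child in iface:
            if child.tag == "network":
                net_to_iface[child.get("name")] = name
            elif child.tag == "depend_on" and child.get("value") == "1":
                wants.add(child.get("name"))
            elif child.get("depend_on"):      # <ppp depend_on=..>, <openvpn depend_on=..>
                wants.add(child.get("depend_on"))
        raw[name] = wants
    for mr in root.iter("mroute"):
        mroutes[mr.get("name")] = [(nh.get("route"), nh.get("weight"))
                                   for nh in mr.iter("nexthop")]
    # A dependency may name a <network> (tap7 -> "FPT1"); fold it back to the
    # interface carrying that network so the graph is interface-to-interface.
    deps = {i: {net_to_iface.get(d, d) for d in w} for i, w in raw.items()}
    return deps, net_to_iface, mroutes


def cascade_down(deps, failed):
    """Interfaces to bring down when `failed` goes away: all transitive dependents."""
    reverse = {}
    for iface, wants in deps.items():
        for w in wants:
            reverse.setdefault(w, set()).add(iface)
    down, queue = set(), deque([failed])
    while queue:
        for dep in reverse.get(queue.popleft(), ()):
            if dep not in down:
                down.add(dep)
                queue.append(dep)
    return down


def kernel_dev(env, logical):
    """The config says fpt1; the kernel allocated ppp0. runtime.env holds the mapping."""
    return env[f"i.{logical}.dev"]


def multipath_cmd(env, net_to_iface, mroutes, name="default"):
    """Render an <mroute> group as one iproute2 multipath route, dropping nexthops
    whose network has no gateway in runtime.env (link down); None if none usable."""
    hops = []
    for net, weight in mroutes.get(name, []):
        gw = env.get(f"n.{net}.gw_addr")
        if not gw:
            continue
        hops.append(f"nexthop via {gw} dev {kernel_dev(env, net_to_iface[net])} weight {weight}")
    return f"ip route replace {name} scope global " + " ".join(hops) if hops else None
```

With these inputs, `cascade_down(deps, "tap1")` returns fpt1 and tap7 (the pppoe link rides on tap1, and tap7's tunnel rides on FPT1), while `multipath_cmd` emits a two-nexthop default route and, once n.FPT1.gw_addr disappears from the environment, a single-nexthop route over br0; the "no alternative" rule for multipath members is left to the caller, which should consult the remaining nexthops before cascading a kill.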