Skip to main content

Some kernel hacking

After some time I needed to do some kernel coding again. To seamlessly support dynamically created interfaces in Zorp, we need something I called "interface groups".

Each interface might belong to a single group that basically describes how the interface was created. For instance there's an interface group for each PPP profile, but an interface group can encapsulate interfaces created by PPTPD.

It is quite difficult to match dynamic interfaces by their nature: iptables sports wildcard interface name matching with the '+' character but it only works if interface names have some kind of prefix _AND_ if you don't want to differentiate between two groups.

If you have two sets of PPP devices (like in the example I described above), then you have no way to create a separate ruleset, unless you reload iptables everytime a new interface is added to the system.

Adding to the burden, in Zorp we want to be able to bind a service to these dynamically created interfaces, of course without listing the actual IP address in the configuration file.

The idea is simple, I added an "interface group ID" to the net_device struct, and an option to the "ip link" command to set/query this ID. Once an interface is created by some kind of program (for instance pppd), a script is executed in its /etc/ppp/ip-up.d directory and userspace can assign a group ID based on the PPP profile name. Then Zorp gets notified about the change through NETLINK and can react by binding to the IP address of the new interface. The configuration remains static, no reloading needs to be done when such a change happens, and you can create firewall policies for something like: please allow this set of services for everyone using this PPP profile, without entering one specific IP address to the configuration. Neat, eh?

I posted my work on netdev and netfilter-devel, I'm curious what the kernel maintainers will think about it.

Comments

Anonymous said…
Good Idea. Sounds cool.

Popular posts from this blog

syslog-ng fun with performance

I like christmas for a number of reasons: in addition to the traditional "meet and have fun with your family", eat lots of delicious food and so on, I like it because this is the season of the year when I have some time to do whatever I feel like. This year I felt like doing some syslog-ng performance analysis. After reading Ulrich Deppert's series about stuff "What every programmer should know about memory" on LWN, I thought I'm more than prepared to improve syslog-ng performance. Before going any further, I'd recommend this reading to any programmer, it's a bit long but every second reading it is worth it. As you need to measure performance in order to improve it, I wrote a tool called "loggen". This program generates messages messages at a user-specifyable rate. Apart from the git repository you can get this tool from the latest syslog-ng snapshots. Loggen supports TCP, UDP and UNIX domain sockets, so really almost everything can be me...

syslog-ng contributions redefined

syslog-ng has been around for about 12 years now, but I think the biggest change in the project's life is imminent: with the upcoming release of syslog-ng OSE 3.2, syslog-ng will become an independent entity. Until now, syslog-ng was primarily maintained & developed by BalaBit, copyrights needed to be reassigned in order to grant BalaBit special privileges. BalaBit used her privileges to create a dual-licensed fork of syslog-ng, named "syslog-ng Premium Edition". The value we offer over the Open Source Edition of syslog-ng are things that larger enterprises require: support on a large number of UNIX platforms (27 as of 3.1), smaller and larger feature differences (like the encrypted/digitally signed logfile feature) better test coverage and release management longer term support Although perfectly legal, this business model was not welcome in various Free Software communities, and has caused friction and harm, because BalaBit has enjoyed a privilege that no others cou...

An introduction to db-parser()

As promised on the mailing list here comes a short description of the new db-parser functionality of syslog-ng. For an introduction to parsers in general see my previous blog post here . The aim for db-parser is two-fold: extract interesting information from a log message attach tags to a log message for later classification. For instance here's a log sample (lines broken for readability): Feb 24 11:55:22 bzorp sshd[4376]: Accepted password for bazsi \ from 10.50.0.247 port 42156 ssh2 This message states that a user named "bazsi" has logged into the host named "bzorp" using SSH2 from the quoted IP and port. When you read this message as a human, the event that happened is perfectly clear. However if it is not a human, but a piece of software that has to make out the meaning of the message, you need to identify the event (e.g. that a user login has happened) and the additional information associated with the event (e.g. that he used 10.50.0.247 as the cl...