Re: Common place to keep subnet address/size information?
On Fri, Apr 27, 2007 at 01:20:02PM +0200, Petter Reinholdtsen wrote:
> [Pierre Habouzit]
> > It's not doable, because the POSIX getnetent answers in a struct
> > getent that cannot store the netmask, a simple getnetent(3) has the
> > answer. And that's the reason why it can only store A/B/C class
> > networks, because 128.12.0.0/16 is in fact stored as 128.12.0.0 and 0
> > is assumed to be a wildcard, hence a network group.
> >
> > So well, you can try to fight against POSIX, some tried, we don't have
> > any news from them since :)
>
> Sure, I am aware that the POSIX definitions need to change for this to
> work. And I suspect it is a good idea, as the current netent family
> of functions are useless for most settings, at least here at the
> university where most networks are not /8, /16 nor /24. :)

Well, you won't change APIs as old as that; you can add new ones, but
don't count on that IMHO :)

> Do you have any information about the previous tries? I guess a
> defect report to the Austin group is a good place to start.

That was just a joke.

> Did anyone submit such a report yet?
>
> > I know it's not *exactly* what you wanted, but afaict hosts.* are
> > way more flexible. Iptables could also help to achieve similar
> > purposes in a more generic way.
>
> This is in fact a very good idea, as it is a lot easier to implement.
> Thank you!

You're welcome.

--
·O·  Pierre Habouzit
··O  [EMAIL PROTECTED]
OOO  http://www.madism.org
Re: Common place to keep subnet address/size information?
[Pierre Habouzit]
> It's not doable, because the POSIX getnetent answers in a struct
> getent that cannot store the netmask, a simple getnetent(3) has the
> answer. And that's the reason why it can only store A/B/C class
> networks, because 128.12.0.0/16 is in fact stored as 128.12.0.0 and 0
> is assumed to be a wildcard, hence a network group.
>
> So well, you can try to fight against POSIX, some tried, we don't have
> any news from them since :)

Sure, I am aware that the POSIX definitions need to change for this to
work. And I suspect it is a good idea, as the current netent family
of functions are useless for most settings, at least here at the
university where most networks are not /8, /16 nor /24. :)

Do you have any information about the previous tries? I guess a
defect report to the Austin group is a good place to start. Did anyone
submit such a report yet?

> I know it's not *exactly* what you wanted, but afaict hosts.* are
> way more flexible. Iptables could also help to achieve similar
> purposes in a more generic way.

This is in fact a very good idea, as it is a lot easier to implement.
Thank you!

Friendly,
--
Petter Reinholdtsen
Re: Common place to keep subnet address/size information?
On Fri, Apr 27, 2007 at 10:27:23AM +0200, Petter Reinholdtsen wrote:
>
> In Debian Edu, we provide an out-of-the-box pre-configured network
> solution for schools. We hard code the IP subnet used, to be able to
> configure all the services we want to have working out of the box. We
> want to avoid hard coding the IP addresses and IP subnet, but found no
> other way to get it working. This email documents an idea on how to
> avoid this hard coding.
>
> At the moment, very few services need subnet information. It is
> squid, sysklogd, cfengine (cfservd), dhcpd and bind. The first three
> need to have a subnet access limit, and we currently hardcode it to
> 10.0.2.0/255.255.254.0 or 10.0.2.0/23, depending on the supported
> notation. It would be better if we could use a symbolic name, and
> store the subnet IP address in a common location, thus making it
> easier to change the IP subnet used.
>
> One obvious solution would be to use /etc/networks, and rewrite squid,
> sysklogd and cfservd to use information in this file. The problem is
> only that getnetent() and friends only support the classic A, B and C
> subnets, aka /8, /16 and /24. Would it be possible to extend
> /etc/networks to support any subnet size? I guess the easiest way to
> do this would be to extend the 'number' part of the file to support
> the slash notation. It should be backwards compatible, as the
> original POSIX notation only allows digits and dots in this field.
>
> Is this a good idea? How would glibc have to change to handle this?

It's not doable, because the POSIX getnetent answers in a struct
getent that cannot store the netmask, a simple getnetent(3) has the
answer. And that's the reason why it can only store A/B/C class
networks, because 128.12.0.0/16 is in fact stored as 128.12.0.0 and 0
is assumed to be a wildcard, hence a network group.

So well, you can try to fight against POSIX, some tried, we don't have
any news from them since :)

> Are there any other options available for us to avoid hard coding IP
> subnet information in the squid, sysklogd and cfservd configuration
> files?

Well, don't all those daemons use /etc/hosts.{allow,deny}? I know it's
not *exactly* what you wanted, but afaict hosts.* are way more
flexible. Iptables could also help to achieve similar purposes in a
more generic way.

--
·O·  Pierre Habouzit
··O  [EMAIL PROTECTED]
OOO  http://www.madism.org
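The point of the thread, that a record without a netmask can only describe classful networks and that a daemon which infers the size from the bare network number will get /8, /16 or /24 and nothing else, is easy to demonstrate. The following C program is an added example for this page, not code from the thread, from glibc or from Debian Edu. It uses a hypothetical `struct maskless_net` as a stand-in for what getnetent(3)'s struct netent can hold (a name and a network number, no mask), the standard class A/B/C split as the only rule by which a prefix length can be recovered from such a record, and the subnet 10.0.2.0/23 from the original mail; the record name "debian-edu" and the probe hosts are constructed for the example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the mask-less record getnetent(3) returns:
 * a name and a network number in host byte order, no netmask. This is an
 * illustration, not glibc's struct netent. */
struct maskless_net {
    const char *n_name;
    uint32_t    n_net;
};

static uint32_t prefix_to_mask(int prefix)
{
    if (prefix <= 0)  return 0;
    if (prefix >= 32) return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - prefix);
}

/* The classful rule: the only prefix length recoverable from a bare
 * network number. Class D/E have no network size, hence -1. */
static int classful_prefix(uint32_t net)
{
    if ((net & 0x80000000u) == 0)           return 8;   /* class A: 0-127   */
    if ((net & 0xC0000000u) == 0x80000000u) return 16;  /* class B: 128-191 */
    if ((net & 0xE0000000u) == 0xC0000000u) return 24;  /* class C: 192-223 */
    return -1;
}

/* Parse "a.b.c.d/nn", the extended /etc/networks syntax proposed in the
 * thread. Rejects a missing or out-of-range prefix and any address with
 * host bits set, so 10.0.2.1/23 cannot silently become another block. */
static int parse_cidr(const char *text, uint32_t *net, int *prefix)
{
    char buf[32], *slash, *end;
    long p;
    struct in_addr a;

    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    slash = strchr(buf, '/');
    if (slash == NULL) return -1;
    *slash = '\0';
    p = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || p < 0 || p > 32) return -1;
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    *net = ntohl(a.s_addr);
    if (*net & ~prefix_to_mask((int)p)) return -1;   /* host bits set */
    *prefix = (int)p;
    return 0;
}

/* Prefix length a daemon ends up with after storing `cidr` in a mask-less
 * record and reconstructing the size classfully; -1 if unparseable or D/E. */
static int prefix_after_netent_roundtrip(const char *cidr)
{
    uint32_t net; int prefix;
    struct maskless_net rec;
    if (parse_cidr(cidr, &net, &prefix) != 0) return -1;
    rec.n_name = "debian-edu";   /* constructed name for the record */
    rec.n_net  = net;            /* the /23 is lost at this point */
    return classful_prefix(rec.n_net);
}

/* 1 if the block survives the round trip unchanged (i.e. it is classful). */
static int representable_in_netent(const char *cidr)
{
    uint32_t net; int prefix;
    if (parse_cidr(cidr, &net, &prefix) != 0) return 0;
    return classful_prefix(net) == prefix;
}

/* Membership of `host` in `cidr`. prefix_len < 0 uses the CIDR's own
 * prefix; otherwise it overrides it (e.g. with the classful one).
 * Returns 1, 0, or -1 on malformed input. */
static int host_in_net(const char *host, const char *cidr, int prefix_len)
{
    uint32_t net, mask; int prefix;
    struct in_addr a;
    if (parse_cidr(cidr, &net, &prefix) != 0) return -1;
    if (inet_pton(AF_INET, host, &a) != 1) return -1;
    if (prefix_len >= 0) prefix = prefix_len;
    mask = prefix_to_mask(prefix);
    return (ntohl(a.s_addr) & mask) == (net & mask);
}

/* What an ACL keyed on the mask-less record would actually admit. */
static int host_in_net_after_roundtrip(const char *host, const char *cidr)
{
    int p = prefix_after_netent_roundtrip(cidr);
    return p < 0 ? -1 : host_in_net(host, cidr, p);
}

int main(void)
{
    const char *acl = "10.0.2.0/23";                               /* from the thread */
    const char *probes[] = { "10.0.3.200", "10.0.4.1", "10.200.0.1" }; /* constructed */
    size_t i;

    printf("%s representable in a mask-less record: %s, classful size /%d\n",
           acl, representable_in_netent(acl) ? "yes" : "no",
           prefix_after_netent_roundtrip(acl));
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-12s intended ACL: %d  after round trip: %d\n", probes[i],
               host_in_net(probes[i], acl, -1),
               host_in_net_after_roundtrip(probes[i], acl));
    return 0;
}
```

The security-relevant outcome is the last column: a squid, sysklogd or cfservd access list that took "10.0.2.0" from a mask-less /etc/networks record and inferred the size classfully would admit all of 10.0.0.0/8, not the 512 addresses of the /23 the administrator wrote. That is why the thread's fallback to hosts.allow/hosts.deny makes sense: hosts_access(5) takes an explicit net/mask pair such as 10.0.2.0/255.255.254.0, the very notation the original mail already uses, so no size is inferred.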