Re: Common place to keep subnet address/size information?

2007-04-27 Thread Pierre Habouzit
On Fri, Apr 27, 2007 at 01:20:02PM +0200, Petter Reinholdtsen wrote:
> [Pierre Habouzit]
> > It's not doable, because the POSIX getnetent answers in a struct
> > netent that cannot store the netmask, a simple getnetent(3) has the
> > answer. And that's the reason why it can only store A/B/C class
> > networks, because 128.12.0.0/16 is in fact stored as 128.12.0.0 and 0
> > is assumed to be a wildcard, hence a network group.
> > 
> > So well, you can try to fight against POSIX, some tried, we don't have
> > any news from them since :)
> 
> Sure, I am aware that the POSIX definitions need to change for this to
> work.  And I suspect it is a good idea, as the current netent family
> of functions are useless for most settings, at least here at the
> university where most networks are not /8, /16 nor /24. :)

  Well, you won't change APIs as old as that; you can add new ones, but
don't count on that IMHO :)

> Do you have any information about the previous tries?  I guess a
> defect report to the Austin group is a good place to start.

  That was just a joke.

> Did anyone submit such report yet?
> 
> > I know it's not *exactly* what you wanted, but afaict hosts.* are
> > way more flexible. Iptables could also help to achieve similar
> > purposes in a more generic way.
> 
> This is in fact a very good idea, as it is a lot easier to implement.
> Thank you!

  You're welcome.

-- 
·O·  Pierre Habouzit
··O  [EMAIL PROTECTED]
OOO  http://www.madism.org




Re: Common place to keep subnet address/size information?

2007-04-27 Thread Petter Reinholdtsen
[Pierre Habouzit]
> It's not doable, because the POSIX getnetent answers in a struct
> netent that cannot store the netmask, a simple getnetent(3) has the
> answer. And that's the reason why it can only store A/B/C class
> networks, because 128.12.0.0/16 is in fact stored as 128.12.0.0 and 0
> is assumed to be a wildcard, hence a network group.
> 
> So well, you can try to fight against POSIX, some tried, we don't have
> any news from them since :)

Sure, I am aware that the POSIX definitions need to change for this to
work.  And I suspect it is a good idea, as the current netent family
of functions are useless for most settings, at least here at the
university where most networks are not /8, /16 nor /24. :)

Do you have any information about the previous tries?  I guess a
defect report to the Austin group is a good place to start.  Did
anyone submit such report yet?

> I know it's not *exactly* what you wanted, but afaict hosts.* are
> way more flexible. Iptables could also help to achieve similar
> purposes in a more generic way.

This is in fact a very good idea, as it is a lot easier to implement.
Thank you!

Friendly,
-- 
Petter Reinholdtsen





Re: Common place to keep subnet address/size information?

2007-04-27 Thread Pierre Habouzit
On Fri, Apr 27, 2007 at 10:27:23AM +0200, Petter Reinholdtsen wrote:
> 
> In Debian Edu, we provide an out-of-the-box pre-configured network
> solution for schools.  We hard code the IP subnet used, to be able to
> configure all the services we want to have working out of the box.  We
> want to avoid hard coding the IP addresses and IP subnet, but found no
> other way to get it working.  This email documents an idea on how to
> avoid this hard coding.
> 
> At the moment, very few services need subnet information.  They are
> squid, sysklogd, cfengine (cfservd), dhcpd and bind.  The first three
> need to have a subnet access limit, and we currently hardcode it to
> 10.0.2.0/255.255.254.0 or 10.0.2.0/23, depending on the supported
> notation.  It would be better if we could use a symbolic name, and
> store the subnet IP address in a common location, thus making it
> easier to change the IP subnet used.
> 
> One obvious solution would be to use /etc/networks, and rewrite squid,
> sysklogd and cfservd to use information in this file.  The only
> problem is that getnetent() and friends only support the classic A, B
> and C subnets, aka /8, /16 and /24.  Would it be possible to extend
> /etc/networks to support any subnet size?  I guess the easiest way to
> do this would be to extend the 'number' part of the file to support
> the slash notation.  It should be backwards compatible, as the
> original POSIX notation only allows digits and dots in this field.
> 
> Is this a good idea?  How would glibc have to change to handle this?

  It's not doable, because the POSIX getnetent answers in a struct
netent that cannot store the netmask, a simple getnetent(3) has the
answer. And that's the reason why it can only store A/B/C class
networks, because 128.12.0.0/16 is in fact stored as 128.12.0.0 and 0
is assumed to be a wildcard, hence a network group.

  So well, you can try to fight against POSIX, some tried, we don't have
any news from them since :)

> Are there any other options available for us to avoid hard coding IP
> subnet information in the squid, sysklogd and cfservd configuration
> files?

  Well, don't all those daemons use /etc/hosts.{allow,deny} ?

  I know it's not *exactly* what you wanted, but afaict hosts.* are way
more flexible. Iptables could also help to achieve similar purposes in a
more generic way.

-- 
·O·  Pierre Habouzit
··O  [EMAIL PROTECTED]
OOO  http://www.madism.org


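The two points argued in this thread, the slash-extended /etc/networks format Petter proposes and the reason struct netent cannot carry it, as an added worked example that is not code from the thread, from glibc or from Debian Edu. It parses one /etc/networks-style line ("name number[/prefix] ..."), falls back to the classful rule Pierre describes (trailing zero octets are wildcards) when no prefix is given so an unmodified file still parses, rejects entries with host bits set instead of silently truncating them, and shows what survives a round trip through struct netent, whose n_net field is its only address field. The function names (parse_networks_line, entry_prefix, entry_contains, entry_prefix_via_netent) and the sample lines are constructed for this example.

```c
/* Added example, not code from the thread, glibc or Debian Edu.
 * Parse /etc/networks lines extended with a /prefix; plain entries use the
 * classful rule (trailing zero octets are wildcards). Build: cc -Wall networks.c */
#define _POSIX_C_SOURCE 200809L
#include <netdb.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

struct cidr_net {
    char name[64];
    uint32_t addr;   /* network number, host byte order, host bits clear */
    int prefix;      /* prefix length 0..32 */
};

/* Parse "a", "a.b", "a.b.c" or "a.b.c.d" as /etc/networks writes network
 * numbers: missing trailing octets are zero ("128.12" is 128.12.0.0). */
static int parse_dotted(const char *s, uint32_t *out)
{
    uint32_t v = 0;
    int octets = 0;
    for (const char *p = s; ; ) {
        char *end;
        unsigned long o = strtoul(p, &end, 10);
        if (end == p || o > 255 || octets == 4) return -1;
        v = (v << 8) | (uint32_t)o;
        octets++;
        if (*end == '\0') break;
        if (*end != '.' || end[1] == '\0') return -1;
        p = end + 1;
    }
    *out = v << (8 * (4 - octets));
    return 0;
}

/* The classful rule: 128.12.0.0 means /16, 10.0.2.0 can only mean /24. */
static int classful_prefix(uint32_t addr)
{
    int prefix = 32;
    while (prefix > 0 && (addr & 0xFF) == 0) { addr >>= 8; prefix -= 8; }
    return prefix;
}

static uint32_t prefix_mask(int prefix)
{
    return prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
}

/* One line: "name number[/prefix] [alias ...] [# comment]". Returns 0 on
 * success, -1 for blank/comment lines and malformed or inconsistent entries. */
static int parse_networks_line(const char *line, struct cidr_net *out)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", line);
    char *hash = strchr(buf, '#');
    if (hash) *hash = '\0';
    char *name = strtok(buf, " \t\r\n");
    char *num = name ? strtok(NULL, " \t\r\n") : NULL;
    if (!name || !num) return -1;
    int prefix = -1;
    char *slash = strchr(num, '/');
    if (slash) {
        char *end;
        long p = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || p < 0 || p > 32) return -1;
        *slash = '\0';
        prefix = (int)p;
    }
    uint32_t addr;
    if (parse_dotted(num, &addr) != 0) return -1;
    if (prefix < 0) prefix = classful_prefix(addr);   /* old-style entry */
    if (addr & ~prefix_mask(prefix)) return -1;       /* host bits set: reject, don't guess */
    snprintf(out->name, sizeof out->name, "%s", name);
    out->addr = addr;
    out->prefix = prefix;
    return 0;
}

/* Prefix length an entry yields, or -1 if the line is rejected. */
static int entry_prefix(const char *line)
{
    struct cidr_net n;
    return parse_networks_line(line, &n) == 0 ? n.prefix : -1;
}

/* 1 if host (dotted quad) is inside the entry's network, 0 if not, -1 on error. */
static int entry_contains(const char *line, const char *host)
{
    struct cidr_net n;
    uint32_t h;
    if (parse_networks_line(line, &n) != 0 || parse_dotted(host, &h) != 0) return -1;
    return (h & prefix_mask(n.prefix)) == n.addr;
}

/* What survives a trip through the POSIX struct: n_net is its only address
 * field, so the prefix must be re-derived classfully and /23 comes back as /24. */
static int entry_prefix_via_netent(const char *line)
{
    struct cidr_net n;
    if (parse_networks_line(line, &n) != 0) return -1;
    struct netent ne;
    memset(&ne, 0, sizeof ne);
    ne.n_addrtype = AF_INET;
    ne.n_net = n.addr;          /* the mask has nowhere to go */
    return classful_prefix(ne.n_net);
}

int main(void)
{
    /* Constructed sample lines, not a real /etc/networks. */
    const char *lines[] = {
        "loopback     127.0.0.0",
        "skole-lan    10.0.2.0/23   # the Debian Edu /23 from the thread",
        "legacy-b     128.12        # old short form, /16 by the class rule",
        "badhostbits  10.0.2.1/23",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-40s -> /%d (through netent: /%d)\n", lines[i],
               entry_prefix(lines[i]), entry_prefix_via_netent(lines[i]));
    return 0;
}
```

The rejection of host bits is the one deliberate choice: silently masking "10.0.2.1/23" to 10.0.2.0/23 would hide a typo in exactly the file that access lists are built from.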