tech-kern archive


Re: Interface description support



On Tue, Jun 25, 2019 at 10:43:32AM +0200, Michael van Elst wrote:
> On Tue, Jun 25, 2019 at 09:49:46AM +0200, Manuel Bouyer wrote:
> > On Mon, Jun 24, 2019 at 09:56:35PM -0000, Michael van Elst wrote:
> > > IMHO such functionality doesn't belong into the kernel, it's much easier
> > > to have a configuration syntax with variables or macros to achieve the
> > > same.
> > 
> > Except it would make it harder to use in e.g. packet filters.
> > The interface may not exist when the packet filter rule file is parsed
> > (e.g. in a Xen dom0)
> 
> For some packet filters that's not even a question as these are
> attached to specific interfaces. For new interfaces you need
> to load new rules and that can be handled in userland.
> 
> npf, working in the IP layer, needs to filter packets according to
> interface. That allows more complex matching in the kernel, which
> makes it easier to use. But is pushing complexity into the kernel
> the right thing?

I think so. For example, on a Xen dom0, you'd need to reload the
config file each time a virtual interface is created or destroyed.
That's what I do right now but it has lots of problems (including
xl timing out on domUs with lots of interfaces, because the machinery
to patch and reload the ipf config file takes too much time).
Using interface name aliases in the config file (and down to the kernel)
would solve this nicely.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 years of experience will always make the difference
--

