Re: [gentoo-dev] rfc: only the loopback interface should provide net

[William Hubbs <williamh@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 2247 bytes --]

On Tue, Feb 07, 2012 at 09:39:14AM -0500, Ian Stakenvicius wrote:
> On 07/02/12 03:28 AM, Alexandre Rostovtsev wrote:
> > 
> > If I want to connect to pool.ntp.org to sync the system clock, or
> > to my company's vpn gateway for telecommuting, or to tor to encrypt
> > my traffic, or to a dynamic dns provider to update my machine's
> > record, I do not care in the least which interface I use.
> 
> This is not actually true.  You care, in that you want to be sure that
> the iface connects to the internet (or at least the network that said
> target sits on).
> 
> Many systems that have multiple interfaces have only some of them that
> route out to the rest of the world, and when depending on a generic
> 'net' that includes -all- of them, it's more likely that the, say,
> static private net iface will be configured (and therefore 'net'
> considered started) significantly before the one that can route to the
> internet, and therefore ntp-client's attempts at connecting to
> pool.ntp.org will fail.
> 
> I think that "Category 2" needs to be separated into "2a - any
> network", and "2b - any public network".  For instance, the service
> 'net' (for 2a) and service 'inet' (for 2b).  If this were the default
> case, then Cat.2 packages that by default want to connect to the
> internet could 'need inet', and then the user would only have to
> define which interfaces are included (or excluded) from satisfying 'inet'.

You mean cat 1 actually; cat 2 are the listeners, like sshd, which don't
care as long as some interface is active.

> The trick that I see here is that init.d scripts have to have their
> 'depends' set up in such a way that the services can be separated
> based on their need for public network or any network, so that the
> user doesn't have to mess with those.  By default I think it makes
> sense to keep both the 'net' and 'inet' pools the same (ie, all ifaces
> but net.lo*), but have a simple ability to separate interfaces from
> the 'public net' pool in rc.conf when they do not provide a public
> network connection.

If we add an internet pool, I would rather it start out with no
interfaces and have the user be required to add the interface(s) to it.

William


[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]