From: Ian Stakenvicius
Date: Tue, 07 Feb 2012 12:12:36 -0500
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: rfc: only the loopback interface should provide net
Message-ID: <4F315B84.7050706@gentoo.org>
In-Reply-To: <4F313792.7050502@gentoo.org>

On 07/02/12 11:46 AM, Duncan wrote:
> Ian Stakenvicius posted on Tue, 07 Feb 2012 09:39:14 -0500 as
> excerpted:
>
>> I think that "Category 2" needs to be separated into "2a - any
>> network", and "2b - any public network". For instance, the
>> service 'net' (for 2a) and service 'inet' (for 2b). If this were
>> the default case, then Cat.2 packages that by default want to
>> connect to the internet could 'need inet', and then the user
>> would only have to define which interfaces are included (or
>> excluded) from satisfying 'inet'.
>>
>> The trick that I see here is that init.d scripts have to have
>> their 'depends' set up in such a way that the services can be
>> separated based on their need for public network or any network,
>> so that the user doesn't have to mess with those. By default I
>> think it makes sense to keep both the 'net' and 'inet' pools the
>> same (i.e., all ifaces but net.lo*), but have a simple ability to
>> separate interfaces from the 'public net' pool in rc.conf when
>> they do not provide a public network connection.
>
> This boils down to the suggestion I made earlier. Using current
> terms:
>
> 1) Separate net.lo service for stuff that doesn't have to have an
> external connection at all.
>
> 2) A default net (or net*) service that is composed of all
> non-net.lo services, with a default any-one-of-them policy. Two
> reasons for this:
>
> 2a) It'll "just work" in the simple case.
>
> 2b) It's the easiest to automatically preconfigure without getting
> into lots of "detect all the networks and magically figure out
> whether they're lan-only or inet" hairballs.
>
> 3) Allow the user/admin to configure net1, net2... just like the
> default net/net*, specifying individual interfaces for each as well
> as whether one or all of the configured interfaces must be up for
> the service to be provided.
>
> This way, a user/admin can provide narrower-than-all groupings as
> necessary, including net.lo if it makes sense for them, tho the
> defaults would be only one net.lo and the wildcard
> default-any-one-of-anything-else.

Yes, it's very similar.

The only thing that I'm not sure of under the above situation is how
the depend in each init.d script would be defined by default, so that
IF the 'net' pool doesn't match up with the 'inet' pool ('inet' would
always be a subset of 'net'), then a user/admin could just specify the
pool(s) in rc.conf, etc. and NOT have to adjust the init scripts or
assign specific ifaces/pools to each service via rc.conf.

I do realize that there is a case that breaks pretty well every
example, but this one (a 'net' and 'inet' pool, which defaults to
being the same but can easily have an iface excluded) I think expands
to cover a larger slice of cases. This would, of course, not keep the
admin from doing #3 above, which iirc can be done now in rc.conf.

(please substitute 'inet' for 'publicnet' or whatever name makes more
sense to you)
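As an added illustration (not code from this thread, nor from OpenRC itself), a small POSIX shell model of the pool resolution being discussed: the 'net' pool is every up interface except loopback, the 'inet' pool is 'net' minus interfaces the admin excludes, and a pool is provided under either an any-one-of or an all policy. The setting name `rc_inet_exclude`, the function names and the interface lists are assumptions constructed for the example.

```shell
#!/bin/sh
# Constructed model of the proposed 'net' / 'inet' pools; the pool
# semantics and the rc_inet_exclude setting name are assumptions.

# in_list WORD LIST: true if WORD appears in the whitespace-separated LIST
in_list() {
    for x in $2; do [ "$x" = "$1" ] && return 0; done
    return 1
}

# net_pool UP_IFACES: the 'net' pool, every up interface except loopback (net.lo*)
net_pool() {
    for i in $1; do
        case "$i" in lo|lo[0-9]*) ;; *) printf '%s\n' "$i" ;; esac
    done
}

# inet_pool UP_IFACES EXCLUDE: the 'inet' pool, i.e. the 'net' pool minus the
# interfaces listed in the hypothetical rc.conf setting rc_inet_exclude
inet_pool() {
    for i in $(net_pool "$1"); do
        in_list "$i" "$2" || printf '%s\n' "$i"
    done
}

# pool_provided POLICY CONFIGURED UP: 'any' needs one configured interface up,
# 'all' needs every configured interface up; an empty pool is never provided
pool_provided() {
    case "$1" in
        any) for i in $2; do in_list "$i" "$3" && return 0; done; return 1 ;;
        all) for i in $2; do in_list "$i" "$3" || return 1; done; [ -n "$2" ] ;;
        *)   return 2 ;;
    esac
}

# can_start DEP UP_IFACES EXCLUDE: resolve a service's single 'need' against the
# default pools, which use the any-one-of policy from the thread
can_start() {
    case "$1" in
        net)  pool_provided any "$(net_pool "$2")" "$2" ;;
        inet) pool_provided any "$(inet_pool "$2" "$3")" "$2" ;;
        *)    return 2 ;;
    esac
}
```

With `eth0` excluded from 'inet' and only `lo eth0` up, a service that needs 'net' can start while one that needs 'inet' cannot, which is the split the proposal aims at.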