Use case: VPN client

Marcus Better marcus at better.se
Wed May 9 18:34:38 UTC 2007 

martin f krafft wrote:
> Fair enough, although I think this might be a job for the VPN
> client?

Yes, maybe. OpenSwan 3.x is supposed to get some functionality in this 
direction - dynamically discovering that interfaces go up and down etc. But I 
don't know if it will have the logic to decide if a connection should be 
brought up. That should be checked...

> I want to solve this with dependencies. vpn0 pre-depends on
> a default gateway, so try to configure network interfaces in
> a defined order until you get a connection.

An IPsec connection in Linux 2.6 is not a separate network interface (like it 
was in 2.4, or with the KLIPS module). But I guess it could be a virtual 
interface.

I'm not sure the dependency approach is optimal here though. For this to work, 
there has to be a decision to start the vpn0 "interface". In other words 
there must be an ultimate goal which starts a dependency resolution chain. 
This is not how it works in reality. A user should just plug in the network 
card, or move into a WiFi zone, and automatically the interface is brought 
up, wpa_supplicant does its thing, we get an IP address and some routes with 
DHCP, and finally the VPN connection is started. Or a local file server is 
launched etc.

Note that there is no probing of network interfaces in some order. Such an 
order may be hard to define ahead of time, since the list of possible network 
interfaces is not known. You should be able to plug in a completely new 
network card.

It may be instructive to read the comparison between Upstart and Initng [1] in 
this context.

> So upstart can run scripts when it receives events but it has no
> knowledge (yet) of network events?

Yes. For instance I have the following files (from upstathat wire ifupdown to 
upstart:

================
~$ cat /etc/network/if-up.d/upstart
#!/bin/sh

exec /sbin/initctl emit interface-up $IFACE

~$ cat /etc/network/if-down.d/upstart
#!/bin/sh

exec /sbin/initctl emit interface-down $IFACE
================

Then I have a script /etc/event.d/check-local-network which gets started on 
the interface-up event. It does some checks to see which network I'm 
connected to, and emits further "home-lan-connected", "office-lan-connected" 
and "inet-connected" events. Other scripts can trigger on those events. For 
instance "inet-connected" would start an IPsec tunnel unless we are between 
the "office-lan-connected" and "office-lan-disconnected" events.

(The latter rather complex specification seems not to be implemented in 
upstart yet, so I have a temporary hack with the same effect. It seems to 
work well in principle.)

> What exactly does upstart provide that you think would be stupid to
> reimplement?

*Event handling: which jobs are triggered by an event.
*Job state management: keep track of which jobs (services) are running.
*Specification of complex conditions for a job to be started, such as this 
[2]: "Or maybe we only want to be run if a network interface comes up before 
bind9 has been started:
  on network-interface-up and from startup until started bind9"

(All of this assumes that we want an event-based mechanism.)

Marcus

[1] http://www.netsplit.com/blog/articles/2006/08/26/upstart-in-universe
[2] http://www.netsplit.com/blog/articles/2006/12/14/upstart-0-3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/netconf-devel/attachments/20070509/e0c43e68/attachment-0001.pgp

More information about the netconf-devel mailing list