On Tuesday 04 February 2003 09:20 pm, Matt Schalit wrote:

>     *  Ok Ray.  I agree with you on the need for a simple file
>        of name=value pairs.
>
>     *  Ok Charles, I agree that the format shouldn't matter much,
>        and that XML has many advantages.

XML and nested directories are extremely nice and convient IF
you have a language that works well with it. How are you supposed
to parse it on the LEAF box??? I can gather the advantages on an
external pre-config, but I don't figure to write the back-end in C, perl,
or awk to run on the LEAF box itself. I really don't care how the
front-end (GUI/whatever) gets the information to the backend (*cfg),
I worry about how to parse the file(s) generated with the backend
regardless of whatever front-end is being used. I feel forced to 
assume that the file(s) generated by the pre-/post- config MUST be
compatible. If a 'tree' like proc is used, is there an example of 
a decent way to parse "unexpected" variables (from a new package)
with the shell or is someone volunteering to do this in C?

My opinion (at the moment) is that there is nothing simpler to parse than
a single file of variables..... especially if 'cut' would use whitespace as a
delimiter.  ;-)



> But it was pointed out to me that the XML database in Chad's idea
> was something to be kept seperate from LEAF and not stored on it.
> I think that the XML is used on seperate OS to configure the system.
> I think the idea of Chad's was to combine an XML config-db with a
> remote based gui and produce template-built runtime conf files
> that would be used on the LEAF.

I hate to say it, but it sounds like putting a pretty picture on what we
have now to some degree. Now, if it would generate a flat-db or 'tiny'
set of files, I could see the advantage.


> Proposed Solution:
> ==================
>     Can we merge the two ideas by making the master-db maybe XML
>     but also unleash sed on it to output a running config of
>     name=value pairs to a single file, /var/run/flat?
>
>
> If we do that, then you'd have your choice of using the api
> to access the XML db, or using /var/run/flat:
>
>   a)  If you use the api to change the xml, the api also updates
> /var/run/flat.
>
>   b)  If you hand edit /var/run/flat, you would run leafill which would
>       "refill" the XML db and trigger all dependant files to be reloaded.
>
>
> Sound good?
>
> It's merely an extra sed and an update.sh.  It may be worth it to
> have this redundancy.  Anyone concur?  It would mean a big XML
> or similar db stored on your leaf diskette and an api to handle it.


It does. Any guesses on the size of the code bloat? Size of 'leafill'?
I'm guessing ~x3-x4" for the combined option. Out of the packages
I'm auditing, only Shorewall sticks out as being a PITA to handle,
but I think Eric has a grasp on that one. Then again I assume there
will (or can be) several front-end options available. If a GUI was all
that was desired, most of us would be using Mosquito or BBIagent.
Just for kicks, someone run off a PacketFilter floppy and run it on
a router to the login prompt and give me an opinion...... I think there
is an incrediable value to a prompt script more times than not.



> > To be used with LEAF, packages typically require some modification
> > anyway. Why not adopt a "one-stop-shopping" standard for config
> > variables that makes them easily available to any package?
>
> I think we all concur on this, Ray.

OT, but the additions I would suggest for the packages would be
a $package.opt file that contains all variables in that package with
the default first and a $package.dep that contains non-base
dependant packages. This would work regardless of the db-format.



> > Then when
> > someone adapts a package, he or she at least has the option of having it
> > get its config info from a standard place in an easy fashion. What I
> > mean here is a single text file, with a simple name=value format, that
> > contains all the basic information needed by networking packages, in a
> > form that init and config scripts can use easily (like the old
> > network.conf, which used a format that allowed all entries to be loaded
> > as shell variables). The key to keeping this manageable is that it
> > contains nothing but
> >
> >         VARIABLE_NAME=value     lines
>
> Yes.
>
> >         #comment                        lines
>
> Yes.

That will be fine.... you can use the #descript as a package identifier or
a trigger of sorts. Just avoid using:
        VAR = value     #descript
....you'll end up with a unusual prompt when parsed.  ;-)


> >         and lines that do minor manipulation of VARIABLE_NAME lines
> >         (e.g., something like
> >         NETWORK_INTERNAL=$INTERFACE_INTERNAL/$NETMASK_INTERNAL
> >         )

This could be done just as easy in the existing *.conf file that we are
adding the variables into. I don't think it belongs in the db either. 


> I think we all concur.  Any variable that can be common
> to several packages gets put in the global section.

That is one of the primary reasons for a change.



> >> This is all about making a GUI configuration tool: Wrong.  Trying to
> >> make a simple web or other GUI configuration system simply points out
> >> the complexity and inconsistencies in the existing configuration
> >> system.  This is about *SIMPLIFYING* configuration, making it easier
> >> to configure and maintain a LEAF install.
>
> Charles, the GUI is goal 3. 
> The package system is goal 2.
> The central config system is goal 1.

Let's say that the GUI is to be the most considered option in goal 3.
There are any number of developers that would/write a different
non-GUI (optional) front-end to goal 3.


> > But it leaves one thing out ... an important way to simplify
> > the interface for configuration is to restrict the range of choices
> > available.
> >
> > LEAF tends to be pulled in two directions all the time --
> >
> >         simplicity, so that common uses of it can be configured easily
> > by relatively inexperienced users.
> >         flexibility, so that unusual uses of it are possible for
> > relatively skilled, experienced users.
> >
> > My interest has always been in the first direction, but the diversity of
> > our interests means that both directions need to be accommodated.
> > Perhaps, though, not in the same configuration system. A very simple but
> > restrictive configuration interface that supports (say) just three sorts
> > of NAT'd configuration --
> >
> >         modem dialup connections
> >         Ethernet external connections (including static, DHCP, and PPPoE
> > addressing)
> >         both of the above with and without a 3d interface for a DMZ

To start with and get something functional, yes. I think use of Charles'
'walklist ()' could feasibly expand the options here on a dynamic basis.



> What I think is a good idea, however, is a gui-based, drag
> and drop interface where you have a big outline of a computer,
> and you drag a couple of nic icons onto it.  Then you drag a
> clock icon onto it (ntpdate) and then you drag a firewall
> icon into the middle of it, and maybe some other objects.
> Then you are walked through configuring each one.
>
> It'd be easy enough, but I don't know if it could handle
> complex setups too easily without endless revisions to
> deal with new options.  It also requires a complete analysis
> of all possible network setups and the ability to create
> the necessary glue in .conf files.
>
> A gui is begining to sound unsimple :)

Why not a template page for 'add interface'? You could set
everything from this page: WAN/LAN/DMZ, ip info, dhcp, pppX,
allow, filter, module, bridge, proxy-arp, etc.....  It's conceivable with 
a db and thought out backend.



> > If we accept this limitation ... and if the automatic hardware detection
> > requirement really just means the ability to find the external and
> > internal NICs, not to auto-configure anything more exotic ... the
> > biggest problem I see is with older modules like ne.o that require a
> > specified iobase ... then we can look to the config systems of the
> > embedded routers for guidence about how to proceed. The other limitation
> > they consistently impose (on their Web-based config systems, anyway) is
> > that the LAN IP address of the router, and its network, are
> > pre-specified, at least for starting configuration. This presents both
> > costs and benefits.

PacketFilter auto-detects ethernet/ppp/pppoe connections on the first-boot
script. There might be something there to include.


> Autodetecting hardware is fun, but it has to be run
> on the LEAF box, and that's not necessary or always
> logistically feasable.

Let's say you just load every NIC module you can fit on the floppy.
Then do something like:

for i in /lib/modules/net/*
   do
   test=`lsmod $module | grep $module | sed -n "/1.$/p"`
   if  [ "$test" -eq "1" ]; then echo "MOD_$I = $module" >>/tmp/cfg.db
   ++i; ++I
   fi;
done

Food for thought anyway.
-- 
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com

_______________________________________________
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Reply via email to