Network interface groups


1. Introduction

This modification lets you assign a set of group numbers between 0 and 7 to each network interface in the system and configure your networking services to be reachable on whichever groups of interfaces you choose.

The Linux kernel patch implements this functionality (IPv4 only), while the net-tools (ifconfig) patch adds the ability to manage the group numbers of each network interface.

Linux kernel patch:

Patch name                                                Kernel version the patch applies to
patch_2.4.18_ifgrp_0.1 (patch-2.4.18-ifgrp)               linux-2.4.18
patch_2.6.0_test11_ifgrp_0.1 (patch-2.6.0-test11-ifgrp)   linux-2.6.0-test11

Net-tools patch (ifconfig):

Patch name                      net-tools version the patch applies to
patch-net-tools-1.60-ifgrp      net-tools-1.60

To be able to build the patched ifconfig tool, you have to synchronise the changes to the Linux headers if.h and sockios.h with the corresponding libc headers (net/if.h and bits/ioctls.h on my system).

2. How this works (or how I think it works)

This code extends a socket's ability to accept packets on ANY of your network interfaces into the ability to accept packets on a selected group of network interfaces.

This is achieved by adding an interface group mask to the net_device structure and another one to the inet_opt structure. When a received packet is matched to its socket, the group mask of the interface it arrived on must share at least one bit with the socket's group mask. A bind system call that passes the desired interface group number (instead of an IP address or INADDR_ANY) thus selects the group of interfaces that may deliver packets to this socket.

By default all network interfaces belong only to group 0, and every socket initialises its group mask to group 0 as well.

You may change the group mask of a network interface while network services are running, using the patched ifconfig tool. Changing an interface's group mask may, for example, make a network service stop accepting new connections via that interface, while the existing connections remain operational until they are closed. In the same way a network service may start accepting connections via the desired interface.

The good thing about this solution is that, with default settings, the extension should make no significant difference to existing behaviour (correct me if I'm wrong), because all network interfaces fall into group zero by default.
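To make the matching rule concrete, here is a small user-space model of it, written as an added example (not code from the patch itself). The struct and function names are assumptions; the model covers only how a newly arrived packet is matched to a listening socket, not the fate of already-established connections.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* User-space model of the matching rule described above. The names here are
 * assumptions, not the patch's own; groups 0..7 map to one mask bit each. */
#define IFGRP_COUNT 8
struct model_netdev { uint8_t grp_mask; };                 /* net_device's group mask */
struct model_sock   { uint16_t port; uint8_t grp_mask; };  /* inet_opt's group mask   */
/* Group number 0..7 -> its mask bit; 0 for an out-of-range group number. */
uint8_t ifgrp_bit(int grp) { return (grp >= 0 && grp < IFGRP_COUNT) ? (uint8_t)(1u << grp) : 0; }
/* Defaults: every interface and every socket starts in group 0 only. */
void netdev_init(struct model_netdev *d) { d->grp_mask = ifgrp_bit(0); }
void sock_init(struct model_sock *s) { s->port = 0; s->grp_mask = ifgrp_bit(0); }

/* bind() given a group number in place of an address; rejects invalid groups. */
bool sock_bind_group(struct model_sock *s, uint16_t port, int grp)
{
    uint8_t bit = ifgrp_bit(grp);
    if (bit == 0) return false;
    s->port = port; s->grp_mask = bit;
    return true;
}
/* The demux rule: a packet arriving on dev for dport may reach s only if the
 * socket's and the interface's group masks share at least one bit. */
bool sock_matches(const struct model_sock *s, const struct model_netdev *dev, uint16_t dport)
{ return s->port == dport && (s->grp_mask & dev->grp_mask) != 0; }
/* Index of the first matching socket in tab, or -1 if the packet has none. */
int sock_lookup(const struct model_sock *tab, size_t n, const struct model_netdev *dev, uint16_t dport)
{
    for (size_t i = 0; i < n; i++)
        if (sock_matches(&tab[i], dev, dport)) return (int)i;
    return -1;
}

/* Constructed scenario: two listeners on port 80, eth0 left in group 0, eth1 moved to
 * group 2 (as the patched ifconfig would). Returns how many of four expected outcomes hold. */
int demo(void)
{
    struct model_netdev eth0, eth1; struct model_sock tab[2]; int ok = 0;
    netdev_init(&eth0); netdev_init(&eth1); eth1.grp_mask = ifgrp_bit(2);
    sock_init(&tab[0]); sock_bind_group(&tab[0], 80, 0);
    sock_init(&tab[1]); sock_bind_group(&tab[1], 80, 2);
    ok += sock_lookup(tab, 2, &eth0, 80) == 0;   /* eth0 traffic -> group-0 listener */
    ok += sock_lookup(tab, 2, &eth1, 80) == 1;   /* eth1 traffic -> group-2 listener */
    eth0.grp_mask = ifgrp_bit(5);                /* regroup eth0 while services run  */
    ok += sock_lookup(tab, 2, &eth0, 80) == -1;  /* no listener in group 5: refused   */
    ok += sock_lookup(tab, 2, &eth1, 22) == -1;  /* the port still has to match       */
    return ok;
}
```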

3. What is it good for?

Separating network services, moving services between interfaces, better security, ....???

4. To think about

Can we use this approach on IPv6?
Do we need more than 8 groups?

Comments appreciated :)
Samo