[ previous ] [ next ] [ threads ]
 
 From:  Peter Curran <peter at closeconsultants dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] The future
 Date:  Fri, 14 Oct 2005 19:48:58 +0100
> Our prototype doesn't offer the full m0n0wall functionality, but as a
> proof of concept the basics are certainly working.  We have a
> workable, useful Linux-based router running m0n0wall as the GUI.  And
> with the exception of stuff Linux just doesn't support, our method can
> with little effort be extended to do under Linux anything that
> m0n0wall can do on FreeBSD.
>
> Surprisingly, the diff against the m0n0 code is less than 100 lines.
>
> (The magic to allow all this isn't part of m0n0wall, and hence, isn't
> part of the 100 lines)
>

That sounds pretty interesting - I assume the 'magic' is pretty non-trivial?

>  - Regarding languages, we are happy with PHP.  Disk and RAM-wise,
> once you've taken the memory hit of the PHP interpreter, running the
> actual PHP page is very very low cost in terms of memory.  I believe
> the expressiveness, clarity and density of PHP is very good, and
> things such as the string handling make it much easier to write secure
> maintainable programs.  Michael Hanselmann suggested that PHP be
> retained because it's what makes m0n0 unique.  That's preserving PHP
> simply for uniqueness' sake.  I'd suggest a more practical way of
> looking at it:  m0n0 is uniquely customizable *because* it's written
> in PHP.  And an architectural update changes nothing about that
> compelling reason.
>
That is quite a good argument.

>  - As a communication mechanism between front ends and the back end,
> we are considering using XMLRPC.  Very light weight (lighter than
> SOAP), easy to debug and well supported, especially in PHP.
> Multi-language, cross platform, no problems.  While any RPC-using
> program tends to be complicated by the possibility of unreliable comms
> (maybe the server goes away!), things in the m0n0wall case are
> simplified somewhat by having the server and the client on the same
> machine.  The server can just be assumed to be there all the time. For
> the remainder of problems, PHP5's exceptions help keep code clear,
> while still handling problems gracefully.
>
I have limited experience of both SOAP and XMLRPC, but would prefer the latter 
because it is a bit more straightforward IMHO.

> My idea is to have the (minimal) webserver do two jobs.  The first is
> to listen to requests for UI pages from a browser to the web-based
> front end.  The second is to listen to XMLRPC requests from front
> ends, then spawn the PHP backend.  That way, we can get away with only
> having the back-end in memory when it's needed, while still
> permanently listening to XMLRPC and GUI requests (via the webserver).
> We may also add throttling to prevent simultaneous PHP backends, or do
> some sort of back-end "hang-around" mechanism.  (Marc Fargas' email
> said much the same thing).
>

I think you have a good idea here. 

It strikes me that ultimately most of the current m0n0 functionality is either 
producing a config file for a daemon to read, or making discrete calls to 
standard commands like ifconfig or route.  In reality, what is needed is a 
single interface to this mechanism - this need not be threaded or even 
multi-process.  My experience of hacking the m0n0 internals (which covers 
about 6 separate projects now) is a frustration with the level of hacking 
that has to be done in multiple places to integrate a new feature that 
touches the firewall, or the routing logic.

I certainly strongly support the idea of a layered approach - but I think that 
much of the PHP in the current GUI will have to be re-written as it normally 
directly mucks around with the config[] array.  The HTML stuff is probably 
OK, but for some files the PHP logic hidden behind the GUI is pretty large 
and complicated.

I think that separation of the front and back ends would be sooo much easier 
to work with, but a well specified interface would have to be documented and 
agreed.  I suspect that will take a while to do and can probably only be 
completed when a 2.0RC20 is available!

How does m0n0-on-LInux perform compared to the regular system?

Peter

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.