umls3 reasoning
Somebody asked about my design ideas for umls3.
I'd like to start from the beginning. At the start was my infrastructure with a Linux firewall (iptables) on a 486sx/20MB laptop and a personal fileserver with user-mode-linux guests. These guests have public IP addresses. I wanted to have all firewalling done on the firewall computer (because otherwise the resulting configuration would become too complex, which is a security risk). I decided to use uml_switch as the user-mode-linux network adapter and to extend the existing program uml_switch from Jeff Dike with a new network port type called udp-port. Then I have an uml_switch on the firewall with no user-mode-linux guests, but a tap-port to the real network and the new udp-port, which creates a virtual tunnel to an uml_switch instance on my fileserver, which has (besides the socket for the user-mode-linux guests) only the udp-port. So there is no direct network connection from the user-mode-linux guest to my fileserver. If I ping the user-mode-linux guest from my fileserver, the ping IP packet goes through the 10MBit wire to my firewall, enters through the internal eth1 interface, goes through the firewall rules, leaves through the tap0 device, goes as a UDP packet back along the same wire and finally reaches the user-mode-linux guest.

There are other possibilities to achieve the same result, but for example with multicast transport I would have needed to write a multicast-tap bridge. The firewall itself is not powerful enough to execute its own user-mode-linux instance just for routing. Some people have some doubts about the security of the udp-port; here is my personal reasoning. The result is the program called uml_switch2. It has a configuration file (not just command line options) and has an integrated mechanism to create tap devices without the need to use persistent tap devices (I find my solution much nicer than the program tunctl :-).
Next I had the idea to make my switch manageable, using a server daemon serving the different virtual switches (remember some of my user-mode-linux guests are internal test instances and one is the external webserver with a public IP address; therefore there are two uml_switch2 instances running on my fileserver) and a client program. And then I had the following idea: if there is a daemon that just sits there, waits for signals and directs ethernet packet traffic, this program could also do some other useful work like starting and stopping user-mode-linux guests etc. The result will be called umls3. It will be something like a stripped down umlazy, but written in the language C, and with an integrated uml_switch program. If I continue to think, the next step will be to purge the uml_switch task from my umls3 program :-)
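To make the udp-port idea concrete, here is an added example (my own illustration, not code from uml_switch, uml_switch2 or umls3): two switch ends carry raw Ethernet frames inside UDP datagrams over loopback, standing in for the firewall and the fileserver ends of the tunnel. The receive side only accepts datagrams from the configured peer address and drops everything else; that peer check is an assumption about what a hardened udp-port should do, not a statement about how the programs above behave. The MAC addresses, ethertype and payload are constructed sample values.

```python
"""Model of a uml_switch-style "udp-port": Ethernet frames carried inside UDP.
Added example; the peer-address filter is an assumed hardening, not a
description of uml_switch2 or umls3."""
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")  # dst MAC, src MAC, ethertype (Ethernet II, no FCS)


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame for the tunnel; MACs are 6 raw bytes."""
    return ETH_HDR.pack(dst_mac, src_mac, ethertype) + payload


class UdpPort:
    """One end of the virtual tunnel. A frame travels as-is in one datagram.
    On receive, only datagrams from the configured peer (address and port)
    that are at least one Ethernet header long are handed to the switch;
    anything else is counted and discarded."""

    def __init__(self, bind_addr, peer_addr, timeout=0.5):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(bind_addr)
        self.sock.settimeout(timeout)
        self.peer_addr = peer_addr  # may be set later, once the peer is bound
        self.dropped = 0

    @property
    def local_addr(self):
        return self.sock.getsockname()

    def send_frame(self, frame: bytes) -> None:
        self.sock.sendto(frame, self.peer_addr)

    def recv_frame(self):
        """Return the next frame from the peer, or None if none arrives
        before the socket timeout expires."""
        while True:
            try:
                data, src = self.sock.recvfrom(65535)
            except socket.timeout:
                return None
            if src != self.peer_addr or len(data) < ETH_HDR.size:
                self.dropped += 1  # spoofed source or runt datagram
                continue
            return data

    def close(self) -> None:
        self.sock.close()


def tunnel_roundtrip():
    """Bring up both tunnel ends on loopback (bind to port 0, then pair them),
    push one frame through, then try to inject a frame from an unrelated
    socket. Returns what the fileserver end saw."""
    fw_end = UdpPort(("127.0.0.1", 0), None)
    fs_end = UdpPort(("127.0.0.1", 0), fw_end.local_addr)
    fw_end.peer_addr = fs_end.local_addr

    # constructed sample frame: locally administered MACs, IPv4 ethertype
    frame = build_frame(b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\x01",
                        0x0800, b"ping payload")
    fw_end.send_frame(frame)
    legit = fs_end.recv_frame()

    # a third socket on the same host tries to push a frame into the switch
    rogue = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rogue.sendto(build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x09", 0x0806, b"bogus"),
                 fs_end.local_addr)
    rogue.close()
    injected = fs_end.recv_frame()  # None: rogue datagram is dropped, then timeout

    result = {
        "legit_matches": legit == frame,
        "injected": injected,
        "dropped": fs_end.dropped,
    }
    fw_end.close()
    fs_end.close()
    return result


if __name__ == "__main__":
    print(tunnel_roundtrip())
```

Because the tunnel endpoints are fixed in the switch configuration, a peer check like this costs nothing at runtime and removes the easiest way for another host on the 10MBit wire to feed frames into the guest segment; it does not replace the firewall rules, which still see every packet that crosses between the real network and the tunnel.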