Setting up a Linux gateway/router, a guide for non network admins

Setting up a Linux GW or router is not as hard as it may seem, as long as you are reading a friendly enough guide. Yes, there are a lot of guides for this, but since I needed to document how I did it, I might as well write a post about it here. My addition to the usual “setting up a linux gw guide”: I’ll do it using Virtualbox first, so I can test my setup before actually deploying it.

I’m going to write about how can you setup a regular Linux distro to be your border router/gateway for your LAN, but for easy of use I’ll base my examples on Ubuntu.

As expected, if we are going to replace a device, say, a router, we need to replace it with something that can provide the same functionality. In this case, we have chosen a Linux server, so we need to figure out which services are provided by the router and then emulate them someway:

  • DHCP to manage leases
  • DNS to translate domains to IPs
  • NAT, to multiplex a single connection
  • Service forwarding, to expose internal services to an external network

Luckily Linux supports all of these:

  • ISC for DHCP
  • bind9 for DNS
  • iptables for NAT
  • iptables again, for service forwarding

We’ll be setting up each of these services in the next posts, for now:

Preliminary work, the hardware setup

Before you setup any services, you are going to need two things: first two network cards, one for the outgoing connection and another one for the (switched) LAN, and a way of telling your server that you want all traffic from network 1 forwarded to network 2. You may want to install more than two cards, in case you need to route several LANs. We’ll see that later.

You will also need an OS. I have chosen Ubuntu because it’s very simple to install, and has all the software we need available in the repositories, but you can use any other distribution if it suits your needs.

Also, throughout this guide I will assume a setup like this:

  • WAN access through eth0, DHCP address
  • LAN routing in eth1, network

If you don’t have all this hardware…

Not everyone may have two spare desktops with three NICs ready for testing. Even if you do, you may be too lazy to setup the physical part of your network. If this is your case, you can also setup a virtual machine to emulate your setup, and Virtualbox is great for the task:

  1. Begin by creating what will be your router VM.
  2. Enable the first network adapter. This one should be able to see your physycal router (i.e. connect to a WAN).
  3. Enable a second network adapter. Use the ‘Internal network’ option in the ‘Attached to’ field. This will be your LAN interface.
  4. Create a second VM. This one will be your client.
  5. Enable a single network adapter, attached to an internal network as well. The name for this network should match that of the other VM.

You are all set now, with this virtual setup you can begin setting up your router. We’ll see how next time.


C preprocessor VI: Recursive macro expansion rules

What happens if you define a recursive macro? This might seem like a silly question, but by asking it we can gain some insight on the inner working of the preprocessor.

Let’s start with a simple example:

#define foo bar 1
#define bar foo 2

Luckily the preprocessor is smart enough not to trip up on this simple piece of code. When expanding foo on line three it will do something like this:

#define foo bar
#define bar foo
// Applies foo -> bar 1
bar 1
// Applies bar -> foo 2
foo 2 1
// Scans foo again... but doesn't expand it

The second time the preprocessor scans foo it won’t expand it: it “knows” foo was already expanded, so it won’t do it again. But how does it know that foo was already expanded? Let’s try something a bit more complicated:

#define foo bar a baz b
#define bar foo 1
#define baz bar 2

And then let’s see how foo is expanded, step by step:

#define foo foo a bar b baz c
#define bar foo 1
#define baz bar 2

First the rule “foo -> foo a bar b baz c” will be applied and the results rescanned: let’s call this scope 1. We’ll end up with:

foo a bar b baz c

Now the results of this expansion will be scanned, in a new scope. Let’s call it scope 2. The first token the preporcessor will see is “foo”, which was already expanded on scope 1: it will be ignored and it will continue to the next expandable token, “bar”, and it will expand it like this:

foo a foo 1 b bar 2 c

On the scope that baz’s expansion creates (scope 4), the parent’s scope expansion rules are “inherited”, so for scope 4 “foo” was already expanded but “bar” was not, because bar’s expansion happened on scope 3 and scope 3 is not scope’s 4 parent. Not following me? Try following this diagram:

foo -> foo a bar b baz c
    foo -> already expanded, ignore
    a   -> not a macro, ignore
    bar -> expand to "foo 1"
        foo -> expanded at parent scope, ignore
        1   -> not a macro, ignore
    b   -> not a macro, ignore
    baz -> expand to "bar 2"
        bar -> expand to "foo 1"
            foo -> already expanded at parent scope, ignore
            1   -> not a macro, ignore
        2   -> not a macro, ignore
    c   -> not a macro, ignore

Hopefully the preprocessor expansion rules should be a bit more clear now: each expansion creates a scope, each scope inherits from parent’s scopes whether a rule was applied or not and if it was then said rule is ignored in the current scope.

Of course these rules get more complicated when dealing with token pasting and stringifying operators, because each phase (stringifying, token pasting, rescanning and expansion) will happen in a specific order. Things get even more complicated when you realize (by reading the standard) that said order is not the same when you deal with argument replacement.

Then again, it’s probably a good idea if your macros don’t rely on the recursive expansion rules of the preprocessor.

Vim tip: Jump to a tag definition

I admit it, hitting control enter to jump to a definition is a very useful feature of fancy GUIs. Fortunately, it’s not exclusive to fancy GUIs, apparently it’s been available using ctags too for a little while (if you consider the last 20 or 30 years to be little, that is).

Just add this magic spell to your .vimrc; next time you open a file in a project with a tags file generated just press ctrl-enter with your cursor over the definition you wish to find:

map <C-CR> :tab split<CR>:exec("tag ".expand("<cword>"))<CR>

C preprocessor V: Conditionals

While walking around the c preprocessor we came to know the stringify operator, the crazy token pasting operator and a __VA_ARGS__ macro. All very weird, but at least the #if’s work in a sane way… or do they? They do, but there’s some room for unexpected behavior if you don’t know some implementation details. Take this code for example:

#if 0
#  if 0
#  else
#  elif true
#  endif

Clearly the inner if is wrong because the else clause comes before the elseif, however you might think it doesn’t matter because it’s surrounded by an #if 0. Surprise: it does matter, that’s not valid preprocessor input. Even if the outer #if is not “taken”, whatever preprocessing directives are inside it should still be valid (though anything that’s not a preprocessing directive will indeed be ignored).

Even though at first it might seem weird for things inside an #if 0 to be important, it makes sense if you think that should an internal #if not respect the proper structure then the preprocessor wouldn’t know when to end the first #if 0. Then again, if you find any real-world utility to this bit of preprocessor implementation trivia, you are doing something horribly wrong!

Vim tip: open file under cursor

If you have a bunch of #include’s you don’t need to manually type their path when you need to edit one of them; just place your cursor on top of the written path and remember these helpful commands:

gf	 open in the same window ("goto file")
f	 open in a new window (Ctrl-w f)
gf	 open in a new tab (Ctrl-w gf)

C preprocessor IV: VA Args

And things just got even more awesome in our preprocessor series: if just passing a known number of parameters is not cool enough for you you can use a variable number of arguments on a macro definition too. This is very useful to implement printf style debug macros which get replaced by no tokens on a release build. Or to make debugging a bit more complicated, your choice.

#define DEBUG(fmt, ...) printf(fmt, __VA_ARGS__);

Combining this with stringify will provide you hours of fun. Combining this with token pasting… well, that’s just evil.

Stopping commits on git

Who hasn’t commited debug code by mistake? It’s only normal to forget to remove an #include we added only to test some stuff. Luckily it’s easy to tell git that we don’t want to commit any changes with a certain string.

On any (git) repo you’ll find a .git/hooks folder; add this script in .git/hooks/pre-commit (and don’t forget to chmod +x it):


if [ 0 != `git diff | grep "STOPCOMMIT" | wc -l` ]; then
    echo "Error: STOPCOMMIT found, remove it before commiting";
    git diff
    exit 1

Now git will check your commits and stop them if they contain the STOPCOMMIT string. Now you can add all the debug changes you want, as long as you add a //STOPCOMMIT after them you’ll never end up commiting them by mistake.

C preprocessor III: Token pasting

A stringify operator is good but the token pasting operator goes off the awesomeness chart (if you’re working on an ioccc entry, that is). Actually, what token pasting does is conceptually simple: it will paste together two tokens to form a new one. So, for example, PASTE(foo, bar) would result in the “foobar” token. Looks simple enough, doesn’t it? The token pasting operator is invoked via ‘##’. For example:

#define PASTE(x, y) x ## y
#define FOOBAR 42
int main() { return PASTE(FOO, BAR); }

The previous code would just return 42. So what’s the usefulness of a paste operator? Other than obfuscating stuff, you can use it to create classes with similar interfaces but different method names (I’m not saying it’s a good idea, I’m saying you can). For example:

#define MAKE_GET_SET(x, T) \
               void set_ ## x (T o) { this->x = o; } \
               T get_ ## x () { return this->x; }
class Foo {
  MAKE_GET_SET(foo, int);

The token pasting operator doesn’t have the limitation of being applicable only to a macro parameter, so code like “12 ## 34” is a perfectly valid operation which results in “1234”. It does have a catch: if the resulting token is not valid the behavior is undefined. This means that, for example, pasting “12” and “foo” together produces “12foo”, which is not a valid token. Being the operation undefined means that a compiler might reject this operation (I’m pretty sure gcc does) or that it might do a completely different thing (it could choose to ignore the token pasting operator and it would still be standard compliant).
Nasal demons FTW!