Re: [PATCH nfs-utils v2 05/12] getport: recognize "vsock" netid

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Jul 07, 2017 at 01:17:54PM +1000, NeilBrown wrote:
> On Fri, Jun 30 2017, Chuck Lever wrote:
> >
> > Wouldn't it be nicer if it worked like this:
> >
> > (guest)$ cat /etc/hosts
> > 129.0.0.2  localhyper
> > (guest)$ mount.nfs localhyper:/export /mnt
> >
> > And the result was a working NFS mount of the
> > local hypervisor, using whatever NFS version the
> > two both support, with no changes needed to the
> > NFS implementation or the understanding of the
> > system administrator?
> 
> Yes. Yes. Definitely Yes.
> Though I suspect you mean "127.0.0.2", not "129..."??
> 
> There must be some way to redirect TCP connections to some address
> transparently through to the vsock protocol.
> The "sshuttle" program does this to transparently forward TCP connections
> over an ssh connection.  Using a similar technique to forward
> connections over vsock shouldn't be hard.

Thanks for the sshuttle reference.  I've taken a look at it and the
underlying iptables extensions.

sshuttle does not have the ability to accept incoming connections but
that can be achieved by adding the IP to the loopback device.

Here is how bi-directional TCP connections can be tunnelled without
network interfaces:

  host           <-> vsock transport <-> guest
  129.0.0.2 (lo)                         129.0.0.2 (lo)
  129.0.0.3 (lo)                         129.0.0.3 (lo)

iptables REDIRECT is used to catch 129.0.0.2->.3 connections on the host
and 129.0.0.3->.2 connections in the guest.  A "connect" command is then
sent across the tunnel to establish a new TCP connection on the other
side.

Note that this isn't NAT since both sides see the correct IP addresses.

Unlike using a network interface (even tun/tap) this tunnelling approach
is restricted to TCP connections.  It doesn't have UDP, etc.

Issues:

1. Adding IPs to dev lo has side effects.  For example, firewall rules
   on dev lo will affect the traffic.  This alone probably prevents the
   approach from working without conflicts on existing guests.

2. Is there a safe address range to use?  Using IPv6 link-local
   addresses as suggested in this thread might work, especially when
   using an OUI so we can be sure there are no address collisions.

3. Performance has already been mentioned since a userspace process
   tunnels from loopback TCP to the vsock transport.  splice(2) can
   probably be used.

Stefan

Attachment: signature.asc
Description: PGP signature

[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux