On Mon, Sep 25, 2017 at 11:40:26PM -0400, J. Bruce Fields wrote:
> On Tue, Sep 26, 2017 at 12:08:07PM +1000, NeilBrown wrote:
> > Rather than a flag, it might work to use network namespaces.
> > Very early in the init sequence the filesystem gets mounted using the
> > IPv6 link-local address on a client->host interface, and then a new
> > network namespace is created which does not include that interface, and
> > which everything else including firewall code runs in. Maybe.
>
> That seems closer, since it allows you to hide the interface from most
> of the guest while letting some special software--qemu guest agent?--
> still work with it. That agent would also need to be the one to do the
> mount, and would need to be able to make that mount usable to the rest
> of the guest.

On the other hand, you're not *really* hiding it--system software in the
guest can certainly find the interface if it wants to. I don't know if
that's likely to cause any trouble in practice.

The same is true of VSOCK, I suppose. But VSOCK being designed
specifically for host<->guest communications, anyone monkeying with it
knows what they're doing and is responsible for the consequences, in a
way which someone dealing with ordinary network interfaces and
namespaces isn't.

--b.
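A shell sketch of the namespace split Neil floats above, added here as an example; it is not code from this thread or from any project. The interface name, namespace name, export path and host link-local address are assumptions, as is the `[addr%iface]` zone-id form for the mount source; the final check shows the point Bruce makes, that the initial namespace still sees the interface even though the new one does not.

```shell
#!/bin/sh
# Sketch: mount over the host-facing link-local address in the initial
# namespace, then move every other interface into a fresh namespace in
# which the rest of the guest (firewall included) would run.
set -eu

HOST_IF="${HOST_IF:-eth1}"      # assumed client->host interface
NS="${NS:-guest}"               # assumed namespace for the rest of the guest
HOST_LL="${HOST_LL:-fe80::1}"   # assumed host link-local address
EXPORT="${EXPORT:-/export}"     # assumed NFS export path
MNT="${MNT:-/mnt/host}"

# Pure helper: from `ip -o link show` output on stdin, print the
# interfaces to move, i.e. everything except loopback and $1.
ifaces_to_move() {
    awk -v keep="$1" -F': ' '{
        sub(/@.*/, "", $2);                     # drop "@ifN" peer suffix
        if ($2 != "lo" && $2 != keep) print $2
    }'
}

# Returns success when interface $2 is not visible inside namespace $1.
iface_hidden() {
    ! ip netns exec "$1" ip link show "$2" >/dev/null 2>&1
}

split_namespaces() {
    # Mount first, while the host-facing interface is still in this namespace.
    mount -t nfs "[${HOST_LL}%${HOST_IF}]:${EXPORT}" "$MNT"
    ip netns add "$NS"
    ip -o link show | ifaces_to_move "$HOST_IF" | while read -r dev; do
        ip link set "$dev" netns "$NS"
    done
    ip netns exec "$NS" ip link set lo up
    iface_hidden "$NS" "$HOST_IF" && echo "hidden from $NS"
    # Not really hidden: anything left in the initial namespace still sees it.
    ip link show "$HOST_IF" >/dev/null && echo "still visible in the initial namespace"
}

# Needs root and reconfigures the guest's networking, so only run on request.
if [ "${1:-}" = "--run" ]; then
    split_namespaces
fi
```

The namespace move leaves the rest of the guest without its original resolver and routes, so a real init would have to recreate those inside the new namespace as well.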