From: "J. Bruce Fields" <bfields@fieldses.org>
To: NeilBrown <neilb@suse.com>
Cc: "Daniel P. Berrange" <berrange@redhat.com>,
Chuck Lever <chuck.lever@oracle.com>,
Steven Whitehouse <swhiteho@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
Steve Dickson <SteveD@redhat.com>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
Matt Benjamin <mbenjami@redhat.com>,
Jeff Layton <jlayton@redhat.com>,
Justin Mitchell <jumitche@redhat.com>
Subject: Re: [PATCH nfs-utils v3 00/14] add NFS over AF_VSOCK support
Date: Mon, 25 Sep 2017 23:40:26 -0400 [thread overview]
Message-ID: <20170926034026.GA19283@fieldses.org> (raw)
In-Reply-To: <87efqu6wl4.fsf@notabene.neil.brown.name>
On Tue, Sep 26, 2017 at 12:08:07PM +1000, NeilBrown wrote:
> On Fri, Sep 22 2017, Daniel P. Berrange wrote:
> > This just isn't practical in the general case. Even on a single Linux OS
> > distro there are multiple ways to manage firewalls (Fedora as a static
> > init script, or firewalld, and many users invent their own personal way
> > of doing it). There are countless other OS, many closed source with 3rd
> > party firewall products in use. And then there are the firewall policies
> > defined by organization's IT departments that mandate particular ways of
> > doing things with layers of approval to go through to get changes made.
> >
> > IOW, while improving firewall configuraiton is a worthy goal, it isn't
> > a substitute for host<->guest file system sharing over a non-network
> > based transport.
>
> I don't find this argument at all convincing.
>
> The main selling point for VSOCK seems to be that it bypassed all
> firewalls. i.e. traffic through a VSOCK is immune to any netfilter
> settings.
>
> If "traffic immune to any netfilter settings" is a useful thing (and I'm
> quite willing to believe that it is), then let's focus on that goal. It
> might be useful well beyond NFS and VMs.
>
> How about a flag for a network interface which says "disable netfilter"??
Sounds like network configuration tools in general are a problem, so
it'd probably need to disable more than just netfilter.
But if iptable configuration and other operations start failing or
behaving strangely on one special interface, I'd worry that stuff will
break.
So I think you'd really want the interface completely hidden.
Except that you still want to configure the interface yourself using the
usual interfaces. So:
> Rather than a flag, it might work to use network namespaces.
> Very early in the init sequence the filesystem gets mounted using the
> IPv6 link-local address on a client->host interface, and then a new
> network namespace is created which does not include that interface, and
> which everything else including firewall code runs in. Maybe.
That seems closer, since it allows you to hide the interface from most
of the guest while letting some special software--qemu guest agent?--
still work with it. That agent would also need to be the one to do the
mount, and would need to be able to make that mount usable to the rest
of the guest.
Sounds doable to me?
There's still the problem of the paranoid security bureaucracy.
It should be pretty easy to demonstrate that the host only allows
point-to-point traffic on these interfaces. I'd hope that that, plus
the appeal of the feature, would be enough to win out in the end. This
is not a class of problem that I have experience dealing with, though!
--b.
next prev parent reply other threads:[~2017-09-26 3:40 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-13 10:26 [PATCH nfs-utils v3 00/14] add NFS over AF_VSOCK support Stefan Hajnoczi
2017-09-13 10:26 ` [PATCH nfs-utils v3 01/14] mount: don't use IPPROTO_UDP for address resolution Stefan Hajnoczi
2017-09-13 10:26 ` [PATCH nfs-utils v3 02/14] nfs-utils: add vsock.h Stefan Hajnoczi
2017-09-13 10:26 ` [PATCH nfs-utils v3 03/14] nfs-utils: add AF_VSOCK support to sockaddr.h Stefan Hajnoczi
2017-09-13 10:26 ` [PATCH nfs-utils v3 04/14] mount: present AF_VSOCK addresses Stefan Hajnoczi
2017-09-13 10:26 ` [PATCH nfs-utils v3 05/14] mount: accept AF_VSOCK in nfs_verify_family() Stefan Hajnoczi
2017-09-13 10:26 ` [PATCH nfs-utils v3 06/14] mount: generate AF_VSOCK clientaddr Stefan Hajnoczi
2017-09-13 10:26 ` [PATCH nfs-utils v3 07/14] getport: recognize "vsock" netid Stefan Hajnoczi
2017-09-13 10:26 ` [PATCH nfs-utils v3 08/14] mount: AF_VSOCK address parsing Stefan Hajnoczi
2017-09-13 10:26 ` [PATCH nfs-utils v3 09/14] exportfs: introduce host_freeaddrinfo() Stefan Hajnoczi
2017-09-13 10:26 ` [PATCH nfs-utils v3 10/14] exportfs: add AF_VSOCK address parsing and printing Stefan Hajnoczi
2017-09-13 10:26 ` [PATCH nfs-utils v3 11/14] exportfs: add AF_VSOCK support to set_addrlist() Stefan Hajnoczi
2017-09-13 10:26 ` [PATCH nfs-utils v3 12/14] exportfs: add support for "vsock:" exports(5) syntax Stefan Hajnoczi
2017-09-13 10:26 ` [PATCH nfs-utils v3 13/14] nfsd: add --vsock (-v) option to nfsd Stefan Hajnoczi
2017-09-13 10:26 ` [PATCH nfs-utils v3 14/14] tests: add "vsock:" exports(5) test case Stefan Hajnoczi
2017-09-13 16:21 ` [PATCH nfs-utils v3 00/14] add NFS over AF_VSOCK support Christoph Hellwig
2017-09-13 18:18 ` [nfsv4] " David Noveck
2017-09-13 18:21 ` Chuck Lever
2017-09-15 11:52 ` Stefan Hajnoczi
2017-09-13 22:39 ` NeilBrown
2017-09-14 15:39 ` Steve Dickson
2017-09-14 15:55 ` Steve Dickson
2017-09-14 17:37 ` J . Bruce Fields
2017-09-15 11:07 ` Jeff Layton
2017-09-15 15:17 ` J . Bruce Fields
2017-09-15 23:29 ` NeilBrown
2017-09-16 14:55 ` J . Bruce Fields
2017-09-15 13:12 ` Stefan Hajnoczi
2017-09-15 13:31 ` J . Bruce Fields
2017-09-15 13:59 ` Chuck Lever
2017-09-15 16:42 ` J. Bruce Fields
2017-09-16 15:55 ` Chuck Lever
2017-09-18 18:09 ` Stefan Hajnoczi
2017-09-19 9:31 ` Daniel P. Berrange
2017-09-19 14:35 ` Chuck Lever
2017-09-19 15:10 ` Daniel P. Berrange
2017-09-19 15:48 ` Chuck Lever
2017-09-19 16:44 ` Daniel P. Berrange
2017-09-19 17:24 ` J. Bruce Fields
2017-09-21 17:00 ` Stefan Hajnoczi
2017-09-22 9:55 ` Steven Whitehouse
2017-09-22 11:32 ` Jeff Layton
2017-09-22 12:08 ` Matt Benjamin
2017-09-22 12:26 ` Jeff Layton
2017-09-22 15:28 ` Stefan Hajnoczi
2017-09-22 16:23 ` Daniel P. Berrange
2017-09-22 18:31 ` Chuck Lever
2017-09-25 8:14 ` Daniel P. Berrange
2017-09-25 10:31 ` Chuck Lever
2017-09-22 11:43 ` Chuck Lever
2017-09-22 11:55 ` Daniel P. Berrange
2017-09-22 12:00 ` Chuck Lever
2017-09-22 12:10 ` Daniel P. Berrange
2017-09-22 19:14 ` J. Bruce Fields
2017-09-25 8:30 ` Daniel P. Berrange
2017-09-26 2:08 ` NeilBrown
2017-09-26 3:40 ` J. Bruce Fields [this message]
2017-09-26 10:56 ` Stefan Hajnoczi
2017-09-26 11:07 ` Daniel P. Berrange
2017-09-26 18:32 ` J. Bruce Fields
2017-09-27 0:45 ` NeilBrown
2017-09-27 13:05 ` Stefan Hajnoczi
2017-09-27 22:21 ` NeilBrown
2017-09-28 10:44 ` Stefan Hajnoczi
2017-09-27 13:35 ` J. Bruce Fields
2017-09-27 22:25 ` NeilBrown
2017-09-26 13:39 ` J. Bruce Fields
2017-09-26 13:42 ` J. Bruce Fields
2017-09-27 12:22 ` Stefan Hajnoczi
2017-09-27 13:46 ` J. Bruce Fields
2017-09-28 10:34 ` Stefan Hajnoczi
2017-09-19 17:37 ` Stefan Hajnoczi
2017-09-19 19:56 ` Chuck Lever
2017-09-19 20:42 ` J. Bruce Fields
2017-09-19 21:09 ` Chuck Lever
2017-09-20 13:16 ` J. Bruce Fields
2017-09-20 14:40 ` Chuck Lever
2017-09-20 14:45 ` J. Bruce Fields
2017-09-20 14:59 ` Chuck Lever
2017-09-20 15:25 ` Frank Filz
2017-09-20 18:17 ` Trond Myklebust
2017-09-20 18:34 ` bfields
2017-09-20 18:38 ` Trond Myklebust
2017-09-21 16:20 ` Stefan Hajnoczi
2017-09-20 14:58 ` Daniel P. Berrange
2017-09-20 16:39 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170926034026.GA19283@fieldses.org \
--to=bfields@fieldses.org \
--cc=SteveD@redhat.com \
--cc=berrange@redhat.com \
--cc=chuck.lever@oracle.com \
--cc=jlayton@redhat.com \
--cc=jumitche@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=mbenjami@redhat.com \
--cc=neilb@suse.com \
--cc=stefanha@redhat.com \
--cc=swhiteho@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).