Date: Mon, 18 Sep 2023 12:23:23 +1000
From: David Gibson
To: Stefano Brivio
CC: Nikolay Edigaryev, passt-dev@passt.top
Subject: Re: [PATCH] passt: introduce --fd-is-tap to allow passing TAP file descriptor
References: <20230915142152.73499-1-edigaryev@gmail.com> <20230916143241.2a7b6c77@elisabeth>
In-Reply-To: <20230916143241.2a7b6c77@elisabeth>
List-Id: Development discussion and patches for passt

On Sat, Sep 16, 2023 at 02:34:06PM +0200, Stefano Brivio wrote:
> Hi Nikolay,
>
> On Fri, 15 Sep 2023 18:21:52 +0400
> Nikolay Edigaryev wrote:
>
> > Problem: I have a Cloud Hypervisor virtual machine that needs both
> > (1) an internet access without fiddling with iptables/Netfilter and
> > (2) VM <-> host access (to be able to provision this VM over SSH)
> > without dealing with passt port forwarding it doesn't seem to be
> > possible to map the whole IP address, yet the users expect an IP
> > instead of IP:port combination.
> >
> > Requirement #1 is why I've chosen passt and it's pretty much
> > satisfied (thank you for this great piece of software!).
>
> And thanks for the patches! I'm glad to hear it's useful for you (and
> with Cloud Hypervisor :)).
>
> Two comments:
>
> > Requirement #2 implies some kind of bridge interface on the host
> > with one TAP interface for the VM and the other for the passt.
> >
> > However, only pasta can accept TAP interface FDs in its -F/--fd,
> > which is OK, but it also configures unneeded namespacing, which in
> > turn results in unneeded complexity and performance overhead due
> > to the need of involving veth pairs to break away from the pasta
> > namespace to the host for the requirement #2 to be satisfied.
> >
> > I've also considered proxying the UNIX domain socket communication
> > to/from a TAP interface in my own Golang code, but it incurs
> > significant performance overhead.
> >
> > On the other hand passt seems to already be able to do everything I need,
> > it just needs some guidance on which type of FD it's dealing with.
> >
> > Solution: introduce --fd-is-tap command-line flag to tell passt
> > which type of FD it's being passed to and force it to use appropriate
> > system calls and offset calculation.
>
> Did you consider adding another parameter altogether, such as --tap-fd?
>
> I'm asking because we recently got a request to add another (similar)
> interface on that "side", that is, a VSOCK file descriptor, for usage
> with podman-machine. At that point, a further --fd-is-vsock would look
> a bit awkward.
>
> Further, David Gibson is working on a generalised flow table approach
> which *should* also allow us to have multiple "taps"... and at that
> point, somebody might want to pass multiple "--tap-fd" or -F options.
>
> I didn't really evaluate if there are drawbacks to that, though --
> maybe it's a lot more code.

I second that point. I think having a different option for passing an
fd is a much better interface design than having a secondary option
which affects the interpretation of another one.

> > This patch also clarifies the -F/--fd description for pasta to note
> > that we're expecting a TAP device and not a UNIX domain socket.
>
> You should add a Signed-off-by tag here (but in general I can fix up
> tags myself on merge). Other than that, the patch looks good to me in a
> general sense.
>

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson