tunnel interface names

dev at cyphermonks.org dev at cyphermonks.org
Fri Jun 1 04:55:26 AEST 2018

On 31.05.2018 03:03, Damien Miller wrote:
> On Wed, 30 May 2018, dev at cyphermonks.org wrote:
>> allow-hotplug /tap*=tap
>> iface tap inet manual
>> 	bridge hub
>> now some other client needs a specific config on the server or there
>> happens to be something else wanting to use a tap-interface for
>> something else => every single client's interface has to be configured
>> specifically, all interfaces have to be statically assigned to
>> clients, clients have to reserve every single interface they might
>> want to use in advance.
> Couldn't you avoid this by picking high numbers for the ones that you need
> specific configuration for? This would leave the rest free to choose "any"
> since they allocate lowest numbered tun/tap devices first.

i cannot match e.g. regexps, like tun(13|14|15|16|17), just wildcards, like tun*.
so as soon as there is more than one config for all (tun or tap), every interface has to be entered individually.

> E.g. by extending the existing PermitTunnel; something like:
> PermitTunnel 0:office1
> to indicate a client requesting device '0' gets interface "office1"
> (we'd probably need to flesh this out a little more...)

this sounds like all clients requesting 0 get office1 - i guess to be helpful this would have to be defined per client.
from my perspective and usecases this (per client mapping) would enable me to use the interface config as intended on the server side (client side the problem would not change), the extra indirection being just a complication (compared to just using full device names for devices), a configuration step to stumble over.

a bit out of the line, but i just realized that an option for the server to en-/disable each tunnel channel type would probably be generally desirable. i added a PermitTunTap simply working like PermitTunnel for the new channel type (and PermitTunnel is not regarded for the new channel type). so now the new channel type will not be accidentally enabled on PermitTunnel != no setups on upgrade.
(also, some leaks were fixed, btw - i think/hope there should be none left)

> Now, we're not totally stuck with the existing message format (it is

i guess for compatibility tun at openssh.com can't really be changed or replaced, and the message format is static per type if i got that right...
using a new channel type just seems like the canonical approach for this case.

> an extension after all), but adding a new message that includes names
> does impose a number of costs that I'd like to avoid if possible.

what costs do you mean?
(actually i was quite surprised that the feasibility check quickly turned into a working patch, and i was kind of delighted with what i found to be a very straightforward and relatively small-footprint solution just following the overall design)

> Would either of the above alternatives solve your use-cases?

mapping both client- and serverside (and per client) would make the intended interface config (boils down to "matching some different namespaces with wildcards") possible.
in my view the mapping would be a rather ugly part (mostly a config-obstacle).

at least in case of pubkeyauth, per-client tunnel mapping looks similar to me to an authorized_keys config with tunnel=office1 (i.e. changing (just) this option to full device name).
so as an example, this option uses the forced_tun_device variable, this would have to become a string then. forced_tun_device would then have to be handled differently and conversion to/from other device ids would be necessary - or alternatively all devices would internally have to be handled as strings. the new-channel-type patch changes forced_tun_device as well as the other device identifiers to string, and just maps between id-only syntax and full-name on in- or output.
and apart from that, the patch just adds the new channel type and the config option and that's it.

for mapping, a good place for per-client mapping definitions has to be found or added, device-handling will have to be dealt with in any way, and not simply using full device names internally seems to add more code and complexity, and mapping itself will probably also add more code and complexity than a new channel type.

so after all i'd currently say the transparent full interface name solution, and also the new channel type, seems to be preferable.

More information about the openssh-unix-dev mailing list