Why does NetworkManager explicitly support tun/tap devices?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












2















Apparently NetworkManager recently gained support for macvlan interfaces. I notice it also supports macvtap, and the patch shows it already had some support for tun/tap devices.



I thought tap interfaces are normally created by VM software. Then the interface can be joined to a bridge. Or either of tun/tap can have an IP address assigned, again often done by VM software like virt-manager/libvirt. For macvtap, there isn't even anything that NetworkManager could configure!



Alternatively, tun/tap devices are used for userspace network tunnels such as OpenVPN. But I don't understand why you would configure a raw tun/tap device using NetworkManager. You still need to run something like OpenVPN to drive data through the tun/tap device.



I just can't make sense of it.



Question: Can anyone think of a reason to create tun/tap/macvtap devices using NetworkManager?




Glossary



macvlan is an alternative to bridging for networking Virtual Machines. Apparently it avoids some overhead. I haven't worked out the corresponding limitations.



tun/tap network interfaces provide a corresponding character device, which allows virtual machine implementations to read/write network packets from the interface. tap works at layer 2 (ethernet); tun only works at layer 3 (IP).



macvtap provides the same character device, but packets either come out a physical device the macvtap was bound to, or are bridged to a different macvtap/macvlan device on the same physical interface.



It is sometimes useful to create a macvlan interface for the host as well.










share|improve this question
























  • I don't care about NetworkManager, but I don't like your contention that tun/tap is "normally" only used for vm networking or, worse for the straight-jacketing libvirt kind of it. You can do anything you want with a tun/tap device, including implementing any tunneling protocol you want. But even then, using a vm as a virtual router has uses -- I've used such a setup in the past out of expediency, because configuring non-trivial ipv6 networking is such a PITA on a standard linux distro, and easy on OpenWRT.

    – mosvy
    Jan 27 at 19:56












  • @mosvy I've added OpenVPN as a second example, hope you find this more likable.

    – sourcejedi
    Jan 27 at 20:23
















2















Apparently NetworkManager recently gained support for macvlan interfaces. I notice it also supports macvtap, and the patch shows it already had some support for tun/tap devices.



I thought tap interfaces are normally created by VM software. Then the interface can be joined to a bridge. Or either of tun/tap can have an IP address assigned, again often done by VM software like virt-manager/libvirt. For macvtap, there isn't even anything that NetworkManager could configure!



Alternatively, tun/tap devices are used for userspace network tunnels such as OpenVPN. But I don't understand why you would configure a raw tun/tap device using NetworkManager. You still need to run something like OpenVPN to drive data through the tun/tap device.



I just can't make sense of it.



Question: Can anyone think of a reason to create tun/tap/macvtap devices using NetworkManager?




Glossary



macvlan is an alternative to bridging for networking Virtual Machines. Apparently it avoids some overhead. I haven't worked out the corresponding limitations.



tun/tap network interfaces provide a corresponding character device, which allows virtual machine implementations to read/write network packets from the interface. tap works at layer 2 (ethernet); tun only works at layer 3 (IP).



macvtap provides the same character device, but packets either come out a physical device the macvtap was bound to, or are bridged to a different macvtap/macvlan device on the same physical interface.



It is sometimes useful to create a macvlan interface for the host as well.










share|improve this question
























  • I don't care about NetworkManager, but I don't like your contention that tun/tap is "normally" only used for vm networking or, worse for the straight-jacketing libvirt kind of it. You can do anything you want with a tun/tap device, including implementing any tunneling protocol you want. But even then, using a vm as a virtual router has uses -- I've used such a setup in the past out of expediency, because configuring non-trivial ipv6 networking is such a PITA on a standard linux distro, and easy on OpenWRT.

    – mosvy
    Jan 27 at 19:56












  • @mosvy I've added OpenVPN as a second example, hope you find this more likable.

    – sourcejedi
    Jan 27 at 20:23














2












2








2


1






Apparently NetworkManager recently gained support for macvlan interfaces. I notice it also supports macvtap, and the patch shows it already had some support for tun/tap devices.



I thought tap interfaces are normally created by VM software. Then the interface can be joined to a bridge. Or either of tun/tap can have an IP address assigned, again often done by VM software like virt-manager/libvirt. For macvtap, there isn't even anything that NetworkManager could configure!



Alternatively, tun/tap devices are used for userspace network tunnels such as OpenVPN. But I don't understand why you would configure a raw tun/tap device using NetworkManager. You still need to run something like OpenVPN to drive data through the tun/tap device.



I just can't make sense of it.



Question: Can anyone think of a reason to create tun/tap/macvtap devices using NetworkManager?




Glossary



macvlan is an alternative to bridging for networking Virtual Machines. Apparently it avoids some overhead. I haven't worked out the corresponding limitations.



tun/tap network interfaces provide a corresponding character device, which allows virtual machine implementations to read/write network packets from the interface. tap works at layer 2 (ethernet); tun only works at layer 3 (IP).



macvtap provides the same character device, but packets either come out a physical device the macvtap was bound to, or are bridged to a different macvtap/macvlan device on the same physical interface.



It is sometimes useful to create a macvlan interface for the host as well.










share|improve this question
















Apparently NetworkManager recently gained support for macvlan interfaces. I notice it also supports macvtap, and the patch shows it already had some support for tun/tap devices.



I thought tap interfaces are normally created by VM software. Then the interface can be joined to a bridge. Or either of tun/tap can have an IP address assigned, again often done by VM software like virt-manager/libvirt. For macvtap, there isn't even anything that NetworkManager could configure!



Alternatively, tun/tap devices are used for userspace network tunnels such as OpenVPN. But I don't understand why you would configure a raw tun/tap device using NetworkManager. You still need to run something like OpenVPN to drive data through the tun/tap device.



I just can't make sense of it.



Question: Can anyone think of a reason to create tun/tap/macvtap devices using NetworkManager?




Glossary



macvlan is an alternative to bridging for networking Virtual Machines. Apparently it avoids some overhead. I haven't worked out the corresponding limitations.



tun/tap network interfaces provide a corresponding character device, which allows virtual machine implementations to read/write network packets from the interface. tap works at layer 2 (ethernet); tun only works at layer 3 (IP).



macvtap provides the same character device, but packets either come out a physical device the macvtap was bound to, or are bridged to a different macvtap/macvlan device on the same physical interface.



It is sometimes useful to create a macvlan interface for the host as well.







linux virtual-machine networkmanager






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 27 at 20:17







sourcejedi

















asked Jan 17 '16 at 12:11









sourcejedisourcejedi

24.3k440107




24.3k440107












  • I don't care about NetworkManager, but I don't like your contention that tun/tap is "normally" only used for vm networking or, worse for the straight-jacketing libvirt kind of it. You can do anything you want with a tun/tap device, including implementing any tunneling protocol you want. But even then, using a vm as a virtual router has uses -- I've used such a setup in the past out of expediency, because configuring non-trivial ipv6 networking is such a PITA on a standard linux distro, and easy on OpenWRT.

    – mosvy
    Jan 27 at 19:56












  • @mosvy I've added OpenVPN as a second example, hope you find this more likable.

    – sourcejedi
    Jan 27 at 20:23


















  • I don't care about NetworkManager, but I don't like your contention that tun/tap is "normally" only used for vm networking or, worse for the straight-jacketing libvirt kind of it. You can do anything you want with a tun/tap device, including implementing any tunneling protocol you want. But even then, using a vm as a virtual router has uses -- I've used such a setup in the past out of expediency, because configuring non-trivial ipv6 networking is such a PITA on a standard linux distro, and easy on OpenWRT.

    – mosvy
    Jan 27 at 19:56












  • @mosvy I've added OpenVPN as a second example, hope you find this more likable.

    – sourcejedi
    Jan 27 at 20:23

















I don't care about NetworkManager, but I don't like your contention that tun/tap is "normally" only used for vm networking or, worse for the straight-jacketing libvirt kind of it. You can do anything you want with a tun/tap device, including implementing any tunneling protocol you want. But even then, using a vm as a virtual router has uses -- I've used such a setup in the past out of expediency, because configuring non-trivial ipv6 networking is such a PITA on a standard linux distro, and easy on OpenWRT.

– mosvy
Jan 27 at 19:56






I don't care about NetworkManager, but I don't like your contention that tun/tap is "normally" only used for vm networking or, worse for the straight-jacketing libvirt kind of it. You can do anything you want with a tun/tap device, including implementing any tunneling protocol you want. But even then, using a vm as a virtual router has uses -- I've used such a setup in the past out of expediency, because configuring non-trivial ipv6 networking is such a PITA on a standard linux distro, and easy on OpenWRT.

– mosvy
Jan 27 at 19:56














@mosvy I've added OpenVPN as a second example, hope you find this more likable.

– sourcejedi
Jan 27 at 20:23






@mosvy I've added OpenVPN as a second example, hope you find this more likable.

– sourcejedi
Jan 27 at 20:23











1 Answer
1






active

oldest

votes


















1














The idea is to allow otherwise unprivileged software such as a VM or tunnel manager to use a preconfigured tun/tap device so as to avoid the need of a setuid security hole or a special binary with specific capabilities which can be (mis-)used to raise privileges.






share|improve this answer























  • So this included a configuration for NM to enable IP forwarding? Otherwise the VM would only get to talk to the host. Tunnelling sounds plausible though.

    – sourcejedi
    Nov 5 '17 at 16:56










Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f255867%2fwhy-does-networkmanager-explicitly-support-tun-tap-devices%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














The idea is to allow otherwise unprivileged software such as a VM or tunnel manager to use a preconfigured tun/tap device so as to avoid the need of a setuid security hole or a special binary with specific capabilities which can be (mis-)used to raise privileges.






share|improve this answer























  • So this included a configuration for NM to enable IP forwarding? Otherwise the VM would only get to talk to the host. Tunnelling sounds plausible though.

    – sourcejedi
    Nov 5 '17 at 16:56















1














The idea is to allow otherwise unprivileged software such as a VM or tunnel manager to use a preconfigured tun/tap device so as to avoid the need of a setuid security hole or a special binary with specific capabilities which can be (mis-)used to raise privileges.






share|improve this answer























  • So this included a configuration for NM to enable IP forwarding? Otherwise the VM would only get to talk to the host. Tunnelling sounds plausible though.

    – sourcejedi
    Nov 5 '17 at 16:56













1












1








1







The idea is to allow otherwise unprivileged software such as a VM or tunnel manager to use a preconfigured tun/tap device so as to avoid the need of a setuid security hole or a special binary with specific capabilities which can be (mis-)used to raise privileges.






share|improve this answer













The idea is to allow otherwise unprivileged software such as a VM or tunnel manager to use a preconfigured tun/tap device so as to avoid the need of a setuid security hole or a special binary with specific capabilities which can be (mis-)used to raise privileges.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 5 '17 at 16:09









Steven NewburySteven Newbury

111




111












  • So this included a configuration for NM to enable IP forwarding? Otherwise the VM would only get to talk to the host. Tunnelling sounds plausible though.

    – sourcejedi
    Nov 5 '17 at 16:56

















  • So this included a configuration for NM to enable IP forwarding? Otherwise the VM would only get to talk to the host. Tunnelling sounds plausible though.

    – sourcejedi
    Nov 5 '17 at 16:56
















So this included a configuration for NM to enable IP forwarding? Otherwise the VM would only get to talk to the host. Tunnelling sounds plausible though.

– sourcejedi
Nov 5 '17 at 16:56





So this included a configuration for NM to enable IP forwarding? Otherwise the VM would only get to talk to the host. Tunnelling sounds plausible though.

– sourcejedi
Nov 5 '17 at 16:56

















draft saved

draft discarded
















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f255867%2fwhy-does-networkmanager-explicitly-support-tun-tap-devices%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?