Why does NetworkManager explicitly support tun/tap devices?
Apparently NetworkManager recently gained support for macvlan interfaces. I notice it also supports macvtap, and the patch shows it already had some support for tun/tap devices.
I thought tap interfaces are normally created by VM software. Then the interface can be joined to a bridge. Or either of tun/tap can have an IP address assigned, again often done by VM software like virt-manager/libvirt. For macvtap, there isn't even anything that NetworkManager could configure!
Alternatively, tun/tap devices are used for userspace network tunnels such as OpenVPN. But I don't understand why you would configure a raw tun/tap device using NetworkManager. You still need to run something like OpenVPN to drive data through the tun/tap device.
I just can't make sense of it.
Question: Can anyone think of a reason to create tun/tap/macvtap devices using NetworkManager?
Glossary
macvlan is an alternative to bridging for networking Virtual Machines. Apparently it avoids some overhead. I haven't worked out the corresponding limitations.
tun/tap network interfaces provide a corresponding character device, which allows virtual machine implementations to read/write network packets from the interface. tap works at layer 2 (ethernet); tun only works at layer 3 (IP).
macvtap provides the same character device, but packets either come out a physical device the macvtap was bound to, or are bridged to a different macvtap/macvlan device on the same physical interface.
It is sometimes useful to create a macvlan interface for the host as well.
Tags: linux, virtual-machine, networkmanager
I don't care about NetworkManager, but I don't like your contention that tun/tap is "normally" only used for vm networking or, worse for the straight-jacketing libvirt kind of it. You can do anything you want with a tun/tap device, including implementing any tunneling protocol you want. But even then, using a vm as a virtual router has uses -- I've used such a setup in the past out of expediency, because configuring non-trivial ipv6 networking is such a PITA on a standard linux distro, and easy on OpenWRT.
– mosvy
Jan 27 at 19:56
@mosvy I've added OpenVPN as a second example, hope you find this more likable.
– sourcejedi
Jan 27 at 20:23
asked Jan 17 '16 at 12:11 by sourcejedi
edited Jan 27 at 20:17 by sourcejedi
1 Answer
The idea is to allow otherwise unprivileged software such as a VM or tunnel manager to use a preconfigured tun/tap device so as to avoid the need of a setuid security hole or a special binary with specific capabilities which can be (mis-)used to raise privileges.
So this included a configuration for NM to enable IP forwarding? Otherwise the VM would only get to talk to the host. Tunnelling sounds plausible though.
– sourcejedi
Nov 5 '17 at 16:56
answered Nov 5 '17 at 16:09 by Steven Newbury