Netstack: General questions regarding my netstack-based project


Clark McCauley

Dec 6, 2022, 11:36:00 PM
to gVisor Users [Public]
These questions are probably more general-networking related rather than netstack-specific, but I'll post them here anyways. I'm working on a project that uses gvisor's netstack to basically create a virtual/remote network interface card. The idea is that as long as you have a secure net.Conn between two machines in place already, you can create a network interface from one machine to another machine, or in other words, machine 1 can dial IP addresses that are accessible locally to machine 2. That's the idea at least.

I've got a working proof-of-concept, but I'm struggling to understand why I had to jump through these three hurdles:
  • On my exit netstack, I had to add a route for the IP addresses that I wanted to make accessible to the entrance netstack, as well as a route for the IP address of the entrance netstack. If there wasn't a route back to the entrance netstack, then I could TCP dial-out, but I would get nothing back. Why is this necessary?
  • How does the concept of a gateway come into play here? I know I have to specify a gateway address on both the entrance and exit netstacks, but I'm wondering why everything works even if the gateway is arbitrary, and what the gateway is used for under-the-hood. My understanding was that the gateway was usually referring to the router between network interface cards on machines and the internet itself, but since there is no internet, just a connection between two netstacks, what does the gateway do?
  • I've assigned the same IP address arbitrarily to both the netstack's nic and the gateway address and everything seems to work properly. Is this okay? And why does this work?
Thanks ahead of time. I'm still very much on the learning side of these networking concepts, so any help would be much appreciated.

Thanks,

Clark

Etienne Perot

Dec 7, 2022, 2:11:19 PM
to Clark McCauley, gVisor Users [Public], Bhasker Hariharan, Lucas Manning
Adding folks who can probably help here.


Kevin Krakauer

Dec 7, 2022, 7:17:21 PM
to Etienne Perot, Clark McCauley, gVisor Users [Public], Bhasker Hariharan, Lucas Manning
Cool project, and glad to see netstack used in new places.

> On my exit netstack, I had to add a route for the IP addresses that I wanted to make accessible to the entrance netstack, as well as a route for the IP address of the entrance netstack. If there wasn't a route back to the entrance netstack, then I could TCP dial-out, but I would get nothing back. Why is this necessary?

I'm not sure, although maybe I don't understand the implementation specifics here. If the entrance NS is establishing a TCP connection to a listening exit NS, I don't think the exit NS needs to be told the route to the entrance: it will use the incoming NIC and source address for routing. But if you're connecting the other way (exit->entrance), the lack of a route should prevent even establishing a connection.

> How does the concept of a gateway come into play here? I know I have to specify a gateway address on both the entrance and exit netstacks, but I'm wondering why everything works even if the gateway is arbitrary, and what the gateway is used for under-the-hood. My understanding was that the gateway was usually referring to the router between network interface cards on machines and the internet itself, but since there is no internet, just a connection between two netstacks, what does the gateway do?

You're specifying the gateway for the route, not the entire netstack. When a packet is sent via a route, the gateway is the "next hop" node. The gateway's link layer (ethernet usually) addresses are used to send the packet to that next hop.
On a home network each machine usually has a catch-all route that sends all non-local traffic to the router, which is the definition of gateway you're thinking of. In that context the router is the "gateway", and this is represented by the catch-all rule that sends traffic to the router.
It looks like (correct me if I'm wrong) you're sending packets via a channel.Endpoint, which is a wrapper around a Go channel. Since there're only two ends to the channel, the actual gateway address is moot -- everything sent in one end of the interface comes out the other end.

> I've assigned the same IP address arbitrarily to both the netstack's nic and the gateway address and everything seems to work properly. Is this okay? And why does this work?

Same answer as above: the gateway address is irrelevant here.
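
The point about the gateway being moot on a two-ended link, as an added example that is not part of the thread and is not netstack code: a simplified route table with longest-prefix match feeding either a point-to-point link or a multi-access link that must resolve the next hop. The `Route`, `Link` and `Deliver` names and all addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Route has the fields discussed in the thread: destination, gateway, NIC.
type Route struct {
	Dest    netip.Prefix
	Gateway netip.Addr // zero value: on-link, next hop is the destination
	NIC     int
}

// Link is a toy link layer: one fixed peer (point-to-point), or a
// neighbor table that must resolve the next hop (multi-access, ARP-like).
type Link struct {
	PointToPoint bool
	Peer         string
	Neighbors    map[netip.Addr]string
}

// Deliver returns the node receiving a packet for dst, or "" if dropped.
func Deliver(table []Route, links map[int]Link, dst netip.Addr) string {
	var best *Route
	for i, r := range table { // longest-prefix match
		if r.Dest.Contains(dst) && (best == nil || r.Dest.Bits() > best.Dest.Bits()) {
			best = &table[i]
		}
	}
	if best == nil {
		return "" // no route: dropped before any link is chosen
	}
	hop := dst
	if best.Gateway.IsValid() {
		hop = best.Gateway
	}
	if l := links[best.NIC]; l.PointToPoint {
		return l.Peer // next hop is never consulted
	} else {
		return l.Neighbors[hop] // unresolved next hop yields ""
	}
}

func main() {
	ip := netip.MustParseAddr
	table := []Route{{netip.MustParsePrefix("10.1.0.0/16"), ip("192.0.2.99"), 1}}
	p2p := map[int]Link{1: {PointToPoint: true, Peer: "exit"}}
	fmt.Println(Deliver(table, p2p, ip("10.1.2.3"))) // constructed addresses
}
```

In this model the same arbitrary gateway that works over the point-to-point link causes a drop on the multi-access link, because there the next hop has to resolve to a real neighbor.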
