
gvproxy: Split --listen features in 2 separate args #425

@cfergeau


--listen defines the sockets that will be used for the gvproxy REST API:

```go
mux := http.NewServeMux()
mux.Handle("/services/", http.StripPrefix("/services", n.servicesMux))
mux.HandleFunc("/stats", func(w http.ResponseWriter, _ *http.Request) {
	_ = json.NewEncoder(w).Encode(statsAsJSON(n.networkSwitch.Sent, n.networkSwitch.Received, n.stack.Stats()))
})
mux.HandleFunc("/cam", func(w http.ResponseWriter, _ *http.Request) {
	_ = json.NewEncoder(w).Encode(n.networkSwitch.CAM())
})
mux.HandleFunc("/leases", func(w http.ResponseWriter, _ *http.Request) {
	_ = json.NewEncoder(w).Encode(n.ipPool.Leases())
})
mux.HandleFunc(types.ConnectPath, func(w http.ResponseWriter, _ *http.Request) {
	hj, ok := w.(http.Hijacker)
```

This exposes the /connect API endpoint, which is used for network connectivity when gvforwarder/vm is running in the guest, a /services endpoint providing port forwarding, DNS, DHCP, a /stat endpoint, ...

Since there are other ways to get network connectivity without using /connect (--listen-vfkit, --listen-bess, ...), it's desirable to be able to enable the service/stats/... endpoints without enabling /connect.

It's better to add separate option(s) for this, as at this point there could be users relying on the current behaviour of gvproxy --listen.

#78 is a distinct issue: the /services/forwarder API endpoint is unconditionally enabled in the guest, which might have security implications. Being able to disable it would be useful.
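A sketch of the split requested above, added here as an illustration and not taken from gvproxy or from the issue author: each endpoint group is registered only when enabled, so a listener can serve /services and /stats without exposing /connect. `EndpointConfig`, `NewMux` and `Status` are hypothetical names, and the handlers are stand-ins returning constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// EndpointConfig is a hypothetical set of switches; gvproxy has no such type.
type EndpointConfig struct {
	Services bool // /services/ (port forwarding, DNS, DHCP)
	Stats    bool // /stats, /cam, /leases
	Connect  bool // /connect, the guest network data path
}

// NewMux registers only the endpoint groups enabled in cfg.
func NewMux(cfg EndpointConfig, services http.Handler) *http.ServeMux {
	mux := http.NewServeMux()
	if cfg.Services {
		mux.Handle("/services/", http.StripPrefix("/services", services))
	}
	if cfg.Stats {
		for _, p := range []string{"/stats", "/cam", "/leases"} {
			mux.HandleFunc(p, func(w http.ResponseWriter, _ *http.Request) {
				_ = json.NewEncoder(w).Encode(map[string]string{"data": "constructed"})
			})
		}
	}
	if cfg.Connect {
		// Stand-in for the real handler, which hijacks the connection.
		mux.HandleFunc("/connect", func(w http.ResponseWriter, _ *http.Request) {
			w.WriteHeader(http.StatusOK)
		})
	}
	return mux
}

// Status returns the HTTP status code mux gives for a GET on path.
func Status(mux http.Handler, path string) int {
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	mux := NewMux(EndpointConfig{Services: true, Stats: true}, http.NotFoundHandler())
	fmt.Println("/stats:", Status(mux, "/stats"), "/connect:", Status(mux, "/connect"))
}
```

With `Connect` left false, a request to /connect falls through to the mux's default 404, which is a quick way to check from a client that the data-path endpoint is really absent on a given socket.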
