[OpenAFS] AFS over NAT

Ray Link rlink+@pitt.edu
Tue, 06 Aug 2002 21:32:50 -0400 (EDT) 

On Mon, 5 Aug 2002, Derek Atkins wrote:

> Having an AFS _server_ behind a NAT -- well, that can be problematic.

I'll chime in here with some info for Chris, because I've been looking
to do the same thing with the small AFS cell I run at home...

> First, you can only have one server.

Not really an issue for me, as it's only for a small cell that is not
mission-critical.  It essentially just serves out home directories and
user binaries to the webserver, shellbox, and various workstations
around the house.

If you're not doing anything that needs the redundancy of multiple
servers and volume replication, this limitation won't affect you much.

> Second, you still have the timeout issue.

Easy enough to fix with any sane NAT box.  My ipchains/ipmasq box does
this with a single command.  If your Linux NAT box is running ipchains,
the following will work for you:

/sbin/ipchains -M -S <TCP> <post-FIN TCP> <UDP>

Where the items between the < > are timeouts, in seconds, for TCP
sessions, TCP sessions after a "FIN" packet is received, and UDP
sessions.  I believe something around 10 minutes is recommended for
the UDP timeouts, so as to not break the AFS callbacks.  If you're not
using ipchains, I'm sure iptables has similar functionality.

> Third, you have to redirect all AFS UDP access from the NAT box to the server.

Easy enough.  People redirect inbound TCP/UDP to various machines all the
time to run various services from behind a NAT.

> Fourth, you need the server to
> advertise its 'NAT' address (i.e. the external address) so clients can
> contact the server.  This last part is probably the most difficult.

Absolutely.  This is the kicker.  This was actually implemented in
Transarc AFS 3.6 patch 1.  You could put a line in the NetInfo file
designated as a fake IP address, and the AFS server would hand that
external IP out to things like 'vos listaddrs' and external AFS
clients.

The problem with this is, though, that the code that builds the struct
of IP addresses in the OpenAFS sources doesn't check for those lines
designated as 'fake' IPs.  This would be easy enough to implement, but
there are other places in the code that expect that struct to contain
only valid IP addresses that are associated with interfaces on the
server.  They would likely barf upon seeing an IP that is not bound to
a local interface.  It would be neccessary to somehow populate a second
structure with only the valid IPs, to be used in those places of the
code.

I've exchanged some email privately with a few individuals about working
this functionality into OpenAFS, but we're all a little busy, so nothing
has come of it yet.

So anyways, the first three points Derek mentioned are fairly trivial to
accomodate, but the fourth is impossible without some changes to the
OpenAFS code.

==== Ray Link === University of Pittsburgh CSSD === rlink@pitt.edu ====

For some reason I was confusing "SubGenius" with "GNU" there.
        - The Cube, Forum 3000