Currently I am working on designing a network. The problem is that at a certain point I got confronted with a weird request. The client has had some thoughts of her/his own. Now I am troubled because my knowledge in this matter is not deep enough. I cannot pinpoint whether there are inherent problems with the request on its own and, if there are, how to convey them to the client. The request applies to two servers in particular and is as follows:
Physical network (simplified):

    router.eth0 <--> switch.eth0 | switch.eth1 <--> server1.eth0 | server1.eth1 <--> server2.eth0

Logical network:

    +----------+        +----------+        +----------+        +----------+
    |  router  |        |  switch  |        | server1  |        | server2  |
    | untagged | <----> | untagged |        |          |        |          |
    +----------+        | vlan 10  | <------+----------+------> | vlan 10  |
                        |          |        | untagged | <----> | untagged |
                        +----------+        +----------+        +----------+
So every request from the router is first tagged to vlan 10 and sent to server1. server1 then forwards those packets onward to server2 while server1 is not reacting to vlan 10 packets. After that server2 untags the packets from vlan 10 and, depending on the packet's content, forwards some of them back to server1 or processes them itself. Finally server1 can respond to those packets as they are now untagged.
To preempt some suggestions: I know that it would be easier to just connect server2 directly to the router and server1 to server2 but the client insists on going that way if there are no security problems with this approach. The client also sets it as a requirement that all packets directed at server1 have to be processed by server2.
My problem now is whether an attacker could compromise this setup. Suppose he gains control over the router. Can the attacker use the flow of packets through server1 to his advantage (excluding denial of service)? Could the attacker, for example, forge packets which are directly addressed to server1 and do not flow through server2?
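One way to enforce the described flow on server1, as an added example that is not part of the original question: server1 is assumed to be a Linux host acting as a bridge between eth0 (switch side) and eth1 (server2 side), filtered with nftables in the bridge family so that only VLAN 10 tagged frames transit it and only untagged frames from server2 ever reach its own stack. The interface names follow the diagram; `br0`, the address 192.0.2.10/24 and the use of Linux + nftables are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). server1 bridges eth0 and eth1,
# passes only VLAN 10 tagged frames between them, and accepts untagged frames
# for its own IP stack only when they arrive from server2 on eth1.
# Assumed: Linux with iproute2 + nftables; br0 and 192.0.2.10/24 are placeholders.
set -eu

# Print the nftables ruleset instead of applying it, so the policy can be
# reviewed (and checked below) before it is fed to `nft -f`.
render_nft_ruleset() {
    cat <<'EOF'
table bridge server1 {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Only tagged VLAN 10 frames may transit server1, in either direction;
        # an untagged frame arriving on eth0 is dropped instead of forwarded.
        iifname "eth0" oifname "eth1" vlan id 10 accept
        iifname "eth1" oifname "eth0" vlan id 10 accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        # Frames for server1's own stack must be untagged and come from server2.
        # No eth0.10 subinterface exists, so tagged frames never reach the stack.
        iifname "eth1" ether type != vlan accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        # server1's own replies only ever leave towards server2.
        oifname "eth1" accept
    }
}
EOF
}

# Bring up the bridge with VLAN filtering off so tagged frames pass untouched,
# put server1's own address on br0, then load the ruleset above.
apply_bridge() {
    ip link add br0 type bridge vlan_filtering 0
    ip link set eth0 master br0
    ip link set eth1 master br0
    ip addr add 192.0.2.10/24 dev br0
    ip link set eth0 up; ip link set eth1 up; ip link set br0 up
    render_nft_ruleset | nft -f -
}

# Sanity check on the rendered policy: every accept rule must either require
# VLAN 10 or name eth1, so nothing untagged from eth0 is accepted anywhere.
policy_blocks_untagged_from_eth0() {
    render_nft_ruleset | grep accept | grep -v 'vlan id 10' | grep -qv '"eth1"' && return 1
    return 0
}
```

Run `apply_bridge` as root on server1 once the interface names and address match the real host; `policy_blocks_untagged_from_eth0` can be run anywhere to check the policy text.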