Abstract
Managing network file systems in large deployments is a critical challenge facing administrators today. Network file systems are widely used, are standardized, and provide acceptable performance. These systems are designed for the least common denominator of functionality across all deployments, to enable widespread use across diverse client systems. Unfortunately, specific deployment scenarios require different policies that govern file system access. The rigid structure of current network file systems makes modifying policies and mechanisms equally difficult. In this paper, we present a novel approach to implementing network file system policies through message transformation, external to clients and servers. We present FileWall, a file system proxy, through which administrators can easily extend network file system policies for monitoring, access control, maintenance, and semantic extensions. We also present a policy specification language, FWL, which allows administrators to specify policies in a few lines, without being encumbered with implementation details. We have implemented FileWall using the Click modular router framework for the NFS protocol, and present solutions for four real-world administrative problems using our system: maintaining per-client file system statistics, implementing temporal access control, improving file handle security, and supporting client-transparent failover. Through our evaluation, we show that FileWall imposes minimal delays, the interposition overheads are low, and the performance of FileWall is comparable to a simple network tunnel.