Heads up: Redhat/CentOS NFSv3 clients file locking failures
Schweiss, Chip
2014-01-22 20:47:38 UTC
A recent change in the NLM for NFSv3 has exposed a problem with the
firewall on Redhat/CentOS.

Connections back to the client are blocked by the firewall because the
connection tracking module is not catching connections as part of the open
NFS connections to the server.

I have attempted to resolve this by opening NFS specific ports but the
server kept connecting to ports that I haven't seen referenced before
including privileged ports.

As a work around I have implemented accept rules for all TCP from the NFS
server.

This could be across all Linux distributions. My tests have only been on
CentOS.

The problem first appears when port 111 is blocked; opening 111 basically
opens a can of worms of what seem to be randomly selected ports of any value. I
know that on Linux NFS servers the connection ports can be limited. Is this
possible on Illumos?

-Chip



-------------------------------------------
illumos-zfs
Archives: https://www.listbox.com/member/archive/182191/=now
Stefan Skoglund
2014-01-30 15:08:10 UTC
Post by Schweiss, Chip
> A recent change in the NLM for NFSv3 has exposed a problem with the
> firewall on Redhat/CentOS.
> Connections back to the client are blocked by the firewall because the
> connection tracking module is not catching connections as part of the
> open NFS connections to the server.
This is (I think) callback related.

The portmapper works such that its users (for example the client-side
nfs kernel modules) bind to a tcp port and then registers the port's
number with the portmapper.

Which means that the user's port number gets randomized, EXCEPT this:
---
[sudo ***@compaq: /home/stefan]# lsmod |grep nfs
nfsd                  173890  2
nfs                   265921  2
nfs_acl                12463  2 nfs,nfsd
auth_rpcgss            32143  5 nfs,nfsd,rpcsec_gss_krb5
fscache                31978  1 nfs
lockd                  57277  2 nfs,nfsd
sunrpc                143904  16 lockd,auth_rpcgss,nfs_acl,nfs,nfsd,rpcsec_gss_krb5
[sudo ***@compaq: /home/stefan]# modinfo nfsd
filename:       /lib/modules/3.2.0-4-686-pae/kernel/fs/nfsd/nfsd.ko
license:        GPL
author:         Olaf Kirch <***@monad.swb.de>
depends:        auth_rpcgss,sunrpc,lockd,nfs_acl
intree:         Y
vermagic:       3.2.0-4-686-pae SMP mod_unload modversions 686
[sudo ***@compaq: /home/stefan]# modinfo nfs
filename:       /lib/modules/3.2.0-4-686-pae/kernel/fs/nfs/nfs.ko
license:        GPL
author:         Olaf Kirch <***@monad.swb.de>
alias:          nfs4
depends:        fscache,sunrpc,lockd,auth_rpcgss,nfs_acl
intree:         Y
vermagic:       3.2.0-4-686-pae SMP mod_unload modversions 686
parm:           callback_tcpport:portnr
parm:           cache_getent:Path to the client cache upcall program (string)
parm:           cache_getent_timeout:Timeout (in seconds) after which the cache upcall is assumed to have failed (ulong)
parm:           enable_ino64:bool
parm:           nfs4_disable_idmapping:Turn off NFSv4 idmapping when using 'sec=sys' (bool)
[sudo ***@compaq: /home/stefan]# cat /etc/modprobe.d/local-conf-nfs-fixed-ports.conf
options nfs callback_tcpport=2050
options lockd nlm_tcpport=2051 nlm_udpport=2051
[sudo ***@compaq: /home/stefan]#
----

The NFS-related modules have parameters for using locally defined
well-known port numbers, which the firewall can be configured to
recognize.

I do use NFS4.
