Patch to override/manage the order of client specification exports
matches via the use of a priority option
The current client precedence match order is fixed, e.g. an IP subnet
match will be used before a wildcard match, but with this patch the
wildcard match can be given a higher priority (positive integer) value
and will be matched before the subnet match
Signed-off-by: James Pearson <jcpearson@xxxxxxxxx>
---
support/export/auth.c | 8 ++++++--
support/export/cache.c | 14 ++++++++++++++
support/include/nfslib.h | 1 +
support/nfs/exports.c | 12 ++++++++++++
utils/exportfs/exportfs.c | 2 ++
utils/exportfs/exports.man | 19 ++++++++++++++++++-
6 files changed, 53 insertions(+), 3 deletions(-)
diff --git a/support/export/auth.c b/support/export/auth.c
index 2d7960f1..3d9e07b5 100644
--- a/support/export/auth.c
+++ b/support/export/auth.c
@@ -175,7 +175,7 @@ auth_authenticate_newcache(const struct sockaddr *caller,
const char *path, struct addrinfo *ai,
enum auth_error *error)
{
- nfs_export *exp;
+ nfs_export *exp, *found;
int i;
free(my_client.m_hostname);
@@ -189,6 +189,7 @@ auth_authenticate_newcache(const struct sockaddr *caller,
my_exp.m_client = &my_client;
exp = NULL;
+ found = NULL;
for (i = 0; !exp && i < MCL_MAXTYPES; i++)
for (exp = exportlist[i].p_head; exp; exp = exp->m_next) {
if (strcmp(path, exp->m_export.e_path))
@@ -198,8 +199,11 @@ auth_authenticate_newcache(const struct sockaddr *caller,
if (exp->m_export.e_flags & NFSEXP_V4ROOT)
/* not acceptable for v[23] export */
continue;
- break;
+ /* we have a match - see if it is a higher priority */
+ if (!found || exp->m_export.e_priority >
found->m_export.e_priority)
+ found = exp;
}
+ exp = found;
*error = not_exported;
if (!exp)
return NULL;
diff --git a/support/export/cache.c b/support/export/cache.c
index 6c0a44a3..dfb0051b 100644
--- a/support/export/cache.c
+++ b/support/export/cache.c
@@ -877,6 +877,14 @@ static int nfsd_handle_fh(int f, char *bp, int blen)
xlog(L_WARNING, "%s and %s have same
filehandle for %s, using first",
found_path, path, dom);
} else {
+ /* same path, see if this one has a
higher export priority */
+ if (exp->m_export.e_priority >
found->e_priority) {
+ found = &exp->m_export;
+ free(found_path);
+ found_path = strdup(path);
+ if (found_path == NULL)
+ goto out;
+ }
/* same path, if one is V4ROOT, choose
the other */
if (found->e_flags & NFSEXP_V4ROOT) {
found = &exp->m_export;
@@ -1178,6 +1186,12 @@ lookup_export(char *dom, char *path, struct addrinfo *ai)
found_type = i;
continue;
}
+ /* see if this one has a higher export priority */
+ if (exp->m_export.e_priority >
found->m_export.e_priority) {
+ found = exp;
+ found_type = i;
+ continue;
+ }
/* Always prefer non-V4ROOT exports */
if (exp->m_export.e_flags & NFSEXP_V4ROOT)
continue;
diff --git a/support/include/nfslib.h b/support/include/nfslib.h
index eff2a486..ab22ecaf 100644
--- a/support/include/nfslib.h
+++ b/support/include/nfslib.h
@@ -99,6 +99,7 @@ struct exportent {
unsigned int e_ttl;
char * e_realpath;
int e_reexport;
+ int e_priority;
};
struct rmtabent {
diff --git a/support/nfs/exports.c b/support/nfs/exports.c
index a6816e60..afc139db 100644
--- a/support/nfs/exports.c
+++ b/support/nfs/exports.c
@@ -106,6 +106,7 @@ static void init_exportent (struct exportent *ee,
int fromkernel)
ee->e_uuid = NULL;
ee->e_ttl = default_ttl;
ee->e_reexport = REEXP_NONE;
+ ee->e_priority = 0;
}
struct exportent *
@@ -374,6 +375,9 @@ putexportent(struct exportent *ep)
fprintf(fp, "%d,", id[i]);
}
fprintf(fp, "anonuid=%d,anongid=%d", ep->e_anonuid, ep->e_anongid);
+ if (ep->e_priority) {
+ fprintf(fp, ",priority=%d", ep->e_priority);
+ }
secinfo_show(fp, ep);
xprtsecinfo_show(fp, ep);
fprintf(fp, ")\n");
@@ -834,6 +838,14 @@ bad_option:
setflags(NFSEXP_FSID, active, ep);
saw_reexport = 1;
+ } else if (strncmp(opt, "priority=", 9) == 0) {
+ char *oe;
+ ep->e_priority = strtol(opt+9, &oe, 10);
+ if (opt[9]=='\0' || *oe != '\0') {
+ xlog(L_ERROR, "%s: %d: bad priority \"%s\"\n",
+ flname, flline, opt);
+ goto bad_option;
+ }
} else {
xlog(L_ERROR, "%s:%d: unknown keyword \"%s\"\n",
flname, flline, opt);
diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
index b03a047b..5e6a64b6 100644
--- a/utils/exportfs/exportfs.c
+++ b/utils/exportfs/exportfs.c
@@ -753,6 +753,8 @@ dump(int verbose, int export_format)
break;
#endif
}
+ if (ep->e_priority)
+ c = dumpopt(c, "priority=%d", ep->e_priority);
secinfo_show(stdout, ep);
xprtsecinfo_show(stdout, ep);
printf("%c\n", (c != '(')? ')' : ' ');
diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
index c14769e5..8b436ad5 100644
--- a/utils/exportfs/exports.man
+++ b/utils/exportfs/exports.man
@@ -100,12 +100,16 @@ entry above) and will match all clients.
.\".B \-\-public\-root
.\"option. Multiple specifications of a public root will be ignored.
.PP
-If a client matches more than one of the specifications above, then
+By default, if a client matches more than one of the specifications above, then
the first match from the above list order takes precedence - regardless of
the order they appear on the export line. However, if a client matches
more than one of the same type of specification (e.g. two netgroups),
then the first match from the order they appear on the export line takes
precedence.
+.PP
+The above list order can be overridden/managed via the use of the
+.IR priority=
+export option (see below)
.SS RPCSEC_GSS security
You may use the special strings "gss/krb5", "gss/krb5i", or "gss/krb5p"
to restrict access to clients using rpcsec_gss security. However, this
@@ -500,6 +504,19 @@ Don't edit or remove the database unless you know
exactly what you're doing.
is useful when you have used
.IR auto-fsidnum
before and don't want further entries stored.
+.TP
+.IR priority= num
+This option allows an export to a client specification to override its default
+mapping order. By default, the precedence order of a match is given in the
+.BR "Machine Name Formats"
+section above. For example, an IP network match will take precedence over
+a wildcard match. To allow the wildcard match to be used instead of the IP
+network match, a
+.IR priority
+of greater than zero is given to the wildcard specification
+
+By default, all exports have a priority of zero. Negative priority settings
+can also be given, which will push the match lower down the precedence order
.SS User ID Mapping
--
2.40.0
