Re: [PATCH] rpcbind: Only listen on requested hostnames for NC_TPI_COTS connections

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Apr 24, 2012, at 11:29 AM, Jim Rees wrote:

> Niels de Vos wrote:
> 
>  On 04/23/2012 06:22 PM, Chuck Lever wrote:
>> 
>> So you did check the mail archive?  I seem to recall other patches like
>> this in the past, and that there is a reason why rpcbind works this way.
>> I simply don't remember the specifics right at the moment.
> 
>  I did, but no messages about this subject come up for me... Maybe I'm looking
>  in the wrong places :-/
> 
> I asked about this last November, and at that time Chuck referred me to the
> mail archive too.  I couldn't find any discussion either.  But the behavior
> is intentional, so I don't think you'll get a patch accepted.

Going back to the rpcbind(8) man page, the "-h" is meant to work around a brokenness of RPC over UDP.  UDP replies can come from any server address, as I mentioned before, and most Linux clients, at least, don't like an RPC reply to come from a different address than the request was sent to.

We don't need or want this option for connection-oriented transports.  The reply will always be returned on the same connection that request was made on.

Restricting the bind address for rpcbind's listener is a different, and perhaps orthogonal, issue.  In addition to trimming rpcbind's listener address space via IP tables, you can also run the rpcbind server, and the RPC services it shepherds, in a separate network namespace.

> I never did
> discover the reason but I do have a workaround.  I just don't run rpcbind.
> 
> This was the most informative response I got:
> 
> Date: Tue, 8 Nov 2011 19:01:51 +1100
> From: Max Matveev <makc@xxxxxxxxxx>
> Subject: Re: rpcbind -h
> To: Jim Rees <rees@xxxxxxxxx>
> Cc: Chuck Lever <chuck.lever@xxxxxxxxxx>, linux-nfs@xxxxxxxxxxxxxxx
> 
> Chuck's quote from the manpage reminded me - -h was used to work            
> around the address selection: if server has more then one address the       
> reply may use any of them. Some clients don't like it.
> 
> This issue should go away after
> 
> commit 74ef3df0236c55185225c62fba34953f2582da72
> Author: Olaf Kirch <okir@xxxxxxx>      
> Date:   Wed Mar 2 10:09:24 2011 -0500
> 
> was added to libtirpc.
> 
> rees> As I said before, I was hoping for the equivalent of "portmap
> rees> -l".  I was ready to code up a patch of some kind but now have
> rees> a workaround (mount with nolock and don't run rpcbind at all).
> 
> iptables is another option.
> 
> max
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

-- 
Chuck Lever
chuck[dot]lever[at]oracle[dot]com




--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux