On 3/3/21 5:28 PM, NeilBrown wrote:
> On Tue, Mar 02 2021, Steve Dickson wrote:
>
>> Hey!
>>
>> A couple comments...
>>
>> On 2/24/21 9:42 PM, NeilBrown wrote:
>>> When NFSv3 is used mountd provides logs of successful and failed mount
>>> attempts which can be used for auditing.
>>> When NFSv4 is used there are no such logs as NFSv4 does not have a
>>> distinct "mount" request.
>>>
>>> However mountd still knows about which filesystems are being accessed
>>> from which clients, and can actually provide more reliable logs than it
>>> currently does, though they must be more verbose - with periodic "is
>>> being accessed" message replacing a single "was mounted" message.
>>>
>>> This series adds support for that logging, and adds some related
>>> improvements to make the logs as useful as possible.
>>>
>>> NeilBrown
>>>
>>> ---
>>>
>>> NeilBrown (5):
>>>       mountd: reject unknown client IP when !use_ipaddr.
>>>       mountd: Don't proactively add export info when fh info is requested.
>>>       mountd: add logging for authentication results for accesses.
>> I wonder if we should mention setting "debug=auth" enables
>> this logging in the mountd manpage
>
> That is already in the mountd man page :-)
Sorry I must have missed it...

>
>>
>>>       mountd: add --cache-use-ipaddr option to force use_ipaddr
>>>       mountd: make default ttl settable by option
>> These two probably need to be put into the nfs.conf file
>> and the nfs.conf man page since the conf_get_num()
>> and conf_get_bool() calls were added.
>
> That's done now too.
Thank you!

>
>>
>> Finally, I'll add this to my plate, but I'm thinking
>> the new log-auth and ttl flags probably should be
>> introduced into nfsv4.exported.
>>
>
> I'll add that to my patches before resubmitting.
Thank you again!

>
>> I didn't port over the use-ipaddr flag to exportd,
>> since I thought it was only used in the v3 mount path
>> but maybe that was an oversight on my part.
>
> use-ipaddr is not at all v3 specific.
> It was originally introduced to handle the fact that a single host could
> be in a large number of netgroups, and concatenating the names of all
> those netgroups could produce a "domain" name that is too long.
> The new option to force it on is useful for access logging, particularly
> with NFSv4.
>
> I'll add that to my patches too.
Perfect!

steved.

>
> Thanks,
> NeilBrown
>
>
>>
>> Thoughts?
>>
>> steved.
>>>
>>>
>>>  support/export/auth.c      |  4 +++
>>>  support/export/cache.c     | 32 +++++++++++------
>>>  support/export/v4root.c    |  3 +-
>>>  support/include/exportfs.h |  3 +-
>>>  support/nfs/exports.c      |  4 ++-
>>>  utils/mountd/mountd.c      | 29 +++++++++++++++-
>>>  utils/mountd/mountd.man    | 70 ++++++++++++++++++++++++++++++++++++++
>>>  7 files changed, 130 insertions(+), 15 deletions(-)
>>>
>>> --
>>> Signature
>>>