Re: [Libtirpc-devel] [PATCH] rpcb_clnt.c config to try protocolversion 2 first

Chuck Lever III <chuck.lever@xxxxxxxxxx> · Mon, 14 Feb 2022 15:26:23 +0000

Hi Thomas -

> On Feb 14, 2022, at 4:26 AM, Thomas Blume via Libtirpc-devel <libtirpc-devel@xxxxxxxxxxxxxxxxxxxxx> wrote:
> 
> In some setups, it is necessary to try rpc protocol version 2 first.

Before applying this, I hope we can review previous discussions of
this issue. I've forgotten the reason some users prefer it, or
maybe I'm just imagining we've discussed it before :-)

The patch description, at the very least, has to have a lot more
detail about why this change is needed. Can it provide a URL to
threads in an email archive, for example?

> Creating the file  /etc/netconfig-try-2-first will enforce this.

A nicer administrative API would enable you to update the whole
rpcbind version order, but that might be more work than you want
to pursue.

It would be a nicer if, instead of a separate file, a line is
added to /etc/netconfig to toggle this behavior, or provide the
whole version order. E.g.

# rpcbind 4 3 2

# rpcbind 2 4

Really, though, this isn't related to the transport definitions
in /etc/netconfig, so a separate configuration file might be
more appropriate.

> Signed-off-by: Thomas Blume <Thomas.Blume@xxxxxxxx>
> ---
> man/Makefile.am             |  1 +
> man/netconfig-try-2-first.7 | 18 ++++++++++++++++++
> man/netconfig.5             |  1 +
> src/rpcb_clnt.c             | 29 ++++++++++++++++++++++++++---
> 4 files changed, 46 insertions(+), 3 deletions(-)
> create mode 100644 man/netconfig-try-2-first.7
> 
> diff --git a/man/Makefile.am b/man/Makefile.am
> index fa43bb4..38907d4 100644
> --- a/man/Makefile.am
> +++ b/man/Makefile.am
> @@ -16,6 +16,7 @@ RPCSEC_MANS		= rpcsec_gss.3t rpc_gss_get_error.3t \
> 			  rpc_gss_get_principal_name.3t rpc_gss_set_callback.3t \
> 			  rpc_gss_set_svc_name.3t rpc_gss_svc_max_data_length.3t
> 
> +dist_man7_MANS		= netconfig-try-2-first.7
> dist_man5_MANS		= netconfig.5
> dist_man3_MANS		= $(LOOKUP_MANS) $(NETCONFIG_MANS) \
> 			  $(BIND_MANS) $(GENERIC_MANS) $(COMPAT_MANS) \
> diff --git a/man/netconfig-try-2-first.7 b/man/netconfig-try-2-first.7
> new file mode 100644
> index 0000000..475c483
> --- /dev/null
> +++ b/man/netconfig-try-2-first.7
> @@ -0,0 +1,18 @@
> +.Dd January 16, 2019
> +.Dt NETCONFIG-TRY-2-FIRST 7
> +.Os
> +.Sh NAME
> +.Nm netconfig-try-2-first
> +.Nd indicator to enfore tcp protocol version 2
> +.Sh SYNOPSIS
> +.Pa /etc/netconfig-try-2-first
> +.Sh DESCRIPTION
> +libtirpc tries per default for transport UDP and TCP the rpc protocol versions
> +in the sequence 4, 3, 2.

There is good reason for this behavior. The man page needs to
explain the risks of changing it.

Does this break behavior on IPv6-only setups? Is there an added
security risk?

> +In some setups, it is necessary to try rpc protocol version 2 first.
> +Creating the file
> +.Nm
> +will enforce this.
> +.Ed
> +.Sh FILES
> +/etc/netconfig-try-2-first
> diff --git a/man/netconfig.5 b/man/netconfig.5
> index e8dcbb2..beaf27a 100644
> --- a/man/netconfig.5
> +++ b/man/netconfig.5
> @@ -119,5 +119,6 @@ struct netconfig {
> .It Pa /etc/netconfig
> .El
> .Sh SEE ALSO
> +.Xr netconfig-try-2-first 7 ,
> .Xr getnetconfig 3 ,
> .Xr getnetpath 3
> diff --git a/src/rpcb_clnt.c b/src/rpcb_clnt.c
> index 0c34cb7..d0336b9 100644
> --- a/src/rpcb_clnt.c
> +++ b/src/rpcb_clnt.c
> @@ -32,6 +32,7 @@
>  */
> #include <pthread.h>
> #include <reentrant.h>
> +#include <sys/stat.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <sys/un.h>
> @@ -838,6 +839,9 @@ __rpcb_findaddr_timed(program, version, nconf, host, clpp, tp)
> {
> #ifdef NOTUSED
> 	static bool_t check_rpcbind = TRUE;
> +#endif
> +#ifdef PORTMAP
> +	bool_t portmap_first = FALSE;
> #endif
> 	CLIENT *client = NULL;
> 	RPCB parms;
> @@ -884,6 +888,17 @@ __rpcb_findaddr_timed(program, version, nconf, host, clpp, tp)
> 		parms.r_addr = NULL;
> 	}
> 
> +#ifdef PORTMAP
> +	 /*enforce protocol version 2 if file exists */
> +	 struct stat fileStat;
> +
> +	 if (stat("/etc/netconfig-try-2-first" ,&fileStat) == 0) {
> +		 portmap_first = TRUE;
> +		 goto portmap;
> +	 }
> +#endif
> +
> +rpcbind:
> 	if (client == NULL) {
> 		client = getclnthandle(host, nconf, &parms.r_addr);
> 		if (client == NULL) {
> @@ -943,17 +958,25 @@ __rpcb_findaddr_timed(program, version, nconf, host, clpp, tp)
> 		}
> 	}
> 
> +	if (portmap_first) {
> +		goto check_address;
> +	}
> +
> +portmap:
> #ifdef PORTMAP 	/* Try version 2 for TCP or UDP */
> 	if (strcmp(nconf->nc_protofmly, NC_INET) == 0) {
> 		address = __try_protocol_version_2(program, version, nconf, host, tp);
> -		if (address == NULL)
> +		if (address == NULL && portmap_first)
> +			goto rpcbind;
> +		else
> 			goto error;
> 	}
> #endif		/* PORTMAP */
> 
> +check_address:
> 	if ((address == NULL) || (address->len == 0)) {
> -	  rpc_createerr.cf_stat = RPC_PROGNOTREGISTERED;
> -	  clnt_geterr(client, &rpc_createerr.cf_error);
> +		rpc_createerr.cf_stat = RPC_PROGNOTREGISTERED;
> +		clnt_geterr(client, &rpc_createerr.cf_error);
> 	}
> 
> error:
> -- 
> 2.34.1
> 
> 
> 
> _______________________________________________
> Libtirpc-devel mailing list
> Libtirpc-devel@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/libtirpc-devel

--
Chuck Lever