2008-04-21 00:02:17

by J. Bruce Fields

Subject: Re: [patch] fix statd -n

On Fri, Apr 18, 2008 at 04:46:02PM -0400, Janne Karhunen wrote:
> On Fri, Apr 18, 2008 at 4:32 PM, J. Bruce Fields <[email protected]> wrote:
>
> > > Sorry, not very clear. Perhaps statd should bind to the loopback
> > > interface in addition to any other interfaces if it doesn't bind
> > > to INADDR_ANY.
> >
> > Right, that's what would make the most sense to me. Janne, is there any
> > reason that wouldn't solve your problem?
>
> I didn't get the idea. So the idea is to use multiple sockets,
> one bound to LOOPBACK and one to external interface?

I suppose so. One socket would be for communication for the local
kernel nfsd, one for communication with statd peers.

> Complicated and unclean in my opinion: one address
> should suffice.

The advantage is that it would require no changes to the kernel or
kernel interfaces, and would also solve the problem for people that
don't want to upgrade their kernels.

The "rpc over lo" interface to the kernel's lockd is simple enough, and
I'd rather not replace it with "rpc over either lo or the interface
specified via sysctl" unless there's a really clear advantage.

(Also, would your patch mean lockd could accept requests that could have
spoofed source addresses?)

--b.
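
The two-socket layout discussed in this message, as an added example that is not part of the thread and not code from nfs-utils or the attached patch: one UDP socket bound to loopback for the kernel side, one bound to a specific address for peers, both on the same port. It assumes Linux, where any 127.0.0.0/8 address is bindable, so 127.0.0.2 stands in for the external `-n` address; the function names are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to one specific address. *port == 0 asks for a free
 * port; the port actually bound is written back. Returns fd or -1. */
static int bind_udp(const char *ip, in_port_t *port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(*port) };
    socklen_t len = sizeof(sa);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd < 0 || inet_pton(AF_INET, ip, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    *port = ntohs(sa.sin_port);
    return fd;
}

/* Send one datagram to dst_ip and report which socket received it:
 * 0 = kernel-facing (loopback), 1 = peer-facing, -1 = neither or error. */
static int which_socket_gets(const char *dst_ip)
{
    in_port_t port = 0;
    int lo = bind_udp("127.0.0.1", &port);   /* kernel-facing socket */
    int peer = bind_udp("127.0.0.2", &port); /* stand-in for the -n address */
    int tx = socket(AF_INET, SOCK_DGRAM, 0); /* constructed test sender */
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(port) };
    struct pollfd p[2] = { { lo, POLLIN, 0 }, { peer, POLLIN, 0 } };
    int got = -1;

    if (lo >= 0 && peer >= 0 && inet_pton(AF_INET, dst_ip, &dst.sin_addr) == 1 &&
        sendto(tx, "x", 1, 0, (struct sockaddr *)&dst, sizeof(dst)) == 1 &&
        poll(p, 2, 500) == 1) /* exactly one socket may become readable */
        got = (p[0].revents & POLLIN) ? 0 : 1;
    close(lo); close(peer); close(tx);
    return got;
}

int main(void)
{
    printf("%d %d\n", which_socket_gets("127.0.0.1"), which_socket_gets("127.0.0.2"));
    return 0;
}
```

Because neither socket is bound to INADDR_ANY, the two binds do not conflict on the shared port, and a datagram addressed to one address is never delivered to the other socket.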


2008-04-28 20:52:33

by Janne Karhunen

Subject: Re: [patch] fix statd -n

On Sun, Apr 20, 2008 at 8:02 PM, J. Bruce Fields <[email protected]> wrote:

> > > Right, that's what would make the most sense to me. Janne, is there any
> > > reason that wouldn't solve your problem?
> >
> > I didn't get the idea. So the idea is to use multiple sockets,
> > one bound to LOOPBACK and one to external interface?
>
> I suppose so. One socket would be for communication for the local
> kernel nfsd, one for communication with statd peers.

Finally got around to it again. Attached patch takes a
shot at the two socket approach. Patch is a draft to
see what you guys would really think about this
approach.


--
// Janne


Attachments:
(No filename) (651.00 B)
statd-two-sockets.patch (7.10 kB)

2008-04-21 00:49:52

by Janne Karhunen

Subject: Re: [patch] fix statd -n

On Sun, Apr 20, 2008 at 8:02 PM, J. Bruce Fields <[email protected]> wrote:

> > I didn't get the idea. So the idea is to use multiple sockets,
> > one bound to LOOPBACK and one to external interface?
>
> I suppose so. One socket would be for communication for the local
> kernel nfsd, one for communication with statd peers.

Ok, but that's really quite intrusive - my goal with that
patch was to minimize the amount of changes. Sure,
we can rework a larger part of it if you think it is better
that way.


> > Complicated and unclean in my opinion: one address
> > should suffice.
>
> The advantage is that it would require no changes to the kernel or
> kernel interfaces, and would also solve the problem for people that
> don't want to upgrade their kernels.

Right, but that's hardly an issue with Linux. You need
to do that twice per week anyway ;)


> The "rpc over lo" interface to the kernel's lockd is simple enough, and
> I'd rather not replace it with "rpc over either lo or the interface
> specified via sysctl" unless there's a really clear advantage.
>
> (Also, would your patch mean lockd could accept requests that could have
> spoofed source addresses?)

Yes, but loopback can also be spoofed. And it
does already improve things by making it bind to a
specific interface/address instead of ANY (ports
open all around).


--
// Janne

2008-04-21 14:46:02

by Janne Karhunen

Subject: Re: [patch] fix statd -n

On Sun, Apr 20, 2008 at 8:02 PM, J. Bruce Fields <[email protected]> wrote:

> > > > Sorry, not very clear. Perhaps statd should bind to the loopback
> > > > interface in addition to any other interfaces if it doesn't bind
> > > > to INADDR_ANY.
> > >
> > > Right, that's what would make the most sense to me. Janne, is there any
> > > reason that wouldn't solve your problem?
> >
> > I didn't get the idea. So the idea is to use multiple sockets,
> > one bound to LOOPBACK and one to external interface?
>
> I suppose so. One socket would be for communication for the local
> kernel nfsd, one for communication with statd peers.

So shall we add yet another port option for statd or talk
to portmap about the port assignment? It's ugly any way
you put it.



--
// Janne