2009-05-15 13:56:12

by Tom Talpey

Subject: Re: [NFS] nfs-over-tcp still needs udp ports? (SLES 11)

At 02:38 AM 5/15/2009, Frank Steiner wrote:
>Tom Talpey wrote
>
>> The very best solution, by the way, would be to use NFSv4. It has no
>> side protocols, and therefore no UDP issue. It does have a callback
>> connection from the server to the client, but is done with TCP and is
>> configurable.
>
>I've indeed switched our through-firewall-nfsservers to NFSv4 and
>the problems are gone. Thanks a lot for pointing me there!
>I only open port 2049/tcp and everything works.

Great! If you want the full NFSv4 benefit, you'll also need to enable
delegation callbacks, which requires a TCP port in the other direction.
This port is chosen by the client, but the server makes the connection,
so you'll need to configure it in both the client and the firewall.

The port is set by an NFS sysctl parameter named "nfs_callback_tcpport",
which by default is 0 (any). You'll need to set it to some value with

sysctl -w fs.nfs.nfs_callback_tcpport=<value>

and also in your firewall from the server->client. The range is 0 to 65535,
you can choose any convenient unused value (e.g. 2050).

BTW when NFSv4.1 is in use, this reverse connection will no longer occur.
But that's a ways off in the distribution kernels.

>However, I still see blocked connections on the firewall, coming from
>the NFS client to the NFS server:
>...PROTO=TCP SPT=55598 DPT=111...
>rpcinfo tells me the portmapper is running at port 111 (udp and tcp).
>
>I didn't find a clear statement when googling if that should happen
>with NFSv4 or not. It doesn't seem to block the NFS share in any way,
>at least as far as I can see.

It could be any number of things, but probably harmless and properly
ignored for NFSv4. I will guess it's something to do with the SLES11
client and other daemons.

Can you capture a trace of these messages with wireshark? The
contents of the portmapper request the client is sending will tell us
exactly what services it's trying to resolve.

Alternatively you could turn on kernel portmap debug and watch the
log. I'm not sure if SLES11 has the "rpcdebug" command installed, but
if so, on the client you could try

rpcdebug -m rpc -s bind

then watch the syslog.

>I wouldn't mind opening tcp port 111 to the NFS server. I'm just curious
>if that behaviour is correct or not with NFSv4.

It's not part of NFSv4. But it could be a side effect of the client NFS
implementation, which also supports v2 and v3 plus NSM, NLM, etc etc.

Tom.
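As an added example (not part of the thread), the port model Tom describes turned into a small Python checker: it classifies blocked netfilter log lines like the one Frank quoted against what NFSv4 actually needs (2049/tcp client->server, the nfs_callback_tcpport server->client) and emits the matching firewall rules. The client/server addresses, the 2050 callback port and the sample log lines are constructed.

```python
import re

# Ports named in the thread: NFSv4 on 2049/tcp, the rpcbind/portmapper on 111.
NFS_PORT = 2049
PORTMAP_PORT = 111

# Matches the SRC/DST/PROTO/SPT/DPT fields of a netfilter LOG line (IPv4 assumed),
# e.g. the quoted "...PROTO=TCP SPT=55598 DPT=111..." fragment.
_FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\w+(?:\.\w+)*)")

# Constructed sample log lines: 10.0.0.5 is the NFS client, 10.0.0.9 the server.
SAMPLE_LOG = [
    "IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=55598 DPT=111",
    "IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=40012 DPT=2049",
    "IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=1021 DPT=2050",
]

def parse_log_line(line):
    """Return the SRC/DST/PROTO/SPT/DPT fields of one LOG line; ports become ints."""
    return {k: int(v) if k in ("SPT", "DPT") else v for k, v in _FIELD_RE.findall(line)}

def classify(fields, client_ip, server_ip, callback_port):
    """Judge one blocked packet against the NFSv4 port model described in the reply."""
    if not 0 <= callback_port <= 65535:
        raise ValueError("nfs_callback_tcpport must be 0 (any) or 1..65535")
    src, dst, dpt = fields.get("SRC"), fields.get("DST"), fields.get("DPT")
    if fields.get("PROTO") != "TCP":
        return "unexpected: NFSv4 traffic is TCP only"
    if src == client_ip and dst == server_ip and dpt == NFS_PORT:
        return "required: NFSv4 client->server on 2049/tcp, open it"
    if src == server_ip and dst == client_ip and callback_port and dpt == callback_port:
        return "required: delegation callback server->client on %d/tcp, open it" % callback_port
    if dpt == PORTMAP_PORT:
        return "not part of NFSv4: portmapper lookup (v2/v3, NSM/NLM side effect), safe to leave blocked"
    return "unexpected: investigate with a wireshark capture"

def audit(lines, client_ip, server_ip, callback_port):
    """Classify every log line; returns a list of (destination port, verdict) pairs."""
    return [(f.get("DPT"), classify(f, client_ip, server_ip, callback_port))
            for f in map(parse_log_line, lines)]

def firewall_rules(client_ip, server_ip, callback_port):
    """iptables-style ACCEPT rules implied by the reply (example syntax, adapt to your firewall)."""
    rules = ["-A FORWARD -p tcp -s %s -d %s --dport %d -j ACCEPT" % (client_ip, server_ip, NFS_PORT)]
    if callback_port == 0:
        rules.append("# nfs_callback_tcpport=0 (any): pin it via sysctl before writing a server->client rule")
    else:
        rules.append("-A FORWARD -p tcp -s %s -d %s --dport %d -j ACCEPT" % (server_ip, client_ip, callback_port))
    return rules
```

Run `audit(SAMPLE_LOG, "10.0.0.5", "10.0.0.9", 2050)` to see the three verdicts; only the DPT=111 line comes back as not needed for NFSv4.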


_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs