From: Trond Myklebust <trond.myklebust@fys.uio.no>
Subject: Re: [NFS] nfs-over-tcp still needs udp ports? (SLES 11)
Date: Fri, 08 May 2009 08:27:42 -0400
Message-ID: <1241785662.19651.32.camel@heimdal.trondhjem.org>
References: <4A02DAA8.6050005@bio.ifi.lmu.de>
	<c2d0b6ec0905070634p6888226cx5b2c8abae51cd1be@mail.gmail.com>
	<4A02FDC3.9090709@bio.ifi.lmu.de>
	<4a02ffdf.1ac1f10a.637d.ffffbc3a@mx.google.com>
	<4A03CB1C.7020703@bio.ifi.lmu.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: Leonardo Chiquitto <leonardo.lists@gmail.com>,
	nfs@lists.sourceforge.net, Tom Talpey <tmtalpey@gmail.com>
To: Frank Steiner <fsteiner-mail1-G0GEQqhI7DhYiKXMg8wJIg@public.gmane.org>
Return-path: <linux-nfs-owner@vger.kernel.org>
Received: from neil.brown.name ([220.233.11.133]:42225 "EHLO neil.brown.name"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1753578AbZEHM3r (ORCPT <rfc822;linux-nfs@vger.kernel.org>);
	Fri, 8 May 2009 08:29:47 -0400
Received: from brown by neil.brown.name with local (Exim 4.69)
	(envelope-from <nfs-bounces@lists.sourceforge.net>)
	id 1M2PD0-0000NN-Nu
	for linux-nfs@vger.kernel.org; Fri, 08 May 2009 22:29:46 +1000
In-Reply-To: <4A03CB1C.7020703-G0GEQqhI7DhYiKXMg8wJIg@public.gmane.org>
Sender: linux-nfs-owner@vger.kernel.org
List-ID: <linux-nfs.vger.kernel.org>

On Fri, 2009-05-08 at 08:03 +0200, Frank Steiner wrote:
> Tom Talpey wrote
> 
> 
> > In particular, if you do NLM file locking, there is a server callback (NLM
> > "granted") which the server may choose to issue via UDP. If this callback
> > is not seen by the client due to firewall blocking, there may be a 30-second
> > pause before a client retry unblocks the caller.
> > 
> > Also, the NSM (status monitor) exchanges are often performed via UDP.
> > Again, if you are using NLM and the server reboots, the client may not
> > become aware of this promptly, and lock reclaim will be affected.
> > 
> > OTOH, if your applications don't use locking on the NFS mounts, you'll
> > probably be fine.
> 
> We do use locking on nfs mounts, so I wonder what that would mean for the
> firewall. Currently I see connections from the NFS server *from* port 700
> and 111 (we've fixed mountd port to 700) to (it seems) arbitrary udp
> ports on the NFS clients.
> 
> Would that be enough to allow those? Or could the source ports be arbitrary
> with NLM, too? I.e., would we have to open all udp traffic from the NFS
> servers to all the NFS clients?

Most NFS servers allow you to pin the ports used by the lockd service.
In Linux, the kernel boot parameters lockd.nlm_tcpport and
lockd.nlm_udpport will suffice to do it for you (see
linux/Documentation/kernel-parameters.txt).

Trond


------------------------------------------------------------------------------
The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
production scanning environment may not be a perfect world - but thanks to
Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
Series Scanner you'll get full speed at 300 dpi even with all image 
processing features enabled. http://p.sf.net/sfu/kodak-com
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs
_______________________________________________
Please note that nfs@lists.sourceforge.net is being discontinued.
Please subscribe to linux-nfs@vger.kernel.org instead.
    http://vger.kernel.org/vger-lists.html#linux-nfs