Return-Path: Received: from fieldses.org ([173.255.197.46]:44140 "EHLO fieldses.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750896AbeCHUYY (ORCPT ); Thu, 8 Mar 2018 15:24:24 -0500 Date: Thu, 8 Mar 2018 15:24:23 -0500 To: Chuck Lever Cc: Guillem Jover , libtirpc List , Linux NFS Mailing List Subject: Re: [PATCH] Do not bind to reserved ports registered in /etc/services Message-ID: <20180308202423.GA16485@fieldses.org> References: <20180110004920.11100-1-gjover@sipwise.com> <20180112184151.GA10261@thunder.hadrons.org> <9a53753a-56bf-12b5-f328-ff1f3a72249d@talpey.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii In-Reply-To: From: bfields@fieldses.org (J. Bruce Fields) Sender: linux-nfs-owner@vger.kernel.org List-ID: On Tue, Mar 06, 2018 at 01:09:01PM -0500, Chuck Lever wrote: > Note that neither of these solutions addresses the largest consumer > of dynamically-assigned reserved ports: the kernel NFS client. The > only way we have to address that today is the "noresvport" mount > option. (We could make that the default for Kerberos mounts). Makes sense to me. Looks like knfsd's not helpful here, though: the export option ("secure"/"insecure") defaults to "secure", which always requires a low port. It should be easy to modify "secure" to mean "require low ports only for auth_sys/auth_null", and that's probably the right thing to do. --b.