2008-08-19 21:15:43

by Chuck Lever III

Subject: use of non-privileged ports for MNT and NLM

Working on "resvport" mount option. Question occurred to me:

If I specify "noresvport" on a mount, can the client also use a non-
privileged port for the initial MNT request, and can it use it for the
NLM connection as well?

Question applies not just to Linux servers, but servers in general.
Brief searching on teh internets does not reveal a quick answer. I
think rpc.mountd will allow a non-privileged port for "insecure"
exports.

I think the answer is "yes, non-privileged ports can be used for MNT
and NLM if the server explicitly allows it" but I thought I would open
this up to the list.

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com


2008-08-19 21:22:13

by J. Bruce Fields

Subject: Re: use of non-privileged ports for MNT and NLM

On Tue, Aug 19, 2008 at 05:14:54PM -0400, Chuck Lever wrote:
> Working on "resvport" mount option. Question occurred to me:
>
> If I specify "noresvport" on a mount, can the client also use a non-
> privileged port for the initial MNT request, and can it use it for the
> NLM connection as well?
>
> Question applies not just to Linux servers, but servers in general.
> Brief searching on teh internets does not reveal a quick answer. I
> think rpc.mountd will allow a non-privileged port for "insecure"
> exports.

From nfs-utils/utils/mountd/auth.c:auth_authenticate_internal():

    if (!(exp->m_export.e_flags & NFSEXP_INSECURE_PORT) &&
        (ntohs(caller->sin_port) < IPPORT_RESERVED/2 ||
         ntohs(caller->sin_port) >= IPPORT_RESERVED)) {
            *error = illegal_port;
            return NULL;
    }

So assuming that function does what its name suggests, I think you're
right.

> I think the answer is "yes, non-privileged ports can be used for MNT and
> NLM if the server explicitly allows it" but I thought I would open this
> up to the list.

That's what I would have guessed.

And if the goal is to keep the number of reserved ports from being a
limit, it would be disappointing to eliminate only the ports used for
nfs itself.

--b.

2008-08-19 23:45:24

by Myklebust, Trond

Subject: Re: use of non-privileged ports for MNT and NLM

On Tue, 2008-08-19 at 17:14 -0400, Chuck Lever wrote:
> Working on "resvport" mount option. Question occurred to me:
>
> If I specify "noresvport" on a mount, can the client also use a non-
> privileged port for the initial MNT request, and can it use it for the
> NLM connection as well?
>
> Question applies not just to Linux servers, but servers in general.
> Brief searching on teh internets does not reveal a quick answer. I
> think rpc.mountd will allow a non-privileged port for "insecure"
> exports.
>
> I think the answer is "yes, non-privileged ports can be used for MNT
> and NLM if the server explicitly allows it" but I thought I would open
> this up to the list.

How about a default that tries to connect using an insecure port first,
then falls back to a secure port if the attempt fails?

Cheers
Trond

--
Trond Myklebust
Linux NFS client maintainer

NetApp
[email protected]
http://www.netapp.com
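
Added example, not part of the thread and not nfs-utils or kernel code: a network-free simulation of the mountd source-port test quoted above, combined with the "non-privileged first, then reserved" client policy proposed in the last message. The names EX_INSECURE_PORT, port_allowed and pick_source_port are hypothetical, and the flag value is a stand-in for NFSEXP_INSECURE_PORT.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>    /* htons, ntohs */
#include <netinet/in.h>   /* struct sockaddr_in, IPPORT_RESERVED */

/* Hypothetical stand-in for NFSEXP_INSECURE_PORT (assumed value). */
#define EX_INSECURE_PORT 0x1u

/* Same condition as the quoted mountd check, inverted to "allowed":
 * without the insecure flag the caller's source port must fall in
 * [IPPORT_RESERVED/2, IPPORT_RESERVED), i.e. 512..1023. */
static bool port_allowed(unsigned flags, const struct sockaddr_in *caller)
{
    uint16_t port = ntohs(caller->sin_port);

    if (flags & EX_INSECURE_PORT)
        return true;
    return port >= IPPORT_RESERVED / 2 && port < IPPORT_RESERVED;
}

/* Client policy from the thread: offer a non-privileged source port
 * first and fall back to a reserved one only if the server refuses.
 * Returns the accepted port, or 0 if both candidates are refused. */
static uint16_t pick_source_port(unsigned server_flags,
                                 uint16_t nonpriv, uint16_t resv)
{
    struct sockaddr_in caller = { .sin_family = AF_INET };

    caller.sin_port = htons(nonpriv);
    if (port_allowed(server_flags, &caller))
        return nonpriv;
    caller.sin_port = htons(resv);
    if (port_allowed(server_flags, &caller))
        return resv;
    return 0;
}

int main(void)
{
    /* Constructed sample ports: 40000 (non-privileged), 700 and 100 (both < 1024). */
    printf("secure export,   40000 then 700 -> %u\n", (unsigned)pick_source_port(0, 40000, 700));
    printf("insecure export, 40000 then 700 -> %u\n", (unsigned)pick_source_port(EX_INSECURE_PORT, 40000, 700));
    printf("secure export,   40000 then 100 -> %u\n", (unsigned)pick_source_port(0, 40000, 100));
    return 0;
}
```

The third case shows that the quoted check refuses ports below 512 as well, so a fallback port has to come from 512..1023, not merely from below 1024.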