2005-04-08 13:25:18

by Chris Penney

Subject: NAT & lockd

I have a new NFS server (2.6.11.5 w/ NFS-ALL) that serves some
clients that sit behind a NAT box (linux clusters). It replaced a
SLES 8 file server. The NAT box is an old RH8 box (soon to be
upgraded to SLES 9). On the new NFS server I'm getting the following
messages from lockd:

nsm_mon_unmon: rpc failed, status=-13
lockd: cannot monitor x.x.x.x

With our old NFS server I never got any messages. The IP address
x.x.x.x is that of the NAT box. I'm curious if this means locking
does not work behind nat or if it means something else. Is there
anything I can do here? Would a 2.6.x based NAT box have a more up to
date iptables that supports lockd? This is non-critical, I'm just
trying to understand.

Chris


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs


2005-04-08 13:40:08

by Trond Myklebust

Subject: Re: NAT & lockd

On Fri, 08.04.2005 at 09:25 (-0400), Chris Penney wrote:

> nsm_mon_unmon: rpc failed, status=-13
> lockd: cannot monitor x.x.x.x
>
> With our old NFS server I never got any messages. The IP address
> x.x.x.x is that of the NAT box. I'm curious if this means locking
> does not work behind nat or if it means something else. Is there
> anything I can do here? Would a 2.6.x based NAT box have a more up to
> date iptables that supports lockd? This is non-critical, I'm just
> trying to understand.

Locking under NFSv2/v3 is not very NAT or firewall-friendly and was one
of the motivations for developing NFSv4.

The problem is that under NFSv2/v3, the protocol requires bi-directional
communication (by which I mean that the server needs to be able to
connect to the client, which is a problem for NAT as you can see above)
and requires a bunch of helper-protocols that use different ports (which
is a problem for firewalls).

Cheers,
Trond
--
Trond Myklebust <[email protected]>
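
Added example, not part of the original message: a shell helper that reads `rpcinfo -p` output and lists the RPC services an NFSv2/v3 setup relies on, marking which sit on the well-known ports 111 and 2049 and which are only registered with the portmapper. The function name and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p <host>` output (not taken from the thread).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp  32771  mountd
    100005    3   tcp  32771  mountd
    100021    1   udp  32768  nlockmgr
    100021    4   udp  32768  nlockmgr
    100021    4   tcp  32769  nlockmgr
    100024    1   udp  32770  status
    100024    1   tcp  32772  status
    391002    2   tcp  32773  sgi_fam
EOF
}

# nfs_helper_ports (hypothetical helper): read `rpcinfo -p` output on stdin
# and print "service proto port kind" once per distinct service/proto/port.
# kind is "wellknown" for 111 and 2049, otherwise "registered", meaning the
# port is learned from the portmapper and a static firewall rule cannot
# assume it.
nfs_helper_ports() {
  awk '
    BEGIN {
      # Standard ONC RPC program numbers used by NFSv2/v3.
      name[100000] = "portmapper"; name[100003] = "nfs"
      name[100005] = "mountd";     name[100021] = "nlockmgr"
      name[100024] = "status"
    }
    ($1 in name) {
      key = name[$1] " " $3 " " $4
      if (key in seen) next          # several versions share one port
      seen[key] = 1
      kind = ($4 == 111 || $4 == 2049) ? "wellknown" : "registered"
      print key, kind
    }'
}

# Live use: rpcinfo -p <host> | nfs_helper_ports
sample_rpcinfo | nfs_helper_ports
```

Run against the server it shows what a firewall in front of the server has to pass; run against a client it shows the `nlockmgr` and `status` ports the server has to reach in the reverse direction.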




2005-04-08 14:08:08

by Chris Penney

Subject: Re: NAT & lockd

> > nsm_mon_unmon: rpc failed, status=-13
> > lockd: cannot monitor x.x.x.x
> >
> > With our old NFS server I never got any messages. The IP address
> > x.x.x.x is that of the NAT box. I'm curious if this means locking
> > does not work behind nat or if it means something else. Is there
> > anything I can do here? Would a 2.6.x based NAT box have a more up to
> > date iptables that supports lockd? This is non-critical, I'm just
> > trying to understand.
>
> Locking under NFSv2/v3 is not very NAT or firewall-friendly and was one
> of the motivations for developing NFSv4.
>
> The problem is that under NFSv2/v3, the protocol requires bi-directional
> communication (by which I mean that the server needs to be able to
> connect to the client, which is a problem for NAT as you can see above)
> and requires a bunch of helper-protocols that use different ports (which
> is a problem for firewalls).

In this situation (behind NAT), what happens with the client? Will a
lock request fail or simply appear to always work?

Do I need to be concerned about the server reliability at all (i.e., are
the messages harmless other than obviously the files not really being
locked)?

Thanks for the fast reply,

Chris



2005-04-08 15:13:01

by Trond Myklebust

Subject: Re: NAT & lockd

On Fri, 08.04.2005 at 10:08 (-0400), Chris Penney wrote:

> In this situation (behind NAT), what happens with the client? Will a
> lock request fail or simply appear to always work?
>

The server will refuse to grant the lock if it fails to set up
monitoring with the client, so you should be "safe".

Cheers,
Trond
--
Trond Myklebust <[email protected]>


