On Jun 4, 2009, at 6:36 PM, Nils Goroll wrote:

> Robert,
>
> thank you for your explanation. I was expecting something like this.
>
> All,
>
> Maybe someone can help me with the issue I am working on - and which
> is the reason why I was looking for the lockd source:
>
> For some reason, some part of the lock manager code (should be
> something called from lm_frlock, see
> http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/fs/nfs/nfs3_vnops.c#5456)
> makes a portmapper call via TCP, snoop output:
>
> client -> server TCP D=111 S=824 Ack=3432375581 Seq=1362221294 Len=0 Win=49640
> client -> server PORTMAP C GETPORT prog=100021 (NLM) vers=4 proto=TCP
> server -> client TCP D=824 S=111 Ack=1362221426 Seq=3432375581 Len=0 Win=49640
> server -> client PORTMAP R GETPORT port=4045
> client -> server TCP D=111 S=824 Ack=3432375613 Seq=1362221426 Len=0 Win=49640
> client -> server NLM C LOCK4 OH=3C00 FH=C228 PID=13737 Region=0:0
> server -> client NLM R LOCK4 OH=3C00 granted
>
> The issue here is that a firewall between the client and the server
> (Checkpoint FW-1) can inspect portmapper calls and dynamically open
> the respective ports ("RPC inspection"). It does not, however,
> prevent RPC proxy calls through 111/tcp, so 111/tcp should usually
> remain closed because opening it will effectively disable RPC
> inspection.
>
> What I would like to see is the NLM code making portmapper calls via
> UDP.
>
> Is there any way to configure this? If not, would anyone with access
> to the lockmanager code be willing to fix this issue (make the
> transport protocol configurable)?
>
> All help is greatly appreciated,

Hmm.. Nothing in /etc/default/nfs ..

If I had to guess I'd suspect that NLM uses the same transport as the NFS
mount, this is based on this comment:

http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/nfs/nfs_clnt.h#298

I guess you could test that using proto=udp,vers=3 .. (just a WAG .. )

Robert.
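
Added example, not part of the original thread and not Solaris code: the GETPORT exchange from the snoop trace encoded as ONC RPC messages, showing that the same call goes out unchanged over UDP and gains only a record mark over TCP, and that proto= in the trace is a call argument rather than the carrier. The function names, the AUTH_NONE credential and the sample reply are assumptions made for illustration.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3   # RFC 1833 portmapper v2
NLM_PROG, NLM_VERS = 100021, 4                          # from the snoop trace
IPPROTO_TCP, IPPROTO_UDP = 6, 17
LAST_FRAGMENT = 0x80000000                              # RFC 5531 record-mark flag

def getport_call(xid, prog, vers, prot):
    """Build an ONC RPC v2 CALL to PMAPPROC_GETPORT with AUTH_NONE (assumed)."""
    header = struct.pack(">6I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth_none = struct.pack(">4I", 0, 0, 0, 0)          # empty credential + verifier
    # 'prot' is the transport of the service being looked up (proto= in snoop),
    # not the transport that carries this portmapper call.
    return header + auth_none + struct.pack(">4I", prog, vers, prot, 0)

def frame(msg, transport):
    """UDP sends the message as one datagram; TCP prepends a 4-byte record mark."""
    if transport == "udp":
        return msg
    if transport == "tcp":
        return struct.pack(">I", LAST_FRAGMENT | len(msg)) + msg
    raise ValueError(f"unknown transport: {transport}")

def unframe(data, transport):
    if transport == "udp":
        return data
    if transport != "tcp" or len(data) < 4:
        raise ValueError("bad transport or short record")
    (mark,) = struct.unpack(">I", data[:4])
    if not mark & LAST_FRAGMENT or (mark & 0x7FFFFFFF) != len(data) - 4:
        raise ValueError("fragmented or truncated record")
    return data[4:]

def parse_getport_reply(data, transport, expected_xid):
    """Return the port from an accepted GETPORT reply (0 means not registered)."""
    msg = unframe(data, transport)
    if len(msg) != 28:
        raise ValueError("unexpected reply length")
    xid, mtype, reply_stat, _vflavor, vlen, accept_stat, port = struct.unpack(">7I", msg)
    if xid != expected_xid or mtype != 1:
        raise ValueError("not the reply to this call")
    if reply_stat != 0 or vlen != 0 or accept_stat != 0:
        raise ValueError("call denied, failed, or carries a non-empty verifier")
    return port

def sample_reply(xid, port, transport):
    """Constructed sample reply: MSG_ACCEPTED, AUTH_NONE verifier, SUCCESS, port."""
    return frame(struct.pack(">7I", xid, 1, 0, 0, 0, 0, port), transport)
```

The TCP-framed sample reply is 32 bytes, which equals the amount of server data the client acknowledges in the trace (Ack 3432375581 to 3432375613).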