Re: RPC request sent to 127.0.0.1 becomes from other IP on machine
Ok, I had a hunch it was related to the use of jails. I am just testing a patch that switches the nfsuserd over to using an af_local socket, so this will be avoided. (I think it makes more sense anyhow. I just never got around to doing it.;-) Thanks for the info, rick - Original Message - > On Thu, 10 Dec 2015, Rick Macklem wrote: > > > Hi, > > > > Mark has reported a problem via email where the nfsuserd daemon sees > > requests coming from an IP# assigned to the machine instead of 127.0.0.1. > > Here's a snippet from his message: > > Ok, I have Plex in a jail and when I scan the remote NFS file share the > > *local* server's nfsuserd spams the logs. > > Spamming the logs refers to the messages nfsuserd generates when it gets > > a request from an address other than 127.0.0.1. > > > > I think the best solution is to switch nfsuserd over to using an AF_LOCAL > > socket like the gssd uses, but that will take a little coding and probably > > won't be MFCable. > > > > I've sent him the attached patch to try as a workaround. > > > > Does anyone happen to know under what circumstances the address 127.0.0.1 > > gets replaced? > > My memory is quite hazy on this subject, but I think that outbound traffic > from a jail is not permitted to use the system loopback address 127.0.0.1; > traffic from this address within a jail gets replace with the jail's > primary IP address. It is possible to specify an alternate loopback > address for use within the jail (e.g., 127.0.0.2) and if that alternate > address is only bound within the jail, it can be used for outgoing traffic > to the host. See jail.conf(5); I appear to have something like: > > kduck { > host.hostname = "kduck.mit.edu"; > ip4.addr = lo0|127.0.0.2, 18.18.0.52; > [...] > } > > Note that there may be some additional magic about the primary address of > the jail being first (or last?) in the list of addresses. > > -Ben > ___ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org" > ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: RPC request sent to 127.0.0.1 becomes from other IP on machine
On Thu, 10 Dec 2015, Rick Macklem wrote: > Hi, > > Mark has reported a problem via email where the nfsuserd daemon sees > requests coming from an IP# assigned to the machine instead of 127.0.0.1. > Here's a snippet from his message: > Ok, I have Plex in a jail and when I scan the remote NFS file share the > *local* server's nfsuserd spams the logs. > Spamming the logs refers to the messages nfsuserd generates when it gets > a request from an address other than 127.0.0.1. > > I think the best solution is to switch nfsuserd over to using an AF_LOCAL > socket like the gssd uses, but that will take a little coding and probably > won't be MFCable. > > I've sent him the attached patch to try as a workaround. > > Does anyone happen to know under what circumstances the address 127.0.0.1 > gets replaced? My memory is quite hazy on this subject, but I think that outbound traffic from a jail is not permitted to use the system loopback address 127.0.0.1; traffic from this address within a jail gets replace with the jail's primary IP address. It is possible to specify an alternate loopback address for use within the jail (e.g., 127.0.0.2) and if that alternate address is only bound within the jail, it can be used for outgoing traffic to the host. See jail.conf(5); I appear to have something like: kduck { host.hostname = "kduck.mit.edu"; ip4.addr = lo0|127.0.0.2, 18.18.0.52; [...] } Note that there may be some additional magic about the primary address of the jail being first (or last?) in the list of addresses. -Ben ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: RPC request sent to 127.0.0.1 becomes from other IP on machine
On Thu, Dec 10, 2015, at 07:37, Rick Macklem wrote: > Hi, > > Mark has reported a problem via email where the nfsuserd daemon sees > requests coming from an IP# assigned to the machine instead of 127.0.0.1. > Here's a snippet from his message: > Ok, I have Plex in a jail and when I scan the remote NFS file share the > *local* server's nfsuserd spams the logs. > Spamming the logs refers to the messages nfsuserd generates when it gets > a request from an address other than 127.0.0.1. > > I think the best solution is to switch nfsuserd over to using an AF_LOCAL > socket like the gssd uses, but that will take a little coding and > probably > won't be MFCable. > > I've sent him the attached patch to try as a workaround. > > Does anyone happen to know under what circumstances the address 127.0.0.1 > gets replaced? > > And do you know if it will always be replaced with the same > address? > (I'm basically wondering if the workaround needs to be a list of IP > addresses > instead of a single address?) > > Thanks in advance for any help with this, rick > I've opened a PR per your request https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=205193 -- Mark Felder ports-secteam member f...@freebsd.org ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: RPC request sent to 127.0.0.1 becomes from other IP on machine
I think a local socket is probably the best solution long term. Using a local socket also allows using filesystem permissions to control access which is required for gssd but not necessarily for nfsuserd. On 10 December 2015 at 13:37, Rick Macklem wrote: > Hi, > > Mark has reported a problem via email where the nfsuserd daemon sees > requests coming from an IP# assigned to the machine instead of 127.0.0.1. > Here's a snippet from his message: > Ok, I have Plex in a jail and when I scan the remote NFS file share the > *local* server's nfsuserd spams the logs. > Spamming the logs refers to the messages nfsuserd generates when it gets > a request from an address other than 127.0.0.1. > > I think the best solution is to switch nfsuserd over to using an AF_LOCAL > socket like the gssd uses, but that will take a little coding and probably > won't be MFCable. > > I've sent him the attached patch to try as a workaround. > > Does anyone happen to know under what circumstances the address 127.0.0.1 > gets replaced? > > And do you know if it will always be replaced with the same > address? > (I'm basically wondering if the workaround needs to be a list of IP > addresses > instead of a single address?) > > Thanks in advance for any help with this, rick > > > ___ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org" > ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
RPC request sent to 127.0.0.1 becomes from other IP on machine
Hi, Mark has reported a problem via email where the nfsuserd daemon sees requests coming from an IP# assigned to the machine instead of 127.0.0.1. Here's a snippet from his message: Ok, I have Plex in a jail and when I scan the remote NFS file share the *local* server's nfsuserd spams the logs. Spamming the logs refers to the messages nfsuserd generates when it gets a request from an address other than 127.0.0.1. I think the best solution is to switch nfsuserd over to using an AF_LOCAL socket like the gssd uses, but that will take a little coding and probably won't be MFCable. I've sent him the attached patch to try as a workaround. Does anyone happen to know under what circumstances the address 127.0.0.1 gets replaced? And do you know if it will always be replaced with the same address? (I'm basically wondering if the workaround needs to be a list of IP addresses instead of a single address?) Thanks in advance for any help with this, rick --- nfsuserd.c.sav 2015-12-09 18:46:29.284972000 -0500 +++ nfsuserd.c 2015-12-09 18:59:33.564498000 -0500 @@ -40,6 +40,10 @@ __FBSDID("$FreeBSD: head/usr.sbin/nfsuse #include #include +#include + +#include + #include #include @@ -94,6 +98,7 @@ gid_t defaultgid = (gid_t)32767; int verbose = 0, im_a_slave = 0, nfsuserdcnt = -1, forcestart = 0; int defusertimeout = DEFUSERTIMEOUT, manage_gids = 0; pid_t slaves[MAXNFSUSERD]; +struct in_addr fromip; int main(int argc, char *argv[]) @@ -144,6 +149,7 @@ main(int argc, char *argv[]) } } } + fromip.s_addr = inet_addr("127.0.0.1"); nid.nid_usermax = DEFUSERMAX; nid.nid_usertimeout = defusertimeout; @@ -190,6 +196,15 @@ main(int argc, char *argv[]) usage(); } nid.nid_usertimeout = defusertimeout = i * 60; + } else if (!strcmp(*argv, "-fromip")) { + if (argc == 1) +usage(); + argc--; + argv++; + if (inet_aton(*argv, &fromip) == 0) { +fprintf(stderr, "Bad -fromip %s\n", *argv); +usage(); + } } else if (nfsuserdcnt == -1) { nfsuserdcnt = atoi(*argv); if (nfsuserdcnt < 1) @@ -458,22 +473,22 @@ nfsuserdsrv(struct svc_req *rqstp, SVCXP u_short sport; struct info info; struct nfsd_idargs nid; - u_int32_t saddr; gid_t grps[NGROUPS]; int ngroup; /* - * Only handle requests from 127.0.0.1 on a reserved port number. + * Only handle requests from 127.0.0.1 on a reserved port number, + * unless the "-fromip" specified a different address. * (Since a reserved port # at localhost implies a client with * local root, there won't be a security breach. This is about * the only case I can think of where a reserved port # means * something.) */ sport = ntohs(transp->xp_raddr.sin_port); - saddr = ntohl(transp->xp_raddr.sin_addr.s_addr); if ((rqstp->rq_proc != NULLPROC && sport >= IPPORT_RESERVED) || - saddr != 0x7f01) { - syslog(LOG_ERR, "req from ip=0x%x port=%d\n", saddr, sport); + transp->xp_raddr.sin_addr.s_addr != fromip.s_addr) { + syslog(LOG_ERR, "req from ip=%s port=%d\n", + inet_ntoa(transp->xp_raddr.sin_addr), sport); svcerr_weakauth(transp); return; } @@ -721,5 +736,5 @@ usage(void) { errx(1, - "usage: nfsuserd [-usermax cache_size] [-usertimeout minutes] [-verbose] [-manage-gids] [-domain domain_name] [n]"); + "usage: nfsuserd [-usermax cache_size] [-usertimeout minutes] [-verbose] [-manage-gids] [-domain domain_name] [-fromip xx.xx.xx.xx] [n]"); } --- nfsuserd.8.sav 2015-12-09 19:13:48.173812000 -0500 +++ nfsuserd.8 2015-12-09 19:19:38.522516000 -0500 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD: head/usr.sbin/nfsuserd/nfsuserd.8 276258 2014-12-26 21:56:23Z joel $ .\" -.Dd November 1, 2015 +.Dd December 9, 2015 .Dt NFSUSERD 8 .Os .Sh NAME @@ -37,6 +37,7 @@ services plus support manage-gids for al .Op Fl domain Ar domain_name .Op Fl usertimeout Ar minutes .Op Fl usermax Ar max_cache_size +.Op Fl fromip Ar ip_address .Op Fl verbose .Op Fl force .Op Fl manage-gids @@ -76,6 +77,21 @@ the more kernel memory is used, but the system can afford the memory use, make this the sum of the number of entries in your group and password databases. The default is 200 entries. +.It Fl fromip Ar ip_address +This overrides the default upcall from address of 127.0.0.1. +Although the upcall connection is done to 127.0.0.1, some network +configurations will result in another IP address assigned to the machine +as the from address. +If you get syslog messages like: +.sp +.nf +Dec 9 19:03:20 nfsv4-laptop nfsuserd:[506]: req from ip=131.104.48.17 port=861 +.fi +.sp +then you should use this option to set the from IP address to the one in +the message. +Only do this for IP addresses assigned to the machine this daemon is running +on. .It Fl verbose When set, the server logs a bunch of information to syslog. .It Fl force ___ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send