Bug 689589 - Using nfsclient RA NFSv3 clients with iptables fail
Summary: Using nfsclient RA NFSv3 clients with iptables fail
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nfs-utils
Version: 6.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Assignee: Steve Dickson
QA Contact: yanfu,wang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-03-21 20:29 UTC by Colin.Simpson
Modified: 2011-08-11 16:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-11 16:49:27 UTC
Target Upstream Version:
Embargoed:



Description Colin.Simpson 2011-03-21 20:29:59 UTC
Description of problem:

When connecting from an NFSv3 client with an iptables firewall turned on, the client fails to mount due to RPC replies coming from the node IP and not the cluster IP that the request was made to, e.g.

19:16:09.614792 IP client1.53252 > clunfshomes.sunrpc: UDP, length 40
19:16:09.615099 IP node2.sunrpc > client1.53252: UDP, length 24
19:16:09.615141 IP client1 > node2: ICMP host client1 unreachable - admin prohibited, length 60

Works fine with iptables stopped.

I have tried adding an /etc/sysconfig/rpcbind with the cluster NFS service IPs, e.g.

RPCBIND_ARGS="-h 10.10.1.14 -h 10.10.1.2"

But this doesn't help. I now get:

19:54:47.764270 IP client1.57371 > node2.sunrpc: UDP, length 40
19:54:47.764476 IP node2 > client1: ICMP node2 udp port sunrpc unreachable, length 76

Maybe node IP needs to be up before rpcbind can be passed the -h flag? I'm not sure?

Wasn't sure where this should go in bugzilla. It's an issue likely only to occur in clustered NFS so logged to the RA. Not really a bug in rpcbind. It would be a documentation issue if I knew how to fix this?

The only workarounds I know are to fully open to all RPC replies or src IPs from the node IPs.
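
The first capture above, checked the way a stateful firewall on the client checks it: a UDP reply is accepted only when its source is the address the request was sent to. This is an added example, not part of the original report; the client2 lines and the function name find_mismatched_replies are constructed for illustration.

```python
import re

# Constructed sample: the three tcpdump lines from the description, plus one
# well-behaved exchange (client2, made up) for contrast.
CAPTURE = """\
19:16:09.614792 IP client1.53252 > clunfshomes.sunrpc: UDP, length 40
19:16:09.615099 IP node2.sunrpc > client1.53252: UDP, length 24
19:16:09.615141 IP client1 > node2: ICMP host client1 unreachable - admin prohibited, length 60
19:16:10.100000 IP client2.40000 > clunfshomes.sunrpc: UDP, length 40
19:16:10.100300 IP clunfshomes.sunrpc > client2.40000: UDP, length 24
"""

# tcpdump prints "host.port"; the port (or service name) is the last dotted field.
UDP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^.\s:]+): UDP, length \d+$"
)


def find_mismatched_replies(capture, service="sunrpc"):
    """Return (timestamp, client, asked, answered_by) for every reply whose
    source differs from the address the client's request was sent to."""
    pending = {}      # (client, client_port) -> address the request went to
    mismatches = []
    for line in capture.splitlines():
        m = UDP_LINE.match(line)
        if not m:
            continue  # ICMP errors and other lines carry no UDP flow
        src, sport, dst, dport = m["src"], m["sport"], m["dst"], m["dport"]
        if dport == service:
            # Outbound request: remember which server address was asked.
            pending[(src, sport)] = dst
        elif sport == service:
            # Inbound reply: connection tracking only matches the exact
            # reverse of the request, so a different source is a new flow.
            asked = pending.get((dst, dport))
            if asked is not None and asked != src:
                mismatches.append((m["ts"], dst, asked, src))
    return mismatches


if __name__ == "__main__":
    for ts, client, asked, answered in find_mismatched_replies(CAPTURE):
        print(f"{ts} {client}: asked {asked}, answered by {answered}")
```

Run against a saved `tcpdump` text capture, each reported tuple is a reply the client firewall treats as unsolicited, which matches the "admin prohibited" ICMP error that follows it in the capture.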

Comment 4 Lon Hohberger 2011-05-27 15:50:41 UTC
Moving to nfs-utils, though I suspect there is no "fix" for this.  This is because when we send a reply packet to a host using UDP, it will be routed from the primary IP instead of the VIP.

Comment 5 Colin.Simpson 2011-05-27 16:37:35 UTC
I think this is now fixed in RH 6.1. I just haven't closed it as I haven't tested on the production cluster. It seems to work on my test system with two IPs on one card.

I opened this as a support call through Dell (who provide RH support on our cluster) and they escalated to RH, so seems to have been fixed given the "Technical Notes" (and what I'm told).

Note 1.131. libtirpc

1.131.1. RHBA-2011:0747: bug fix update

In a multi-homed NFS server with two IP addresses on the same subnet, mount operations sent to one IP address would result in a reply from the other IP address. This is now fixed to ensure that a mount request to one IP address elicits a response from the same IP address. (BZ#676234)

Comment 6 Colin.Simpson 2011-07-14 09:44:19 UTC
This is now resolved in 6.1, I have checked it and it works fine now.

Comment 7 Steve Dickson 2011-08-11 16:49:27 UTC
Closing due to https://bugzilla.redhat.com/show_bug.cgi?id=689589#c5

