Bug 689589 - Using nfsclient RA NFSv3 clients with iptables fail
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nfs-utils
Version: 6.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Steve Dickson
QA Contact: yanfu,wang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-03-21 20:29 UTC by Colin.Simpson
Modified: 2011-08-11 16:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-11 16:49:27 UTC
Target Upstream Version:



Description Colin.Simpson 2011-03-21 20:29:59 UTC
Description of problem:

When connecting from an NFSv3 client with an iptables firewall turned on, the client fails to mount due to RPC replies coming from the node IP and not the cluster IP that the request was made to, e.g.:

19:16:09.614792 IP client1.53252 > clunfshomes.sunrpc: UDP, length 40
19:16:09.615099 IP node2.sunrpc > client1.53252: UDP, length 24
19:16:09.615141 IP client1 > node2: ICMP host client1 unreachable - admin prohibited, length 60

Works fine with iptables stopped.

I have tried adding in an /etc/sysconfig/rpcbind with the IPs of the cluster NFS service IPs, e.g.:

RPCBIND_ARGS="-h 10.10.1.14 -h 10.10.1.2"

But this doesn't help. I now get:

19:54:47.764270 IP client1.57371 > node2.sunrpc: UDP, length 40
19:54:47.764476 IP node2 > client1: ICMP node2 udp port sunrpc unreachable, length 76

Maybe node IP needs to be up before rpcbind can be passed the -h flag? I'm not sure?

Wasn't sure where this should go in bugzilla. It's an issue likely only to occur in clustered NFS so logged to the RA. Not really a bug in rpcbind. It would be a documentation issue if I knew how to fix this?

The only workarounds I know are to fully open to all RPC replies or src IPs from the node IPs.

Comment 4 Lon Hohberger 2011-05-27 15:50:41 UTC
Moving to nfs-utils, though I suspect there is no "fix" for this.  This is because when we send a reply packet to a host using UDP, it will be routed from the primary IP instead of the VIP.
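
Added example, not part of the original report or of any Red Hat tooling: a small Python check that reads tcpdump text output like the capture in the description and flags UDP RPC replies whose source host differs from the host the request was addressed to. That is the mismatch a connection-tracking iptables rule set does not accept as a reply. The function name, the `SAMPLE` constant and the default service ports are assumptions made for illustration.

```python
import re

# Sample input taken from the tcpdump lines quoted in the bug description.
SAMPLE = """\
19:16:09.614792 IP client1.53252 > clunfshomes.sunrpc: UDP, length 40
19:16:09.615099 IP node2.sunrpc > client1.53252: UDP, length 24
19:16:09.615141 IP client1 > node2: ICMP host client1 unreachable - admin prohibited, length 60
"""

# tcpdump prints endpoints as "host.port"; the port is the text after the last dot.
UDP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^.\s:]+): UDP, length \d+$"
)


def find_asymmetric_replies(capture, service_ports=("sunrpc", "111")):
    """Return (timestamp, client, asked_host, replied_host) for every UDP reply
    whose source host is not the host the matching request was sent to."""
    pending = {}  # (client, client_port, service_port) -> host the request addressed
    findings = []
    for line in capture.splitlines():
        m = UDP_LINE.match(line.strip())
        if not m:
            continue  # ICMP and other non-UDP lines are ignored
        src, sport, dst, dport = m["src"], m["sport"], m["dst"], m["dport"]
        if dport in service_ports:
            # Request: remember which server address the client asked.
            pending[(src, sport, dport)] = dst
        elif sport in service_ports:
            # Reply: a stateful firewall expects the request tuple reversed,
            # so the source must be the address that was asked.
            asked = pending.pop((dst, dport, sport), None)
            if asked is not None and asked != src:
                findings.append((m["ts"], dst, asked, src))
    return findings


if __name__ == "__main__":
    for ts, client, asked, replied in find_asymmetric_replies(SAMPLE):
        print(f"{ts} {client}: asked {asked}, answered by {replied}")
```

Capturing with `tcpdump -n` gives numeric addresses and ports, which avoids comparing names that depend on reverse DNS.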

Comment 5 Colin.Simpson 2011-05-27 16:37:35 UTC
I think this is now fixed in RH 6.1. I just haven't closed as I haven't tested on the production cluster. It seems to work on my test system with two IPs on one card.

I opened this as a support call through Dell (who provide RH support on our cluster) and they escalated to RH, so seems to have been fixed given the "Technical Notes" (and what I'm told).

Note 1.131. libtirpc

1.131.1. RHBA-2011:0747: bug fix update

In a multi-homed NFS server with two IP addresses on the same subnet, mount operations sent to one IP address would result in a reply from the other IP address. This is now fixed to ensure that a mount request to one IP address elicits a response from the same IP address. (BZ#676234)

Comment 6 Colin.Simpson 2011-07-14 09:44:19 UTC
This is now resolved in 6.1; I have checked it and it works fine now.

Comment 7 Steve Dickson 2011-08-11 16:49:27 UTC
Closing due to https://bugzilla.redhat.com/show_bug.cgi?id=689589#c5

