Red Hat Bugzilla – Bug 689589
Using nfsclient RA NFSv3 clients with iptables fail
Last modified: 2011-08-11 12:49:27 EDT
Description of problem:
When connecting from an NFSv3 client with an iptables firewall turned on, the client fails to mount due to RPC replies coming from the node IP and not the cluster IP that the request was made to e.g.
19:16:09.614792 IP client1.53252 > clunfshomes.sunrpc: UDP, length 40
19:16:09.615099 IP node2.sunrpc > client1.53252: UDP, length 24
19:16:09.615141 IP client1 > node2: ICMP host client1 unreachable - admin prohibited, length 60
Works fine with iptables stopped.
I have tried adding in an /etc/sysconfig/rpcbind with the IPs of the cluster NFS service IPs, e.g.
RPCBIND_ARGS="-h 10.10.1.14 -h 10.10.1.2"
But this doesn't help. I now get:
19:54:47.764270 IP client1.57371 > node2.sunrpc: UDP, length 40
19:54:47.764476 IP node2 > client1: ICMP node2 udp port sunrpc unreachable, length 76
Maybe node IP needs to be up before rpcbind can be passed the -h flag? I'm not sure?
Wasn't sure where this should go in bugzilla. It's an issue likely only to occur in clustered NFS so logged to the RA. Not really a bug in rpcbind. It would be a documentation issue if I knew how to fix this?
The only workarounds I know of are to fully open to all RPC replies or to src IPs from the node IPs.
Moving to nfs-utils, though I suspect there is no "fix" for this. This is because when we send a reply packet to a host using UDP, it will be routed from the primary IP instead of the VIP.
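The symptom in the description is visible in the tcpdump lines themselves: the portmapper request goes to the cluster IP (clunfshomes) but the UDP reply comes back from the node's primary IP (node2), and the client's firewall rejects it with an ICMP admin-prohibited message. The following script is an added example, not part of this bug or of nfs-utils, that parses tcpdump summary lines of that form, pairs each sunrpc request with its reply by the client's ephemeral port, and reports every reply whose source host differs from the host the request was sent to. The capture text is constructed from the lines quoted above plus one healthy exchange; the host names and the packet format are assumed to be tcpdump's default name-resolved output (without -n).

```python
import re

# Summary lines tcpdump prints for UDP datagrams, in the form quoted in this bug:
#   19:16:09.614792 IP client1.53252 > clunfshomes.sunrpc: UDP, length 40
UDP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\w.-]+)\.(?P<sport>\w+) > "
    r"(?P<dst>[\w.-]+)\.(?P<dport>\w+): UDP, length (?P<len>\d+)$"
)

# The client firewall rejecting a reply it did not expect:
#   19:16:09.615141 IP client1 > node2: ICMP host client1 unreachable - admin prohibited, length 60
ADMIN_PROHIBITED = re.compile(
    r"^\S+ IP (?P<src>[\w.-]+) > (?P<dst>[\w.-]+): "
    r"ICMP host \S+ unreachable - admin prohibited"
)

# tcpdump prints the service name for port 111 unless -n is used
RPC_PORTS = {"sunrpc", "111"}


def find_asymmetric_replies(lines):
    """Return one finding per sunrpc reply whose source host is not the host
    the matching request was addressed to (the VIP vs. primary-IP mismatch)."""
    pending = {}   # (client host, client port) -> server host the request went to
    findings = []
    for line in lines:
        m = UDP_LINE.match(line.strip())
        if not m:
            continue  # ICMP and other non-UDP lines are handled elsewhere
        src, sport, dst, dport = m.group("src", "sport", "dst", "dport")
        if dport in RPC_PORTS:
            # Request from a client ephemeral port to the portmapper
            pending[(src, sport)] = dst
        elif sport in RPC_PORTS and (dst, dport) in pending:
            # Reply to a request we saw; compare who answered with who was asked
            asked = pending.pop((dst, dport))
            if asked != src:
                findings.append({
                    "ts": m["ts"],
                    "client": f"{dst}.{dport}",
                    "asked": asked,
                    "replied": src,
                })
    return findings


def count_admin_prohibited(lines):
    """Count ICMP admin-prohibited rejections, the client-side trace of the
    firewall dropping a reply from an address it has no rule for."""
    return sum(1 for line in lines if ADMIN_PROHIBITED.match(line.strip()))


# Constructed capture: the three lines from the bug report, followed by one
# exchange where the reply correctly comes from the cluster IP.
SAMPLE_CAPTURE = """\
19:16:09.614792 IP client1.53252 > clunfshomes.sunrpc: UDP, length 40
19:16:09.615099 IP node2.sunrpc > client1.53252: UDP, length 24
19:16:09.615141 IP client1 > node2: ICMP host client1 unreachable - admin prohibited, length 60
19:16:12.001000 IP client1.53253 > clunfshomes.sunrpc: UDP, length 40
19:16:12.001300 IP clunfshomes.sunrpc > client1.53253: UDP, length 24
"""


if __name__ == "__main__":
    lines = SAMPLE_CAPTURE.splitlines()
    for f in find_asymmetric_replies(lines):
        print(f"{f['ts']} {f['client']} asked {f['asked']} but {f['replied']} answered")
    print(f"{count_admin_prohibited(lines)} admin-prohibited rejection(s)")
```

Run against a live capture by piping `tcpdump -l` output into a small wrapper around find_asymmetric_replies; a non-empty result on a client that mounts fine with iptables stopped points at exactly the reply-sourcing behaviour described in this bug rather than at a wrong firewall rule on the client.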
I think this is now fixed in RH 6.1. I just haven't closed as I haven't tested on the production cluster. It seems to work on my test system with two IPs on one card.
I opened this as a support call through Dell (who provide RH support on our cluster) and they escalated to RH, so seems to have been fixed given the "Technical Notes" (and what I'm told).
Note 1.131. libtirpc
1.131.1. RHBA-2011:0747: bug fix update
In a multi-homed NFS server with two IP addresses on the same subnet, mount operations sent to one IP address would result in a reply from the other IP address. This is now fixed to ensure that a mount request to one IP address elicits a response from the same IP address. (BZ#676234)
This is now resolved in 6.1, I have checked it and it works fine now.
Closing due to https://bugzilla.redhat.com/show_bug.cgi?id=689589#c5