Bug 689589 - Using nfsclient RA NFSv3 clients with iptables fail
Using nfsclient RA NFSv3 clients with iptables fail
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nfs-utils (Show other bugs)
6.0
Unspecified Unspecified
low Severity low
: rc
: ---
Assigned To: Steve Dickson
yanfu,wang
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-03-21 16:29 EDT by Colin.Simpson
Modified: 2011-08-11 12:49 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-08-11 12:49:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Colin.Simpson 2011-03-21 16:29:59 EDT
Description of problem:

When connecting from an NFSv3 client with an iptables firewall turned on, the client fails to mount due to RPC replies coming from the node IP and not the cluster IP that the request was made to e.g.

19:16:09.614792 IP client1.53252 > clunfshomes.sunrpc: UDP, length 40
19:16:09.615099 IP node2.sunrpc > client1.53252: UDP, length 24
19:16:09.615141 IP client1 > node2: ICMP host client1 unreachable - admin prohibited, length 60

Works fine with iptables stopped.

I have tried adding in an /etc/sysconfig/rpcbind with the IP's of the cluster NFS service IP's. e.g

RPCBIND_ARGS="-h 10.10.1.14 -h 10.10.1.2"

But this doesn't help. I now get:

19:54:47.764270 IP client1.57371 > node2.sunrpc: UDP, length 40
19:54:47.764476 IP node2 > client1: ICMP node2 udp port sunrpc unreachable, length 76

Maybe node IP needs to be up before rpcbind can be passed the -h flag? I'm not sure?

Wasn't sure where this should go in bugzilla. It's an issue likely only to occur in clustered NFS so logged to the RA. Not really a bug in rpcbind. It would be a documentation issue if I knew how to fix this?

The only workaround I know are to full open to all RPC replies or src IP's from the node IP's.
Comment 4 Lon Hohberger 2011-05-27 11:50:41 EDT
Moving to nfs-utils, though I suspect there is no "fix" for this.  This is because when we send a reply packet to a host using UDP, it will be routed from the primary IP instead of the VIP.
Comment 5 Colin.Simpson 2011-05-27 12:37:35 EDT
I think this is now fixed in RH 6.1. I just haven't closed as I haven't tested on the production cluster. It seems to work on my test system with two IP's on one card.

I opened this as a support call through Dell (who provide RH support on our cluster) and they escalated to RH, so seems to have been fixed given the "Technical Notes" (and what I'm told).

Note 1.131. libtirpc

1.131.1. RHBA-2011:0747: bug fix update

In a multi-homed NFS server with two IP addresses on the same subnet, mount operations sent to one IP address would result in a reply from the other IP address. This is now fixed to ensure that a mount request to one IP address elicits a response from the same IP address. (BZ#676234)
Comment 6 Colin.Simpson 2011-07-14 05:44:19 EDT
This is now resolved in 6.1, I have checked it and it works fine now.
Comment 7 Steve Dickson 2011-08-11 12:49:27 EDT
Closing due to https://bugzilla.redhat.com/show_bug.cgi?id=689589#c5

Note You need to log in before you can comment on or make changes to this bug.