From: Chuck Lever <chuck.lever@oracle.com>
To: Trond Myklebust <trondmy@kernel.org>, linux-nfs@vger.kernel.org
Cc: Mike Snitzer <snitzer@kernel.org>,
Olga Kornievskaia <okorniev@redhat.com>,
Christoph Hellwig <hch@infradead.org>
Subject: Re: [PATCH 3/4] pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS
Date: Sun, 19 Oct 2025 13:11:42 -0400
Message-ID: <8678fb71-ef4f-4bdd-b233-24c5ef3c27b6@oracle.com>
In-Reply-To: <816ed47531df15f4e64c54df181ffc59827d18fe.1760831906.git.trond.myklebust@hammerspace.com>
On 10/18/25 8:10 PM, Trond Myklebust wrote:
> From: Trond Myklebust <trond.myklebust@hammerspace.com>
>
> The default setting for the transport security policy must be
> RPC_XPRTSEC_NONE, when using a TCP or RDMA connection without TLS.
> Conversely, when using TLS, the security policy needs to be set.
That matches my understanding.
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
>
> Fixes: 6c0a8c5fcf71 ("NFS: Have struct nfs_client carry a TLS policy field")
> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
> ---
> fs/nfs/nfs3client.c | 14 ++++++++++++--
> fs/nfs/nfs4client.c | 14 ++++++++++++--
> 2 files changed, 24 insertions(+), 4 deletions(-)
>
> diff --git a/fs/nfs/nfs3client.c b/fs/nfs/nfs3client.c
> index 0d7310c1ee0c..5d97c1d38bb6 100644
> --- a/fs/nfs/nfs3client.c
> +++ b/fs/nfs/nfs3client.c
> @@ -2,6 +2,7 @@
> #include <linux/nfs_fs.h>
> #include <linux/nfs_mount.h>
> #include <linux/sunrpc/addr.h>
> +#include <net/handshake.h>
> #include "internal.h"
> #include "nfs3_fs.h"
> #include "netns.h"
> @@ -98,7 +99,11 @@ struct nfs_client *nfs3_set_ds_client(struct nfs_server *mds_srv,
> .net = mds_clp->cl_net,
> .timeparms = &ds_timeout,
> .cred = mds_srv->cred,
> - .xprtsec = mds_clp->cl_xprtsec,
> + .xprtsec = {
> + .policy = RPC_XPRTSEC_NONE,
> + .cert_serial = TLS_NO_CERT,
> + .privkey_serial = TLS_NO_PRIVKEY,
> + },
> .connect_timeout = connect_timeout,
> .reconnect_timeout = connect_timeout,
> };
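Review bot: the three-field initializer at `.xprtsec = {` (RPC_XPRTSEC_NONE, TLS_NO_CERT, TLS_NO_PRIVKEY) is duplicated verbatim in the nfs4client.c hunk of this same patch; a single shared initializer (a macro, or a static const struct that both functions copy from) would keep the two "no TLS" defaults from drifting if another field is ever added to the xprtsec struct, and would make it obvious that the same default is intended in both places.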
> @@ -111,9 +116,14 @@ struct nfs_client *nfs3_set_ds_client(struct nfs_server *mds_srv,
> cl_init.hostname = buf;
>
> switch (ds_proto) {
> + case XPRT_TRANSPORT_TCP_TLS:
> + if (mds_clp->cl_xprtsec.policy != RPC_XPRTSEC_NONE)
> + cl_init.xprtsec = mds_clp->cl_xprtsec;
> + else
> + ds_proto = XPRT_TRANSPORT_TCP;
> + fallthrough;
> case XPRT_TRANSPORT_RDMA:
> case XPRT_TRANSPORT_TCP:
> - case XPRT_TRANSPORT_TCP_TLS:
> if (mds_clp->cl_nconnect > 1)
> cl_init.nconnect = mds_clp->cl_nconnect;
> }
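Review bot: the `ds_proto = XPRT_TRANSPORT_TCP;` downgrade in the XPRT_TRANSPORT_TCP_TLS case runs after cl_init has already been built by the initializer above. If cl_init.proto is taken from ds_proto in that initializer (outside this hunk), the resulting client would carry a TCP_TLS proto together with an RPC_XPRTSEC_NONE policy, which is exactly the mismatch this patch is trying to remove; either assign `cl_init.proto = ds_proto;` after the switch or make the policy decision before cl_init is initialized. Separately, a TLS DS connection being quietly turned into cleartext TCP is a downgrade an administrator may not expect; a dprintk or pr_warn_once at the `else` branch would make it diagnosable.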
> diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c
> index 6fddf43d729c..bb4c41ad7134 100644
> --- a/fs/nfs/nfs4client.c
> +++ b/fs/nfs/nfs4client.c
> @@ -11,6 +11,7 @@
> #include <linux/sunrpc/xprt.h>
> #include <linux/sunrpc/bc_xprt.h>
> #include <linux/sunrpc/rpc_pipe_fs.h>
> +#include <net/handshake.h>
> #include "internal.h"
> #include "callback.h"
> #include "delegation.h"
> @@ -982,7 +983,11 @@ struct nfs_client *nfs4_set_ds_client(struct nfs_server *mds_srv,
> .net = mds_clp->cl_net,
> .timeparms = &ds_timeout,
> .cred = mds_srv->cred,
> - .xprtsec = mds_srv->nfs_client->cl_xprtsec,
> + .xprtsec = {
> + .policy = RPC_XPRTSEC_NONE,
> + .cert_serial = TLS_NO_CERT,
> + .privkey_serial = TLS_NO_PRIVKEY,
> + },
> };
> char buf[INET6_ADDRSTRLEN + 1];
>
> @@ -991,9 +996,14 @@ struct nfs_client *nfs4_set_ds_client(struct nfs_server *mds_srv,
> cl_init.hostname = buf;
>
> switch (ds_proto) {
> + case XPRT_TRANSPORT_TCP_TLS:
> + if (mds_srv->nfs_client->cl_xprtsec.policy != RPC_XPRTSEC_NONE)
> + cl_init.xprtsec = mds_srv->nfs_client->cl_xprtsec;
> + else
> + ds_proto = XPRT_TRANSPORT_TCP;
> + fallthrough;
> case XPRT_TRANSPORT_RDMA:
> case XPRT_TRANSPORT_TCP:
> - case XPRT_TRANSPORT_TCP_TLS:
> if (mds_clp->cl_nconnect > 1) {
> cl_init.nconnect = mds_clp->cl_nconnect;
> cl_init.max_connect = NFS_MAX_TRANSPORTS;
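Review bot: `mds_srv->nfs_client->cl_xprtsec` in the XPRT_TRANSPORT_TCP_TLS case refers to the same client as `mds_clp->cl_nconnect` two lines below it, and the nfs3client.c version of this switch uses mds_clp for both; using mds_clp here as well keeps the two functions textually identical and easier to diff. As in nfs3client.c, the `ds_proto = XPRT_TRANSPORT_TCP;` fallback happens after cl_init has been initialized, so if cl_init.proto is derived from ds_proto in that initializer (not visible in this hunk) it needs to be refreshed after the switch, or the client will be created with a TCP_TLS proto and an RPC_XPRTSEC_NONE policy.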
--
Chuck Lever
Thread overview:
2025-10-19 0:10 [PATCH 0/4] TLS fixes for 6.18 Trond Myklebust
2025-10-19 0:10 ` [PATCH 1/4] pnfs: Fix TLS logic in _nfs4_pnfs_v3_ds_connect() Trond Myklebust
2025-10-19 0:10 ` [PATCH 2/4] pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect() Trond Myklebust
2025-10-19 0:10 ` [PATCH 3/4] pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS Trond Myklebust
2025-10-19 17:11 ` Chuck Lever [this message]
2025-10-19 0:10 ` [PATCH 4/4] NFS: Check the TLS certificate fields in nfs_match_client() Trond Myklebust