* [newbie] NFS client: port-unreachable
From: Roland Kuhn @ 2001-06-01 17:04 UTC (permalink / raw)
To: linux-kernel
Hi folks!
When I lstat64 a directory on an nfs mount the answer to GETATTR is
received by the network interface but dropped (not seen by the client)
afterwards. Only 50musec after the receive of the answer an
icmp-destination-unreachable (port-unreachable) goes out to the server.
This is annoying since it blocks all access to that directory.
The request in question is sent and received at port 772.
I'm using kernel 2.4.4.
Please help,
Roland
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [newbie] NFS client: port-unreachable
From: Trond Myklebust @ 2001-06-01 18:22 UTC (permalink / raw)
To: Roland Kuhn; +Cc: linux-kernel
>>>>> " " == Roland Kuhn <rkuhn@e18.physik.tu-muenchen.de> writes:
> Hi folks! When I lstat64 a directory on an nfs mount the
> answer to GETATTR is received by the network interface but
> dropped (not seen by the client) afterwards. Only 50musec after
> the receive of the answer an icmp-destination-unreachable
> (port-unreachable) goes out to the server. This is annoying
> since it blocks all access to that directory. The request in
> question is sent and received at port 772.
> I'm using kernel 2.4.4.
You probably have set ipchains or ipfilter to block port 772 on your
client.
Cheers,
Trond
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [newbie] NFS client: port-unreachable
From: Roland Kuhn @ 2001-06-02 21:04 UTC (permalink / raw)
To: Trond Myklebust; +Cc: linux-kernel
On 1 Jun 2001, Trond Myklebust wrote:
> > (port-unreachable) goes out to the server. This is annoying
> > since it blocks all access to that directory. The request in
> > question is sent and received at port 772.
>
> > I'm using kernel 2.4.4.
>
> You probably have set ipchains or ipfilter to block port 772 on your
> client.
No, I have no port specific rules in the firewall (iptables), but this
machine does SNAT for 32 other linux boxes which also get some directories
from the same server (including YP). I had some trouble with the
YPSERV-calls until I bound two more IPs to the network card and
masqueraded the 32 boxes via these additional addresses. What might happen
is that the specific port gets allocated by some port remapping in
iptables during the request, but I don't see why this should happen only
for specific directories (e.g. /home works and /compass doesn't while
both are from the same server).
Ciao,
Roland
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [newbie] NFS client: port-unreachable
From: Trond Myklebust @ 2001-06-02 22:15 UTC (permalink / raw)
To: Roland Kuhn; +Cc: linux-kernel
>>>>> " " == Roland Kuhn <rkuhn@e18.physik.tu-muenchen.de> writes:
> No, I have no port specific rules in the firewall (iptables),
> but this machine does SNAT for 32 other linux boxes which also
> get some directories from the same server (including YP). I had
> some trouble with the YPSERV-calls until I bound two more IPs
> to the network card and masqueraded the 32 boxes via these
> additional addresses. What might happen is that the specific
> port gets allocated by some port remapping in iptables during
> the request, but I don't see why this should happen only for
> specific directories (e.g. /home works and /compass doesn't
> while both are from the same server).
Are /home and /compass on the same mount point on the client though?
If not, then they won't share the same port.
IOW: they will only share the same port if you have '/' as the NFS
mountpoint.
Cheers,
Trond
^ permalink raw reply [flat|nested] 5+ messages in thread
* iptables port remapping problem (was: [newbie] NFS client: port-unreachable)
From: Roland Kuhn @ 2001-06-03 15:56 UTC (permalink / raw)
To: Trond Myklebust; +Cc: linux-kernel
On Sun, 3 Jun 2001, Trond Myklebust wrote:
> Are /home and /compass on the same mount point on the client though?
> If not, then they won't share the same port.
>
> IOW: they will only share the same port if you have '/' as the NFS
> mountpoint.
When I mount via nfs each mount gets its own local port to communicate
with the server. Looking at /proc/net/ip_conntrack I see that one such
port (797) got remapped to 772, so I see packets emerging from 772 and
getting back from the server, but the mapping is not done upon receive, so
that it does not reach port 797 (where it originally came from) but port
772 which has no process attached. This results in an ICMP_PORT_UNREACH to
the server and an nfs client not getting an answer. This problem can be
cured by 'rmmod ip_conntrack' and restarting the firewall, which is not a
good solution.
My conclusion: Either iptables has a problem when remapping ports under
moderate load (several RPCs masqueraded per second) or the nfs-client does
not properly reserve the local port when mounting.
BTW: I use util-linux-2.11d but still get 'nfs warning: mount version
older than kernel'.
DETAILS: I have a DECstation being nis domain server and nfs server for
/home, /compass, /usr/local and some other things (all different
directories on the server, I have given the mount points for the clients).
There are a dozen clients being served without problems, mostly running
2.2.14 (RedHat 6.2), some 2.4.2 (SuSE 7.1). Besides I have another server
(RedHat 7.1, kernel 2.4.4 with knfsd-reiserfs-patch from namesys.com),
which also mounts /home and /compass from the DEC and serves some internal
disk space to a linux cluster (RedHat 6.2). This server has IP 217, but
masquerades (via iptables -j SNAT) the cluster as having IPs 218 or 219
(roughly half of the 32 machines on each address), since the cluster
machines have no other connection to the internet because we ran out of
IPs.
Ciao,
Roland
+-----------------------------------------------------+
| Tel.: 089/32649332 0561/873744 |
| in Radeberger Weg 8 Am Fasanenhof 16 |
| 85748 Garching 34125 Kassel |
+---------------------------+-------------------------+
| Physik-Department E18 | Raum 3558 |
| James-Franck-Str. | Telefon 089/289-12592 |
| 85747 Garching | |
+---------------------------+-------------------------+
| May the Source be with you! |
+-----------------------------------------------------+
^ permalink raw reply [flat|nested] 5+ messages in thread
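Added example, not part of the thread: a check over /proc/net/ip_conntrack-style text for the symptom described in the last message, a locally originated flow whose source port has been rewritten (797 seen on the wire as 772). The sample lines are constructed, the addresses are placeholders, and the field layout is assumed to be the usual 2.4 ip_conntrack one.

```python
import re

# Constructed sample in the /proc/net/ip_conntrack layout (addresses are
# placeholders; ports 797 and 772 are the ones reported in the thread).
SAMPLE = """\
udp      17 25 src=192.0.2.217 dst=192.0.2.10 sport=797 dport=2049 src=192.0.2.10 dst=192.0.2.217 sport=2049 dport=772 [ASSURED] use=1
udp      17 28 src=192.0.2.217 dst=192.0.2.10 sport=795 dport=2049 src=192.0.2.10 dst=192.0.2.217 sport=2049 dport=795 [ASSURED] use=1
udp      17 12 src=10.0.0.5 dst=192.0.2.10 sport=797 dport=2049 [UNREPLIED] src=192.0.2.10 dst=192.0.2.218 sport=2049 dport=797 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.217 dst=192.0.2.10 sport=1022 dport=22 src=192.0.2.10 dst=192.0.2.217 sport=22 dport=1022 [ASSURED] use=1
"""

TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse(line):
    """Return (proto, original_tuple, reply_tuple), or None for other lines."""
    tuples = TUPLE.findall(line)
    if len(tuples) != 2:
        return None  # ICMP and malformed entries carry no port pair
    orig, reply = [(s, d, int(sp), int(dp)) for s, d, sp, dp in tuples]
    return line.split()[0], orig, reply


def remapped_local_ports(text, local_addrs):
    """Find locally originated flows whose source port NAT has rewritten.

    The reply tuple's dport is the port the peer answers to. If it differs
    from the original sport, the answer reaches the socket only when
    conntrack translates it back on receive.
    """
    hits = []
    for line in text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        proto, (src, dst, sport, dport), (_, _, _, reply_dport) = parsed
        if src in local_addrs and sport != reply_dport:
            hits.append((proto, dst, dport, sport, reply_dport))
    return hits


if __name__ == "__main__":
    for proto, dst, dport, sport, wire in remapped_local_ports(SAMPLE, {"192.0.2.217"}):
        print(f"{proto} to {dst}:{dport}: socket port {sport} appears on the wire as {wire}")
```

Any hit for the host's own address is a flow that depends on the reverse translation; comparing the reported wire port against the host's bound sockets shows whether a reply that misses that translation has anywhere to land.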