From: Trond Myklebust <trond.myklebust@fys.uio.no>
To: netdev@oss.sgi.com
Subject: [Fwd: [Bug 5644] New: NFS v3 TCP 3-way handshake incorrect, iptables blocks access]
Date: Wed, 23 Nov 2005 12:51:16 -0500 [thread overview]
Message-ID: <1132768276.8016.31.camel@lade.trondhjem.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 151 bytes --]
Sorry to be cross-posting, but does this bug ring any bells? I'm having
trouble seeing how the sunrpc server code could be at fault.
Cheers,
Trond
[-- Attachment #2: Forwarded message - [Bug 5644] New: NFS v3 TCP 3-way handshake incorrect, iptables blocks access --]
[-- Type: message/rfc822, Size: 4262 bytes --]
From: bugme-daemon@bugzilla.kernel.org
To: trond.myklebust@fys.uio.no
Subject: [Bug 5644] New: NFS v3 TCP 3-way handshake incorrect, iptables blocks access
Date: Wed, 23 Nov 2005 08:03:52 -0800
Message-ID: <200511231603.jANG3qDT026280@fire-2.osdl.org>
http://bugzilla.kernel.org/show_bug.cgi?id=5644
Summary: NFS v3 TCP 3-way handshake incorrect, iptables blocks
access
Kernel Version: 2.6.14
Status: NEW
Severity: blocking
Owner: trond.myklebust@fys.uio.no
Submitter: jl-icase@comcast.net
Most recent kernel where this bug did not occur:
Distribution: Can't remember, possibly FC2.
Hardware Environment:
Software Environment:
Problem Description:
Steps to reproduce:
1. Boot NFS v3 TCP client running iptables & mount NFS filesystem
2. Do a normal NFS client reboot & try mounting the same filesystem again
3. Experience intermittent failure to read superblock
The cause of this problem is NFS server's improper response to SYN packet sent
by the client. This occurs *after* successful client authorization, when the
client tries to open the connection (i.e. sends SYN to the server's nfs port) to
read the superblock. The server (sometimes) responds with a pure ACK without
the SYN bit set. This is blocked by iptables -- thus, mount fails with a "could
not read superblock" message.
Here is an excerpt from ethereal log:
3 0.021733 client SERVER TCP 800 > nfs [SYN]
Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=24095 TSER=0 WS=2
4 0.021846 SERVER client TCP nfs > 800 [ACK]
Seq=9138391 Ack=3580883479 Win=16022 Len=0 TSV=244936050 TSER=1149400
5 0.021864 client SERVER ICMP Destination
unreachable (Host administratively prohibited)
The above problem occurs with a very simple default+ssh iptables configuration.
Disabling iptables on the client makes the problem go away. Even with iptables
active, there is no problem when nfsd responds with a proper [SYN,ACK] instead
of just pure ACK (this happens intermittently after the client reboot).
Please fix nfsd so that it reliably responds to SYN packets with proper
[SYN,ACK] packets instead of just ACK packets. Apparently, nfsd state doesn't
get properly reset on client reboots. Other people have reported autofs
failures which may be related (e.g. on remounts).
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
reply other threads:[~2005-11-23 17:51 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1132768276.8016.31.camel@lade.trondhjem.org \
--to=trond.myklebust@fys.uio.no \
--cc=netdev@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox