diff mbox

Problems mounting via UDP from a netapp with multiple interfaces

Message ID CALs61ucnKU5J8NJ-unJNsYw_zsPb+_aYbLqndc0yEbtirixqhw@mail.gmail.com (mailing list archive)
State New, archived
Headers show

Commit Message

Gregory Boyce April 14, 2015, 7:39 p.m. UTC 
On Tue, Apr 14, 2015 at 3:37 PM, Gregory Boyce <gregory.boyce@gmail.com> wrote:
> On Fri, Apr 10, 2015 at 3:04 PM Gregory Boyce <gregory.boyce@gmail.com>
> wrote:
>>
>> On Fri, Apr 10, 2015 at 2:45 PM, Trond Myklebust
>> <trond.myklebust@primarydata.com> wrote:
>>
>> > No. You are not supposed to be able to work around security issues,
>> > and it is indeed a security issue when a client gets a reply from an
>> > IP address that it does not recognise as being the same as the one it
>> > sent an RPC to.
>>
>> "Working around" security issues is a rather common and accepted
>> practice when there are mitigating controls in place.  It's never a
>> black and white world.
>>
>
>
> The attached patch was able to work around the issue for us until we can get
> the filers working in a more expected manner.  I'm sending it along in case
> anyone else can find a use for it, or if you want to apply it in order to
> give people an option for cases like this.

Re-sending since Google Inbox likes to default to HTML e-mail.

Comments

Steve Dickson April 17, 2015, 5:56 p.m. UTC | #1 
On 04/14/2015 03:39 PM, Gregory Boyce wrote:
> On Tue, Apr 14, 2015 at 3:37 PM, Gregory Boyce <gregory.boyce@gmail.com> wrote:
>> On Fri, Apr 10, 2015 at 3:04 PM Gregory Boyce <gregory.boyce@gmail.com>
>> wrote:
>>>
>>> On Fri, Apr 10, 2015 at 2:45 PM, Trond Myklebust
>>> <trond.myklebust@primarydata.com> wrote:
>>>
>>>> No. You are not supposed to be able to work around security issues,
>>>> and it is indeed a security issue when a client gets a reply from an
>>>> IP address that it does not recognise as being the same as the one it
>>>> sent an RPC to.
>>>
>>> "Working around" security issues is a rather common and accepted
>>> practice when there are mitigating controls in place.  It's never a
>>> black and white world.
>>>
>>
>>
>> The attached patch was able to work around the issue for us until we can get
>> the filers working in a more expected manner.  I'm sending it along in case
>> anyone else can find a use for it, or if you want to apply it in order to
>> give people an option for cases like this.
> 
> Re-sending since Google Inbox likes to default to HTML e-mail.
> 
Could you please resend this patch using the proper Sign-off-by,
subject and description formats as describe in 
   https://www.kernel.org/doc/Documentation/SubmittingPatches

steved.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff -ru nfs-utils-1.2.5.orig/utils/mount/stropts.c nfs-utils-1.2.5/utils/mount/stropts.c
--- nfs-utils-1.2.5.orig/utils/mount/stropts.c	2015-04-13 22:43:20.000000000 +0000
+++ nfs-utils-1.2.5/utils/mount/stropts.c	2015-04-13 22:47:30.000000000 +0000
@@ -497,6 +497,14 @@ 
 	struct pmap mnt_pmap;
 
 	/*
+	 * "norewriteopts" option bypasses the options rewriting
+	 */
+	if (po_contains(options, "norewriteopts") == PO_FOUND) {
+		po_remove_all(options, "norewriteopts");
+		return 1;
+	}
+
+	/*
 	 * Version and transport negotiation is not required
 	 * and does not work for RDMA mounts.
 	 */