From patchwork Tue Apr 14 19:39:45 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gregory Boyce <gregory.boyce@gmail.com>
X-Patchwork-Id: 6217551
Return-Path: <linux-nfs-owner@kernel.org>
X-Original-To: patchwork-linux-nfs@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 27DA89F313
	for <patchwork-linux-nfs@patchwork.kernel.org>;
	Tue, 14 Apr 2015 19:39:49 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 85E3C201F4
	for <patchwork-linux-nfs@patchwork.kernel.org>;
	Tue, 14 Apr 2015 19:39:48 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id CF2B6201D3
	for <patchwork-linux-nfs@patchwork.kernel.org>;
	Tue, 14 Apr 2015 19:39:47 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754136AbbDNTjq (ORCPT
	<rfc822;patchwork-linux-nfs@patchwork.kernel.org>);
	Tue, 14 Apr 2015 15:39:46 -0400
Received: from mail-ig0-f180.google.com ([209.85.213.180]:38048 "EHLO
	mail-ig0-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754134AbbDNTjp (ORCPT
	<rfc822; linux-nfs@vger.kernel.org>); Tue, 14 Apr 2015 15:39:45 -0400
Received: by igbqf9 with SMTP id qf9so23900938igb.1
	for <linux-nfs@vger.kernel.org>; Tue, 14 Apr 2015 12:39:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type;
	bh=NKqUJWtUu6nhEJMJvQkeD6Oac9ET5wkncJ07dLS6lxs=;
	b=cLdETF+mkGTxUNwG1wCO93PNynIYQFQUUM0Htgm/XnuqhuR5ehBJCklbiwmrTTmAeF
	huap23+LTExUTv6Ea0cKtzFJUJB6WqEFfUTXQSOWAHv9zfXrbVfa+It57TnD6T0IsArn
	5SJ0oSNt1Wn/Kdiw+2ETqTKc3NP8rJhsmbs2Y//h+5u8HzerAL/GRgYQutzQdlH6+e55
	43++TIJDUEP0hYHf3I8OyPocNVTxP1n6QPDXWLAgYB1XnXypBJeqLJQbVf2WOW4/hNTN
	FRGswStdBhVX81StvSn9W7KacPg8Ly+yEKRoo6Md+iCDdgsTd5Gggxuocwcq5ubbcyJh
	tpIQ==
MIME-Version: 1.0
X-Received: by 10.50.143.106 with SMTP id sd10mr26391893igb.17.1429040385349;
	Tue, 14 Apr 2015 12:39:45 -0700 (PDT)
Received: by 10.36.7.16 with HTTP; Tue, 14 Apr 2015 12:39:45 -0700 (PDT)
In-Reply-To: 
 <CALs61ue2HBxv6bJrGFoDj43vaYc_Jxf4-RJJ-vRBy9j2wn+tXA@mail.gmail.com>
References: 
 <CALs61ueTJ4_WT00Sqz5TKzhkbrS32UjcQ0zVw6B8ikahE4Rhcw@mail.gmail.com>
	<CAHQdGtSbn643SVAZ2Y_VzxmS_b-9=+pqPGWGoHtt25hpHpygLw@mail.gmail.com>
	<CALs61uewbb28BcZ=d_qaYWtvUt5-xLGkn1uMXWhpjb_38f8ZtQ@mail.gmail.com>
	<CAHQdGtSZcNj40YFYbKVL7M5ZtBgD278e6ifqM1hpb6BadU4j5A@mail.gmail.com>
	<CALs61udukSrCsDYTyohSQdwbtcvvW672=+Qyit56iTE3qViSSw@mail.gmail.com>
	<CALs61ue2HBxv6bJrGFoDj43vaYc_Jxf4-RJJ-vRBy9j2wn+tXA@mail.gmail.com>
Date: Tue, 14 Apr 2015 15:39:45 -0400
Message-ID: 
 <CALs61ucnKU5J8NJ-unJNsYw_zsPb+_aYbLqndc0yEbtirixqhw@mail.gmail.com>
Subject: Re: Problems mounting via UDP from a netapp with multiple interfaces
From: Gregory Boyce <gregory.boyce@gmail.com>
To: Trond Myklebust <trond.myklebust@primarydata.com>
Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Sender: linux-nfs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org
X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, T_DKIM_INVALID,
	T_RP_MATCHES_RCVD,
	T_TVD_MIME_EPI,UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

On Tue, Apr 14, 2015 at 3:37 PM, Gregory Boyce <gregory.boyce@gmail.com> wrote:
> On Fri, Apr 10, 2015 at 3:04 PM Gregory Boyce <gregory.boyce@gmail.com>
> wrote:
>>
>> On Fri, Apr 10, 2015 at 2:45 PM, Trond Myklebust
>> <trond.myklebust@primarydata.com> wrote:
>>
>> > No. You are not supposed to be able to work around security issues,
>> > and it is indeed a security issue when a client gets a reply from an
>> > IP address that it does not recognise as being the same as the one it
>> > sent an RPC to.
>>
>> "Working around" security issues is a rather common and accepted
>> practice when there are mitigating controls in place.  It's never a
>> black and white world.
>>
>
>
> The attached patch was able to work around the issue for us until we can get
> the filers working in a more expected manner.  I'm sending it along in case
> anyone else can find a use for it, or if you want to apply it in order to
> give people an option for cases like this.

Re-sending since Google Inbox likes to default to HTML e-mail.

diff -ru nfs-utils-1.2.5.orig/utils/mount/stropts.c nfs-utils-1.2.5/utils/mount/stropts.c
--- nfs-utils-1.2.5.orig/utils/mount/stropts.c	2015-04-13 22:43:20.000000000 +0000
+++ nfs-utils-1.2.5/utils/mount/stropts.c	2015-04-13 22:47:30.000000000 +0000
@@ -497,6 +497,14 @@
 	struct pmap mnt_pmap;
 
 	/*
+	 * "norewriteopts" option bypasses the options rewriting
+	 */
+	if (po_contains(options, "norewriteopts") == PO_FOUND) {
+		po_remove_all(options, "norewriteopts");
+		return 1;
+	}
+
+	/*
 	 * Version and transport negotiation is not required
 	 * and does not work for RDMA mounts.
 	 */