When attempting to mount a remote file share using NFSv3, portmapper calls use UDP even when TCP is explicitly specified. Using the port= option would be a satisfactory workaround but that doesn't eliminate portmapper calls. Expected behavior: TCP explicitly specified means TCP everywhere. Repro: 1. Start tcpdump with capture filter "port 111". 2. Attempt to mount an NFS share with proto=tcp. 3. The tcpdump contains UDP traffic to the remote portmapper when TCP is expected. 4. Block outgoing UDP/111 from the client. (I guess this one's not strictly necessary.) 5. Repeat #2 but add port=2049 to the mount options. 6. The tcpdump contains a successful NULL call but the client immediately tried contacting the portmapper on UDP to get the mount port. This prevents using Azure Blob Storage NFS, and I suspect there are some bad and hard-to-get-fixed firewall configurations out there since Linux's behavior is to use TCP for portmapper in this case.
Well, here's what the code in rpcb_getaddr(), found in lib/libc/rpc/rpcb_clnt.c looks like: /* * Try UDP only - there are some portmappers out * there that use UDP only. */ if (strcmp(nconf->nc_proto, NC_TCP) == 0) { struct netconfig *newnconf; if ((newnconf = getnetconfigent("udp")) == NULL) { rpc_createerr.cf_stat = RPC_UNKNOWNPROTO; return (NULL); } client = getclnthandle(host, newnconf, &parms.r_addr); freenetconfigent(newnconf); } else { client = getclnthandle(host, nconf, &parms.r_addr); } Pretty obvious why it uses UDP. Now, this code is only compiled into rpcb_clnt.c when PORTMAP is defined. It is defined in lib/libc/rpc/Makefile.inc. (I suspect taking -DPORTMAP out of this Makefile.inc would make it use TCP, once you rebuild libc from the sources and link mount_nfs to that.) I may try this, but I do not have an easy way to do so, since my systems are old laptops with very little storage (ok for building a kernel, but not for "make buildworld", etc). Then the problem is that this change affects everyone. I do not see a way to only enable it based on a new mount option. So what happens if this breaks a mount for someone else? That would be a POLA violation, since the code has been like this for decades, I suspect? It would be best for you to patch this for youyr local systems, although I will ask on the freebsd-fs@ mailing list, to see what others think of making this change?
Created attachment 237626 [details] Modify rpcb_getaddr() so that it might use TCP for the Portmapper This patch comments out the code in rpcb_getaddr() that forces use of UDP. Although not yet tested, I believe this will make the function use TCP if the nconf argument specifies TCP. (I am working on getting a build done to test this.) I did this instead of deleting -DPORTMAP from Makefile.inc because Linux still uses Portmapper Version 2 protocol and deleting -DPORTMAP would disable Version 2. As such, this patch results in less change and, therefore, less likelyhood of causing a POLA violation. Hopefully the reporter can test this for the Azure mount case?
I just tested the patch in the attachment and the portmapper calls were done over TCP. (The build only took 36.5hrs.) I am now waiting for feedback w.r.t. whether or not this can go into the repo. (The RFC email request is on freebsd-fs@. If I don't get any responses, I'll try posting it on freebsd-current@.)
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=032b04626b671ec16deacd479569998b96c96142 commit 032b04626b671ec16deacd479569998b96c96142 Author: Rick Macklem <rmacklem@FreeBSD.org> AuthorDate: 2022-11-13 20:16:06 +0000 Commit: Rick Macklem <rmacklem@FreeBSD.org> CommitDate: 2022-11-13 20:16:06 +0000 rpcb_clnt.c: Do not force use of UDP Without this patch, the code in the rpcbind client forces the use of UDP. A comment notes that some rpcbind servers only support UDP. This makes NFSv3 mounts to Azure servers impossible, since they require use of TCP for rpcbind. Since the comment is very old (imported from NetBSD in 2001) and I do not believe any UDP only rpcbind servers will still exist, this patch comments out the code that forces use of UDP, so that NFSv3 mounts to Azure servers can work. For an NFSv3 mount, the "udp" mount option will still make mount_nfs use UDP for rpcbind so that can be used as a workaround for any old NFSv3 server that only supports rpcbind over UDP (if any such server still exists). I asked if doing this change is appropriate on freebsd-fs@ and I only got one reply (off list) that supported doing the change. PR: 267301 MFC after: 1 month lib/libc/rpc/rpcb_clnt.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)
The patch has been committed to main and will be MFC'd in one month to stable/13 (in time for 13.2). I would still like to hear from the reporter w.r.t. this patch allowing Azure NFSv3 mounts to work, since I have no way to test against Azure servers. Use of the "udp" NFS mount option can be used as a workaround, for anyone who has a NFSv3 server where the rpcbind server will only handle UDP.
Sorry for the delayed response. I just tried your patch in 13.1-RELEASE-p3 and it works as expected.
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=a3c07a933d5cb71a6d58cc9f0ecb5385a5e0ea29 commit a3c07a933d5cb71a6d58cc9f0ecb5385a5e0ea29 Author: Rick Macklem <rmacklem@FreeBSD.org> AuthorDate: 2022-11-13 20:16:06 +0000 Commit: Rick Macklem <rmacklem@FreeBSD.org> CommitDate: 2022-12-16 21:23:49 +0000 rpcb_clnt.c: Do not force use of UDP Without this patch, the code in the rpcbind client forces the use of UDP. A comment notes that some rpcbind servers only support UDP. This makes NFSv3 mounts to Azure servers impossible, since they require use of TCP for rpcbind. Since the comment is very old (imported from NetBSD in 2001) and I do not believe any UDP only rpcbind servers will still exist, this patch comments out the code that forces use of UDP, so that NFSv3 mounts to Azure servers can work. For an NFSv3 mount, the "udp" mount option will still make mount_nfs use UDP for rpcbind so that can be used as a workaround for any old NFSv3 server that only supports rpcbind over UDP (if any such server still exists). I asked if doing this change is appropriate on freebsd-fs@ and I only got one reply (off list) that supported doing the change. PR: 267301 (cherry picked from commit 032b04626b671ec16deacd479569998b96c96142) lib/libc/rpc/rpcb_clnt.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)
Patch has been committed and MFC'd.