[linux] Force mountd to use UDP

zanfur at zanfur.com zanfur at zanfur.com
Thu Dec 2 14:46:08 PST 2004


Michal:

The rpc.mountd daemon registers program 100005 (mountd) with the
portmapper, not 100003 (nfs). This is the daemon that handles the mount
rpc call, but the nfs daemon handles the nfs requests -- so you can have a
tcp mount request that mounts nfs over udp, for example.

To disable nfs over tcp functionality, you need to set CONFIG_NFSD_TCP=N
in the kernel configuration and recompile the module. You will of course
have to set CONFIG_NFSD equal to M or Y for this to work. I recommend
compiling it as a module twice, once with the tcp option turned on and
once with it turned off, so you can choose at a whim which one to load at
any given time.

However, this isn't necessary to stop it from exporting over tcp. The
problem is that portmap is advertising nfs over tcp -- the kernel can
allow it all it wants, but if the rpcinfo call returns just the udp
services, that's all that will get used. There's a trick to unregistering
particular portmap services (blank lines added between commands for
clarity):

# rpcinfo -u localhost 100003
program 100003 version 2 ready and waiting
program 100003 version 3 ready and waiting

# rpcinfo -t localhost 100003
program 100003 version 2 ready and waiting
program 100003 version 3 ready and waiting

# pmap_dump
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100005 1 udp 769 mountd
100005 1 tcp 772 mountd
100005 2 udp 769 mountd
100005 2 tcp 772 mountd
100005 3 udp 769 mountd
100005 3 tcp 772 mountd
100024 1 udp 863 status
100024 1 tcp 866 status

# pmap_dump | egrep -v '100003.*tcp' > /tmp/pmap_dump.out

# /etc/init.d/portmap stop

# /etc/init.d/portmap start

# pmap_dump
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper

# pmap_set < /tmp/pmap_dump.out

# pmap_dump
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100005 1 udp 769 mountd
100005 1 tcp 772 mountd
100005 2 udp 769 mountd
100005 2 tcp 772 mountd
100005 3 udp 769 mountd
100005 3 tcp 772 mountd
100024 1 udp 863 status
100024 1 tcp 866 status

# rpcinfo -u localhost 100003
program 100003 version 2 ready and waiting
program 100003 version 3 ready and waiting

# rpcinfo -t localhost 100003
rpcinfo: RPC: Program not registered
program 100003 is not available

And voilà! No more registered nfs over tcp, so no more exports over tcp.
To make it do that at boot, add the key lines of that to rc.local (these
are all you really need, the rest of the above was just information
commands to show the before and after states):

# pmap_dump | egrep -v '100003.*tcp' > /tmp/pmap_dump.out

# /etc/init.d/portmap stop

# /etc/init.d/portmap start

# pmap_set < /tmp/pmap_dump.out

Cheers!
-robin


On Wed, Dec 01, 2004 at 05:54:22PM -0800, Michal wrote:

> I posted this question to comp.protocol.nfs this morning, but things
> are slow there.. so I'm hoping someone here can chime in with a clue.
> Thanks!
>
> ---
>
> My goal is to configure a server to avoid exporting its files over
> TCP. I want to force UDP.
>
> The server is Fedora Core 1, Linux kernel 2.4.22. On this server,
> "/usr/sbin/rpcinfo -p | grep nfs" reports:
>
> 100003 2 udp 2049 nfs
> 100003 3 udp 2049 nfs
> 100003 2 tcp 2049 nfs
> 100003 3 tcp 2049 nfs
>
> I modified the script /etc/init.d/nfs which starts NFS services such
> that rpc.mountd is started with the "--no-tcp" argument. The
> rpc.mountd documentation says this means "Don't advertise TCP for
> mount." Yet, rpcinfo still reports NFS services for both UDP and TCP.
> Mounting its exports on remote systems causes them to be mounted with
> "proto=tcp".
>
> There is another NFS server with an older version of Linux (2.4.18)
> running RedHat 7.3. Running "rpcinfo -p | grep nfs" on it reports:
>
> 100003 2 udp 2049 nfs
> 100003 3 udp 2049 nfs
>
> Mounting its exports on remote systems causes them to be mounted with
> "proto=udp".
>
> I don't know what else to try on the FC1 box to force it to stop
> servicing NFS/TCP services.
>
> Can anyone help?
>
> -Michal


--

Robin Battey
zanfur at zanfur.com

Messages from this address are signed with key 0x6A57B07D. Fingerprint:
3914 F63C A99C 8EC1 785B 8287 1D8B D2F3 6A57 B07D
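
Added example (not part of the original message or thread): a field-exact variant of the `egrep -v '100003.*tcp'` filter from the message above, with a check that no nfs/tcp entry remains in the table before it would be handed to pmap_set. The sample table, the `1100003` entry and the function names are constructed for illustration; the check covers only what the portmapper advertises, not whether anything still listens on TCP port 2049.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original message.

# Constructed sample in pmap_dump format: program version protocol port name.
# The last line (program 1100003) is made up to show a regex false match.
sample_dump() {
cat <<'EOF'
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100005 1 udp 769 mountd
100005 1 tcp 772 mountd
1100003 1 tcp 4045 example
EOF
}

# The pattern used in the message: matches "100003" anywhere before "tcp".
loose_filter() {
    grep -Ev '100003.*tcp'
}

# Field-exact filter: drop only lines whose program number is $1 and
# whose protocol is $2; everything else passes through unchanged.
drop_registration() {
    awk -v prog="$1" -v proto="$2" '!($1 == prog && $3 == proto)'
}

# Print how many registrations exist for program $1 over protocol $2.
count_registrations() {
    awk -v prog="$1" -v proto="$2" \
        '$1 == prog && $3 == proto { n++ } END { print n + 0 }'
}

# Build the table to restore and refuse to continue if nfs/tcp survives.
filtered=$(sample_dump | drop_registration 100003 tcp)
if [ "$(printf '%s\n' "$filtered" | count_registrations 100003 tcp)" -ne 0 ]; then
    echo "nfs over tcp is still registered" >&2
    exit 1
fi
printf '%s\n' "$filtered"   # on a real host this would be piped to pmap_set
```

On the constructed sample the loose pattern also removes the unrelated `1100003` line, while the field match removes only the two nfs/tcp entries.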