rpcbind allowed port range on linux

rpcbind allowed port range on linux

[Joachim Banzhaf]

Hi list,

my problem is, rpcbind gave a tcp port to nlockmgr where I assumed
this port is reserved.

Now, I didn't find the spec that says which ports rpcbind is allowed
to use, but I thought it is the ephemeral ports, on linux defined with
the range in kernel configuration net.ipv4.ip_local_reserved_ports
minus exclusions from net.ipv4.ip_local_reserved_ports.

So, my questions are
1) Is my assumption about allowed ports correct?
2) If not: how can I define that range?
3) If yes: was there a fix for that since my rather old SLES 12
version rpcbind-0.2.1_rc4 (kernel 3.12.55)? I didn't find something
obvious to me in the changelog.

Bonus question: would it have been safe/possible to free up the port,
e.g. with rpcbind -d? I only found out about that option after a
reboot...

BR,
Joachim

(please keep me in cc)

Re: rpcbind allowed port range on linux

[NeilBrown]

[-- Attachment #1: Type: text/plain, Size: 1734 bytes --]

On Fri, Dec 02 2016, Joachim Banzhaf wrote:

> Hi list,
>
> my problem is, rpcbind gave a tcp port to nlockmgr where I assumed
> this port is reserved.

That isn't how it works. rpcbind doesn't give ports to anyone.

lockd chooses a port, and asks rpcbind to register it against the
nlockmgr service.
If lockd is choosing a port that you don't want it to, you need to
get lockd to change its behavior.

One way is to explicitly tell lockd what port to use.  The "--nlm-port"
option to rpc.statd can do this.

By default, a number will be chosen from the range given in
  /proc/sys/net/ipv4/ip_local_port_range 

You can change that range, and that will affect all sockets which don't
ask for an explicit port.

NeilBrown


>
> Now, I didn't find the spec that says which ports rpcbind is allowed
> to use, but I thought it is the ephemeral ports, on linux defined with
> the range in kernel configuration net.ipv4.ip_local_reserved_ports
> minus exclusions from net.ipv4.ip_local_reserved_ports.
>
> So, my questions are
> 1) Is my assumption about allowed ports correct?
> 2) If not: how can I define that range?
> 3) If yes: was there a fix for that since my rather old SLES 12
> version rpcbind-0.2.1_rc4 (kernel 3.12.55)? I didn't find something
> obvious to me in the changelog.
>
> Bonus question: would it have been safe/possible to free up the port,
> e.g. with rpcbind -d? I only found out about that option after a
> reboot...
>
> BR,
> Joachim
>
> (please keep me in cc)
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: rpcbind allowed port range on linux

[Trond Myklebust]

> On Dec 1, 2016, at 19:14, NeilBrown <neilb@suse.com> wrote:
>=20
> On Fri, Dec 02 2016, Joachim Banzhaf wrote:
>=20
>> Hi list,
>>=20
>> my problem is, rpcbind gave a tcp port to nlockmgr where I assumed
>> this port is reserved.
>=20
> That isn't how it works. rpcbind doesn't give ports to anyone.
>=20
> lockd chooses a port, and asks rpcbind to register it against the
> nlockmgr service.
> If lockd is choosing a port that you don't want it to, you need to
> get lockd to change its behavior.
>=20
> One way is to explicitly tell lockd what port to use.  The "--nlm-port"
> option to rpc.statd can do this.
>=20
> By default, a number will be chosen from the range given in
>  /proc/sys/net/ipv4/ip_local_port_range=20
>=20
> You can change that range, and that will affect all sockets which don't
> ask for an explicit port.

Alternatively, you can just pin the port using the kernel parameters interf=
aces:

http://lxr.free-electrons.com/source/Documentation/kernel-parameters.txt#L2=
036

>=20
> NeilBrown
>=20
>=20
>>=20
>> Now, I didn't find the spec that says which ports rpcbind is allowed
>> to use, but I thought it is the ephemeral ports, on linux defined with
>> the range in kernel configuration net.ipv4.ip_local_reserved_ports
>> minus exclusions from net.ipv4.ip_local_reserved_ports.
>>=20
>> So, my questions are
>> 1) Is my assumption about allowed ports correct?
>> 2) If not: how can I define that range?
>> 3) If yes: was there a fix for that since my rather old SLES 12
>> version rpcbind-0.2.1_rc4 (kernel 3.12.55)? I didn't find something
>> obvious to me in the changelog.
>>=20
>> Bonus question: would it have been safe/possible to free up the port,
>> e.g. with rpcbind -d? I only found out about that option after a
>> reboot...
>>=20
>> BR,
>> Joachim
>>=20
>> (please keep me in cc)
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: rpcbind allowed port range on linux

[Joachim Banzhaf]

Hi Neil and Trond, thanks for the infos. Already helped a lot.

My primary goal is not to pin lockd to a specific port.
I want to prevent any ip service that does not ask for a specific port
to use ports I know are needed later for something else.

I thought, the mechanism is (sorry, had a cut&paste error here) by
defining range /proc/sys/net/ipv4/ip_local_port_range minus ports or
ranges in /proc/sys/net/ipv4/ip_local_reserved_ports (as described
here: http://lxr.free-electrons.com/source/Documentation/networking/ip-sysctl.txt#L809).

I wasn't sure, this mechanism is used here, but Neil, you already
confirmed at least part 1, and that is what happened. Just the
exclusion via /proc/sys/net/ipv4/ip_local_reserved_ports has not
worked.
To be specific, the ip_local_port_range is "40000   65299", and
ip_local_reserved_ports includes, among many others, 50000-50628 and
the port to protect but still picked for lockd was 50213.

Unfortunately, choosing another ip_local_port_range outside 50213 is
not possible, because there is no single range left that is big enough
(and there are other ports to protect like this one).

So, either ip_local_reserved_ports is not used (although I think it
should) or it is used but too long (at least sysctl used in SLES 12
has a bug: it cannot display the whole list) or the list is not
defined at the time lockd gets its port (I did not find where this is
defined, it is not in /etc/sysctl.conf, like ip_local_port_range).

BR,
Joachim

Re: rpcbind allowed port range on linux

[Joachim Banzhaf]

mystery solved:

The ip_local_port_range used by rpc services (and others) is set via
/etc/sysctl.conf during boot, and the application that needs ports
from that range sets ip_local_reserved_ports, but later in the boot
process. Too late. I need to solve this there.

Thanks for the support, you put me on the right track.

BR,
Joachim

2016-12-02 9:32 GMT+01:00 Joachim Banzhaf <joachim.banzhaf@googlemail.com>:
> Hi Neil and Trond, thanks for the infos. Already helped a lot.
>
> My primary goal is not to pin lockd to a specific port.
> I want to prevent any ip service that does not ask for a specific port
> to use ports I know are needed later for something else.
>
> I thought, the mechanism is (sorry, had a cut&paste error here) by
> defining range /proc/sys/net/ipv4/ip_local_port_range minus ports or
> ranges in /proc/sys/net/ipv4/ip_local_reserved_ports (as described
> here: http://lxr.free-electrons.com/source/Documentation/networking/ip-sysctl.txt#L809).
>
> I wasn't sure, this mechanism is used here, but Neil, you already
> confirmed at least part 1, and that is what happened. Just the
> exclusion via /proc/sys/net/ipv4/ip_local_reserved_ports has not
> worked.
> To be specific, the ip_local_port_range is "40000   65299", and
> ip_local_reserved_ports includes, among many others, 50000-50628 and
> the port to protect but still picked for lockd was 50213.
>
> Unfortunately, choosing another ip_local_port_range outside 50213 is
> not possible, because there is no single range left that is big enough
> (and there are other ports to protect like this one).
>
> So, either ip_local_reserved_ports is not used (although I think it
> should) or it is used but too long (at least sysctl used in SLES 12
> has a bug: it cannot display the whole list) or the list is not
> defined at the time lockd gets its port (I did not find where this is
> defined, it is not in /etc/sysctl.conf, like ip_local_port_range).
>
> BR,
> Joachim