Bug #13846
open
nfs export to IPv6 and IPv4 fails with wrong error message, share_nfs(1M) manpage update requested
0%
Description
I have a new file server with two interfaces. aggr0 has both IPv4 and IPv6 addresses on it 140.XXX.YYY.ZZZ & 2607:AAAA:BBBB:CCCC:0:DDDD:0:EEEE (referenced below as sharing to 140.XXX.YYY.0/24 and 2607:AAAA:BBBB:CCCC::/64). nas_aggr0 has just an IPv4 address (10.XX.YY.ZZ/24).
The host has OmniOS 151038. I set up and exported a filesystem to nas_aggr0 (@10.XX.YY.0/24) but made an error and tried to mount it via aggr0. Instead of getting the expected mount denied error I got an error about "invalid access list entry: 10.XX.YY.0/24". After correcting the mount to go via nas_aggr0 (which had no problems) I did some testing and found that the 'invlaid access list' error was fairly common where it shouldn't have been presented. All of the below tests were done on aggr0 since it is the only one with both IPv4 and IPv6. In some cases "access denied" might have made sense, in some there should not have been any error at all - presuming the mixing of IPv4 and IPv6 addresses was correct. Since the share_nfs(1M) manpage doesn't mention that I can't be sure that I was or wasn't doing it right.
All errors noted here were logged in /var/adm/messages on the file server.
- testing exporting just to IPv4 subnet
sudo zfs set sharenfs='rw=@140.XXX.YYY.0/24' pool0/exporttest0
v4 mount: mount success, no error logged
v6 mount: rejected as expected
- testing exporting just to IPv6 subnet
sudo zfs set sharenfs='rw=@[2607:AAAA:BBBB:CCCC::]/64' pool0/exporttest0
v4 mount: rejected as expected
v6 mount: mount success, no error logged
- testing using both IPv6 and IPv4 subnet addresses (in that order)
sudo zfs set sharenfs='rw=@[2607:AAAA:BBBB:CCCC::]/64:@140.XXX.YYY.0/24' pool0/exporttest0
v4 mount: mount fail, error logged:
"invalid access list entry: [2607:4000:200:110::]/64"
v6 mount: mount success, no error logged
- testing using both IPv4 and IPv6 subnet addresses (reverse order)
sudo zfs set sharenfs='rw=140.XXX.YYY.0/24:[2607:AAAA:BBBB:CCCC::]/64' pool0/exporttest0
v4 mount: mount success, no error logged
v6 mount: mount fail, error printed:
"invalid access list entry: 140.XXX.YYY.0/24"
- testing exporting to a specific host's name
sudo zfs set sharenfs='rw=specific.host.dom.ain' pool0/exporttest0
v4 mount: mount success, no error logged
v6 mount: mount success, no error logged
- testing using exporting to that host's specific IP addresses:
sudo zfs set sharenfs='rw=140.XXX.YYY.ZZZ:[2607:AAAA:BBBB:CCCC:0:DDDD:0:EEEE]' pool0/exporttest0
v4 mount: mount success, no error logged
v6 mount: mount fail, error logged:
"invalid access list entry: 140.XXX.YYY.DDD"
Part of this testing was complicated by share_nfs(1M) manpage not even mentioning IPv6. It would be useful to update the access_list network section to address IPv6, as well as mixing IPv4 and IPv6.
Updated by Yuri Pankov about 2 years ago
Does the mount really fail or simply logs the warning message?
OK, looks like what I did in #5868 had good intentions, but was done in rather stupid way -- you can't expect all access entries to be for the incoming connection's family. More so, the checks should be in sharenfs handler or the like and not in inet_matchaddr (which should really move out of libnsl).
Though given all the above, it's still not considered a fatal error for the mount.