Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 1 May 2003 12:38:12 -0500 (CDT)
From:      Robert Johannes <rjohanne@piper.hamline.edu>
To:        "Crist J. Clark" <cjc@freebsd.org>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: nfs and ipfw
Message-ID:  <Pine.GSO.4.44.0305011234150.2401-100000@mendeleev.hamline.edu>
In-Reply-To: <20030428211643.GA41761@blossom.cjclark.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
I've tried your suggestion, and even added a log option to the frag rule
below, but I don't see anything being denied or dropped from the
nfsclient.  Instead, the frags are accepted, but it is as if the server
doesn't have anything to say back, and so it never says anything back.
Meanwhile, the nfsclient keeps sending the frag traffic to the
server.

I've not tried the tcp option for nfs yet, my main concern being
performance.  I read that performance for tcp nfs is not on per with udp
nfs.

Any other suggestions?

thanks
robert

On Mon, 28 Apr 2003, Crist J. Clark wrote:

> On Sun, Apr 27, 2003 at 08:08:11PM -0500, Robert Johannes wrote:
> [snip]
>
> > I'm using normal ipfw, with the following rules:
> >
> > allow ip from any to any via lo0
> > deny ip from any to 127.0.0.0/8
> > deny ip from 127.0.0.0/8 to any
> > allow tcp from any to any established
> > allow ip from any to any frag
> > allow tcp from any to any setup
> > allow ip from $nfsclient to $fileserver keep-state
> > allow ip from xx.xx.xx.1 to $fileserver keep-state
> > deny ip from any to any
> >
> >
> > The router/gateway is at xx.xx.xx.254.  I'm able to mount the filesystems
> > from the $fileserver, but I'm not able to write a substantial amount of
> > data to the filesystems; I can create a file by 'touching' one on the nfs
> > filesyste, but I can't copy a big file onto the filesystem.  I have
> > successfully copied a file as big as the /etc/hosts files (a few bytes).
> > >From watching tcpdump, it seems that any time there's significant i/o on
> > the nfs filesystem, the fileserver stops responding, and I note the
> > following lines repeated perhaps a hundred or more times:
> >
> > 15:04:32.619887 $nfsclient > $nfsserver: (frag 7506:340@32560)
> > 15:04:32.619906 $nfsclient > $nfsserver: (frag 7506:1480@31080+)
> > 15:04:32.619934 $nfsclient > $nfsserver: (frag 7506:1480@29600+)
> > 15:04:32.619949 $nfsclient > $nfsserver: (frag 7506:1480@28120+)
> > 15:04:32.619962 $nfsclient > $nfsserver: (frag 7506:1480@26640+)
> > 15:04:32.619975 $nfsclient > $nfsserver: (frag 7506:1480@25160+)
> > 15:04:32.619987 $nfsclient > $nfsserver: (frag 7506:1480@23680+)
> > 15:04:32.619998 $nfsclient > $nfsserver: (frag 7506:1480@22200+)
> > 15:04:32.620009 $nfsclient > $nfsserver: (frag 7506:1480@20720+)
> >
> > At this point I get an "nfs: server $nfsserver not responding, timed out"
> > message logged on the nfsclient.
> >
> > I'm pretty sure it has to do with my ipfw configuration, but I can't
> > pinpoint the problem.  Any ideas?
>
> It looks like those fragments should be passing the 'frag' rule. Check
> if those fragments are really being dropped. Turn on logging in the
> last 'deny' rule to see for sure. If that's not it, the log might give
> you a clue as to what the problem really is anyway.
>
> The possible way around this is to do NFS over TCP which won't
> generate the hella-huge UDP packets.
> --
> Crist J. Clark                     |     cjclark@alum.mit.edu
>                                    |     cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
>



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?Pine.GSO.4.44.0305011234150.2401-100000>