[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <212D08D7-AC22-4857-837A-E72B0A11E8DE@oracle.com>
Date: Tue, 10 Nov 2009 16:34:45 -0500
From: Chuck Lever <chuck.lever@...cle.com>
To: Ben Hutchings <bhutchings@...arflare.com>
Cc: Chris Friesen <cfriesen@...tel.com>,
Trond Myklebust <trond.myklebust@....uio.no>,
netdev@...r.kernel.org, Linux kernel <linux-kernel@...r.kernel.org>
Subject: Re: sunrpc port allocation and IANA reserved list
On Nov 10, 2009, at 4:32 PM, Ben Hutchings wrote:
> On Tue, 2009-11-10 at 15:06 -0600, Chris Friesen wrote:
>> On 11/10/2009 02:26 PM, Trond Myklebust wrote:
>>> On Tue, 2009-11-10 at 12:37 -0600, Chris Friesen wrote:
>>>> On 11/10/2009 11:53 AM, Ben Hutchings wrote:
>>>>> On Tue, 2009-11-10 at 11:43 -0600, Chris Friesen wrote:
>>>>
>>>>>> Given that a userspace application can be stopped and restarted
>>>>>> at any
>>>>>> time, and a sunrpc registration can happen at any time, what is
>>>>>> the
>>>>>> expected mechanism to prevent the kernel from allocating a port
>>>>>> for use
>>>>>> by sunrpc that reserved or well-known?
>>>>>>
>>>>>> Apparently Redhat and Debian have distro-specific ways of
>>>>>> dealing with
>>>>>> this, but is there a standard solution? Should there be?
>>>>>>
>>>>>> The current setup seems suboptimal.
>>>>>
>>>>> I believe both RH and Debian are using the same implementation:
>>>>> <http://cyberelk.net/tim/software/portreserve/>.
>>>>
>>>> That helps with the startup case, but still leaves a possible
>>>> hole if an
>>>> app using a fixed port number is restarted at runtime. During the
>>>> window where nobody is bound to the port, the kernel could randomly
>>>> assign it to someone else.
>>>
>>> Just use /proc/sys/sunrpc/{max,min}_resvport interface to restrict
>>> the
>>> range used to a safer one. That's what it is for...
>
> Unless I'm much mistaken, that only affects in-kernel SunRPC users.
>
>> What constitutes a "safer range"? IANA has ports assigned
>> intermittently all the way through the default RPC range. The
>> largest
>> unassigned range is 922-988 (since 921 is used by lwresd). If
>> someone
>> needs more than 66 ports, how are they supposed to handle it?
>
> I'm sure we could afford 128 bytes for a blacklist of privileged
> ports.
> However, the problem is that there is no API for userland to request
> 'any free privileged port' - it has to just try binding to different
> ports until it finds one available.
bindresvport(3) and bindresvport_sa(3t) ?
> This means that the kernel can't
> tell whether a process is trying to allocate a specifically assigned
> port or whether the blacklist should be applied.
Such a blacklist would have to be managed by glibc or libtirpc.
--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists