
NFS hang after restarting IP tables

  • 27-09-2006 10:58am
    #1
    Registered Users, Registered Users 2 Posts: 101 ✭✭


    With iptables already started, I NFS mount a filesystem using the "proto=tcp" option on, say, "/mnt". I can do a "ls /mnt" with no problem.

    Now, if I restart iptables, my "ls /mnt" will hang for a good long while and eventually time out.

    From the tcpdump output, you can see that the NFS client "njxcsup7nh" is communicating on port 800 with the NFS server "kurby".

    The packet exchange seems to be going fine until, suddenly, the NFS client "njxcsup7nh" decides he is no longer accepting packets to port 800 and sends back an "unreachable - admin prohibited" packet to the NFS server "kurby".

    14:06:35.072687 IP njxcsup7nh.companyname.com.800 > kurby.companyname.com.nfs: P 4196:4328(132) ack 3721 win 18 <nop,nop,timestamp 775808219 2529886660>
    14:06:35.072841 IP kurby.companyname.com.nfs > njxcsup7nh.companyname.com.800: . ack 4328 win 9756 <nop,nop,timestamp 2529886861 775808219,nop,nop,sack sack 1 {4196:4328} >
    14:06:35.072857 IP njxcsup7nh.companyname.com > kurby.companyname.com: icmp 72: host njxcsup7nh.companyname.com unreachable - admin prohibited

    After the "ls /mnt" times out, subsequent "ls /mnt" are successful. That is, unless I restart iptables again.

    As a side note, when I only had one file in "/mnt" I didn't get the hang. So I copied files under "/etc" to "/mnt" and then I get the hang. I have observed that the "unreachable - admin prohibited" message occurs randomly during the packet exchange between the NFS client and the NFS server. That is, sometimes tcpdump shows more packets being exchanged and sometimes it shows fewer packets being exchanged before the rejection occurs.

    This problem does not occur if the "proto=udp" option is used with NFS. This problem has been observed on Red Hat AS 3 as well as Red Hat AS 4.

    Would anyone be able to provide even a guess as to why the NFS client "njxcsup7nh" started to reject packets to port 800 after it had been happily accepting them?

    Thank you.
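
To find this symptom in a longer capture, the following Python script (an added example, not part of the original thread) flags every ICMP "admin prohibited" that a host sends in reply to a TCP segment on a flow it had itself been sending on. The hostnames, the sample trace and the function name `find_rejected_flows` are constructed for illustration, and the input is assumed to be old-style tcpdump text output with one packet per line.

```python
import re

# Constructed sample modelled on the trace in the post; hostnames are placeholders.
SAMPLE = """\
14:06:35.072687 IP client.example.com.800 > server.example.com.nfs: P 4196:4328(132) ack 3721 win 18
14:06:35.072841 IP server.example.com.nfs > client.example.com.800: . ack 4328 win 9756
14:06:35.072857 IP client.example.com > server.example.com: icmp 72: host client.example.com unreachable - admin prohibited
"""

# Old-style tcpdump text: "<time> IP <host>.<port> > <host>.<port>: <flags> ..."
TCP = re.compile(r"^(\S+) IP (\S+)\.(\w+) > (\S+)\.(\w+): [A-Z.]+ ")
ICMP = re.compile(r"^(\S+) IP (\S+) > (\S+): icmp \d+: .*admin prohibited")


def find_rejected_flows(trace):
    """Return one finding per ICMP admin-prohibited that answers a segment
    on a TCP flow the rejecting host had already sent packets on."""
    sent = set()    # (src, sport, dst, dport) of every TCP segment seen so far
    last_in = {}    # (receiver, sender) -> most recent TCP segment toward receiver
    findings = []
    for line in trace.splitlines():
        m = ICMP.match(line)
        if m:
            ts, rejecter, peer = m.groups()
            seg = last_in.get((rejecter, peer))
            # seg is (time, src, sport, dst, dport) of the segment being refused.
            # Only report it if the rejecter used that same 4-tuple outbound.
            if seg and (seg[3], seg[4], seg[1], seg[2]) in sent:
                findings.append({
                    "time": ts,
                    "rejecter": rejecter,
                    "local_port": seg[4],
                    "peer": f"{peer}:{seg[2]}",
                    "rejected_segment_time": seg[0],
                })
            continue
        m = TCP.match(line)
        if m:
            ts, src, sport, dst, dport = m.groups()
            sent.add((src, sport, dst, dport))
            last_in[(dst, src)] = (ts, src, sport, dst, dport)
    return findings


if __name__ == "__main__":
    for f in find_rejected_flows(SAMPLE):
        print(f"{f['time']} {f['rejecter']} refused {f['peer']} -> local port "
              f"{f['local_port']} (segment at {f['rejected_segment_time']})")
```

The reported timestamps can then be lined up against the time iptables was restarted on the rejecting host.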


Comments

  • Registered Users, Registered Users 2 Posts: 2,755 ✭✭✭niallb


    Hi,
    nfs can throw up some odd ones alright.

    Are you talking about rerunning iptables on the client or the server?
    What happens if you restart portmapper after rerunning iptables?
    /etc/init.d/portmap (in AS3 anyway).

    Without knowing what's in the iptables ruleset, it's hard to see.
    Could you post a bit of `iptables-save`?
    How about the output of `rpcinfo -p | grep nfs`
    'nfsstat' may also be useful to you.
    Which version of nfs are you using?

    What OS/distribution/kernel version is "njxcsup7nh" using?
    Is it the RHAS or are both itself and the server running RHAS?

    Questions before answers I know, but I'm interested,
    and I have a few AS3 machines around that I'd like to make
    sure this doesn't happen with. :-)

    NiallB


  • Registered Users, Registered Users 2 Posts: 101 ✭✭ollielaroo


    Hi NiallB,

    I have to apologise for not getting back to you.
    You see I have since left that job I was working in and I'm not on boards.ie very often.

    I was quite junior in that job (Linux clusters) and felt out of my depth in it too.
    Your reply gives me the impression that you seemed very interested and keen to help with my query (which I never had a chance to resolve anyway).

    I just wanted to say thanks for your time.

    ollielaroo

