
I have an OpenBSD server sharing directories through the NFS protocol. After I installed a new version of Ubuntu on the client, I can still mount NFS directories; however, after a (random) time, Nautilus, the ls command, and so on freeze completely. I cannot access my filesystem until I unmount the NFS directory.

I looked for information but nothing helped me.

My server runs pf (without scrub). I use NFSv3 on both sides; rpcinfo and so on work fine. For information, my network communicates via WireGuard.

Could somebody give me an indication of what or where to look?

Thanks.

UPDATE

I think I identified the problem. At some point, the client sends a packet with flag F to the server (tcpdump results):

12:16:45.022393 192.168.100.2.998 > 192.168.100.1.2049: F 141:141(0) ack 117 win 1284 <nop,nop,timestamp 3929122361 2338823414> (DF)

and gets stuck because the following packets are:

12:16:45.022470 192.168.100.1.2049 > 192.168.100.2.998: . ack 142 win 1030 <nop,nop,timestamp 2338823422 3929122361>
12:17:45.187125 192.168.100.2.998 > 192.168.100.1.2049: . ack 117 win 1284 <nop,nop,timestamp 3929182521 2338823422> (DF)
12:17:45.187153 192.168.100.1.2049 > 192.168.100.2.998: . ack 142 win 1030 <nop,nop,timestamp 2338823542 3929182521>
12:18:45.849519 192.168.100.2.998 > 192.168.100.1.2049: . ack 117 win 1284 <nop,nop,timestamp 3929243193 2338823542> (DF)
12:18:45.849548 192.168.100.1.2049 > 192.168.100.2.998: . ack 142 win 1030 <nop,nop,timestamp 2338823664 3929243193>
12:19:47.294335 192.168.100.2.998 > 192.168.100.1.2049: . ack 117 win 1284 <nop,nop,timestamp 3929304637 2338823664> (DF)
12:19:47.294359 192.168.100.1.2049 > 192.168.100.2.998: . ack 142 win 1030 <nop,nop,timestamp 2338823786 3929304637>

Such lines appear indefinitely...

In fact, the connection stays in FIN_WAIT_2. On the client:

client$ netstat -an | grep 2049
tcp        0      0 192.168.100.2:998       192.168.100.1:2049      FIN_WAIT2 

and on the server:

vps$ doas pfctl -s states | grep 2049 
all tcp 192.168.100.1:2049 <- 192.168.100.2:998       ESTABLISHED:FIN_WAIT_2
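To make the pattern in the trace above mechanically checkable, here is an added Python example (not part of the question or of any tool mentioned on the page) that parses classic tcpdump TCP lines of the form shown, groups them per connection, and reports whether one side sent a FIN that was acknowledged while the peer never closed its half, which is exactly the half-closed FIN_WAIT_2 state the netstat and pfctl output shows. The sample trace embedded in the block is constructed from the lines quoted in the question; the endpoint addresses and ports are the ones on the page.

```python
import re
from collections import defaultdict

# Constructed sample trace, copied from the lines quoted in the question
# (client 192.168.100.2:998 <-> NFS server 192.168.100.1:2049).
SAMPLE_TRACE = """\
12:16:45.022393 192.168.100.2.998 > 192.168.100.1.2049: F 141:141(0) ack 117 win 1284 <nop,nop,timestamp 3929122361 2338823414> (DF)
12:16:45.022470 192.168.100.1.2049 > 192.168.100.2.998: . ack 142 win 1030 <nop,nop,timestamp 2338823422 3929122361>
12:17:45.187125 192.168.100.2.998 > 192.168.100.1.2049: . ack 117 win 1284 <nop,nop,timestamp 3929182521 2338823422> (DF)
12:17:45.187153 192.168.100.1.2049 > 192.168.100.2.998: . ack 142 win 1030 <nop,nop,timestamp 2338823542 3929182521>
12:18:45.849519 192.168.100.2.998 > 192.168.100.1.2049: . ack 117 win 1284 <nop,nop,timestamp 3929243193 2338823542> (DF)
12:18:45.849548 192.168.100.1.2049 > 192.168.100.2.998: . ack 142 win 1030 <nop,nop,timestamp 2338823664 3929243193>
12:19:47.294335 192.168.100.2.998 > 192.168.100.1.2049: . ack 117 win 1284 <nop,nop,timestamp 3929304637 2338823664> (DF)
12:19:47.294359 192.168.100.1.2049 > 192.168.100.2.998: . ack 142 win 1030 <nop,nop,timestamp 2338823786 3929304637>
"""

# Classic tcpdump TCP line: "ts src.port > dst.port: FLAGS [seq:end(len)] ack N win W ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s+"
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)\s+)?"
    r"ack\s+(?P<ack>\d+)"
)


def _seconds(ts):
    """hh:mm:ss.ffffff -> seconds since midnight (enough for interval math)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_trace(text):
    """Turn tcpdump lines into dicts; lines that are not TCP segments are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        pkts.append({
            "t": _seconds(g["ts"]),
            "src": f'{g["src"]}:{g["sport"]}',
            "dst": f'{g["dst"]}:{g["dport"]}',
            "flags": g["flags"],
            "end": int(g["end"]) if g["end"] else None,  # last seq number of the segment
            "len": int(g["len"] or 0),
            "ack": int(g["ack"]),
        })
    return pkts


def diagnose(pkts):
    """Per connection: who sent the first FIN, whether the peer ACKed it, whether the
    peer ever sent its own FIN, and how many payload-less ACKs followed the FIN."""
    flows = defaultdict(list)
    for p in pkts:
        flows[frozenset((p["src"], p["dst"]))].append(p)

    report = {}
    for fl in flows.values():
        first_fin = next((p for p in fl if "F" in p["flags"] and p["end"] is not None), None)
        if first_fin is None:
            continue
        closer, peer = first_fin["src"], first_fin["dst"]
        after = fl[fl.index(first_fin) + 1:]
        # A FIN occupies one sequence number, so it is ACKed once ack > end.
        fin_acked = any(p["src"] == peer and p["ack"] > first_fin["end"] for p in after)
        peer_sent_fin = any(p["src"] == peer and "F" in p["flags"] for p in after)
        bare_acks = sum(1 for p in after if p["flags"] == "." and p["len"] == 0)
        # Intervals between the closer's successive segments: the ~60 s spacing
        # in the question is the client re-sending a bare ACK, not new data.
        closer_times = [first_fin["t"]] + [p["t"] for p in after if p["src"] == closer]
        intervals = [b - a for a, b in zip(closer_times, closer_times[1:])]
        if fin_acked and not peer_sent_fin:
            state = "half-closed: closer in FIN_WAIT_2, peer never sent its FIN"
        elif fin_acked:
            state = "closed in both directions"
        else:
            state = "FIN not yet acknowledged (closer in FIN_WAIT_1)"
        report[f"{closer} -> {peer}"] = {
            "closer_fin_acked": fin_acked,
            "peer_sent_fin": peer_sent_fin,
            "bare_acks_after_fin": bare_acks,
            "closer_ack_interval_s": round(sum(intervals) / len(intervals), 1) if intervals else None,
            "state": state,
        }
    return report


if __name__ == "__main__":
    for flow, info in diagnose(parse_trace(SAMPLE_TRACE)).items():
        print(flow, info)
```

Run against a longer capture (tcpdump with the same classic output style), the report tells you at a glance which side closed first and whether the other side ever answered with its own FIN; a flow that stays "half-closed" for minutes while bare ACKs keep flowing is the signature to look for.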
  • So if you suspect it's due to an inactivity timeout with a firewall, you can consider adding specific allow rules everywhere until you pinpoint the cause. NFSv3 requires an ALG to be handled properly (see a Linux kernel-assisted userspace ALG reference for NFSv3 here: conntrack-tools.netfilter.org/manual.html#helpers). NFSv4 doesn't use complex port reservations related to rpcinfo and would probably behave better. As I don't know much about pf, that's all I can say. Commented Feb 19, 2023 at 13:06
  • OpenBSD only supports NFS 2 & 3, so I cannot use v4. I don't think the firewall is really causing the problem because I have another NFS server under Ubuntu in the VLAN, which works fine, and its traffic passes through the OpenBSD server (a VPS). Thanks for your contribution. Commented Feb 19, 2023 at 18:50
  • Some insights with tcpdump. At some point the client sends a TCP packet with flag F, and communication gets stuck with: 21:38:13.981167 192.168.100.2.933 > 192.168.100.1.2049: F 10065:10065(0) ack 8641 win 2072 <nop,nop,timestamp 1606446556 2656181485> (DF) 21:38:13.981242 192.168.100.1.2049 > 192.168.100.2.933: . ack 10066 win 1030 <nop,nop,timestamp 2656181608 1606446556> (DF) 21:38:13.981266 192.168.100.2.933 > 192.168.100.1.2049: . ack 8641 win 2072 <nop,nop,timestamp 1606446556 2656181485> (DF) The last lines are repeated with the same ack/win numbers. Commented Feb 19, 2023 at 21:03

1 Answer


Checking if pf is blocking something is easy: just add log to (all?) block rules and use tcpdump -neti pflog0 to see what comes up.

Next, make sure all NFS-related ports on the server (rpcinfo -p gives you the list) are accessible from the client (e.g. nc -z <server_ip> 2049).

Third, make sure Linux uses the same protocol as the server (OpenBSD uses UDP by default, but this can be changed by adding the -t flag when running nfsd) and reserved ports (i.e. <1024), which I don't think it does by default.

My case

I am successfully using NFS between an OpenBSD server and a Linux client (Debian 11.6), over a firewall, using the following settings on the client:

/etc/auto.master:

+auto.master
/nfs    /etc/auto.nfs

/etc/auto.nfs:

music    -fstype=nfs,vers=3,rw,soft,rsize=32768,wsize=32768,noatime,timeo=1200,retrans=10,proto=tcp,resvport,nolock,noacl 10.17.18.10:/shared/media/music

On the firewall, I have pass rules for all the tcp and udp ports the server listens on, as listed by rpcinfo -p.
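The answer's second and last steps (collect the server's RPC ports with rpcinfo -p, check each one from the client with nc -z, and pass exactly those tcp/udp ports on the firewall) are mechanical enough to script. The following Python example is added here and is not the answerer's code; it parses a constructed rpcinfo -p listing (the port numbers for mountd are made up; portmapper on 111 and nfs on 2049 are the standard ones), prints the pf pass rules and the nc probes, but does not run anything. The interface name wg0 and the 192.168.100.0/24 addresses are taken from the question; treat them as assumptions for your own setup. Probing UDP with nc -z is only a best-effort check, since a silent UDP port looks the same as a filtered one.

```python
# Constructed sample of `rpcinfo -p` output on the NFS server; mountd ports are invented.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp    817  mountd
    100005    3   udp    817  mountd
    100005    1   tcp    947  mountd
    100005    3   tcp    947  mountd
"""


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` lines into dicts; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        prog, vers, proto, port = parts[:4]
        entries.append({
            "program": int(prog),
            "vers": int(vers),
            "proto": proto.lower(),
            "port": int(port),
            "service": parts[4] if len(parts) > 4 else "?",
        })
    return entries


def ports_by_proto(entries):
    """Deduplicated, sorted port list per transport: several RPC versions share one port."""
    out = {"tcp": set(), "udp": set()}
    for e in entries:
        out.setdefault(e["proto"], set()).add(e["port"])
    return {proto: sorted(ports) for proto, ports in out.items()}


def non_reserved(entries):
    """Server-side listeners above 1023; useful when matching the answer's reserved-port point."""
    return sorted({(e["proto"], e["port"]) for e in entries if e["port"] >= 1024})


def pf_pass_rules(entries, iface, client_net, server_ip):
    """One pf pass rule per transport covering every port the server registers."""
    rules = []
    for proto, ports in ports_by_proto(entries).items():
        if not ports:
            continue
        plist = ", ".join(str(p) for p in ports)
        rules.append(
            f"pass in on {iface} inet proto {proto} from {client_net} "
            f"to {server_ip} port {{ {plist} }}"
        )
    return rules


def reachability_commands(entries, server_ip):
    """nc probes to run from the client; tcp uses -z, udp uses -zu (best effort only)."""
    cmds = []
    for proto, ports in ports_by_proto(entries).items():
        flag = "-z" if proto == "tcp" else "-zu"
        cmds.extend(f"nc {flag} {server_ip} {p}" for p in ports)
    return cmds


if __name__ == "__main__":
    entries = parse_rpcinfo(SAMPLE_RPCINFO)
    print("# pf rules (assumed interface and addresses from the question)")
    for rule in pf_pass_rules(entries, "wg0", "192.168.100.0/24", "192.168.100.1"):
        print(rule)
    print("# probes to run on the client")
    for cmd in reachability_commands(entries, "192.168.100.1"):
        print(cmd)
    print("# non-reserved server ports:", non_reserved(entries))
```

Feed it the real rpcinfo -p output (for example via a pipe) and compare the emitted port list with what your pf ruleset actually passes; a port that rpcinfo lists but the rules omit is the first thing to fix before chasing timeouts.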

  • Thanks Zé! I will try this soon. I have Ubuntu 22.04. What surprises me is that I added a FreeBSD client to my VLAN and everything works fine. I have no special rules in pf that distinguish the Ubuntu/FreeBSD clients because all my rules are about IP family. Commented Feb 28, 2023 at 20:25
  • 1
    Again, I put my money either on TCP vs UDP, or on the reserved ports. There's a long-ish explanation about both at the linux nfs man page if you're interested. I'm sure that OpenBSD serves in reserved ports and uses UDP by default, although this can be changed by adding -t to the nfsdoptions. Commented Mar 1, 2023 at 8:44
  • Thanks again! I followed your indications. My client communicates (via a reserved port) with server port 2049. But at some point, maybe when the system froze (it is random), my pf rules block packets from server port 2049 to client port 56796, then 815, 51542, etc. It seems the server tries to send packets to strange ports that are not the one opened on the client to communicate with it. The pf rule that matches the blocked packets is block return on wg0 all, while I have: pass on wg0 inet from vlan to vlan flags S/SA. Commented Mar 4, 2023 at 11:26
  • As you said, the client tries to communicate on non-privileged ports after a while; however, initially it used a privileged port. It is strange because resvport is the default! Commented Mar 4, 2023 at 12:28
  • Well, I disabled pf and added only one rule: match log (all, to pflog0) from any to any. I used your NFS mount options. And still, after a while, the system froze; however, nothing "strange" was logged (privileged port used and TCP). I am lost. Commented Mar 4, 2023 at 21:14
