
nfs-utils: add priority option to override the precedence order of client exports

Message ID CAK3fRr9swwYJKGHMtUsfj0+hnuQLuiKUfsxOsoYuaa6vUb91Nw@mail.gmail.com (mailing list archive)
State New, archived

Commit Message

James Pearson May 20, 2024, 1:32 p.m. UTC
Patch to override/manage the order of client specification exports
matches via the use of a priority option

The current client precedence match order is fixed, e.g. an IP subnet
match will be used before a wildcard match, but with this patch the
wildcard match can be given a higher priority (positive integer) value
and will be matched before the subnet match

Signed-off-by: James Pearson <jcpearson@gmail.com>
---
 support/export/auth.c      |  8 ++++++--
 support/export/cache.c     | 14 ++++++++++++++
 support/include/nfslib.h   |  1 +
 support/nfs/exports.c      | 12 ++++++++++++
 utils/exportfs/exportfs.c  |  2 ++
 utils/exportfs/exports.man | 19 ++++++++++++++++++-
 6 files changed, 53 insertions(+), 3 deletions(-)

 .SS User ID Mapping
--
2.40.0

Comments

Steve Dickson June 17, 2024, 8:28 p.m. UTC | #1
Hello,

Sorry for the delay.

On 5/20/24 8:32 AM, James Pearson wrote:
> Patch to override/manage the order of client specification exports
> matches via the use of a priority option
> 
> The current client precedence match order is fixed, e.g. an IP subnet
> match will be used before a wildcard match, but with this patch the
> wildcard match can be given a higher priority (positive integer) value
> and will be matched before the subnet match
I cannot get this patch to apply. I'm getting:
$ patch -p1  < /tmp/patch.diff
checking file support/export/auth.c
Hunk #1 FAILED at 175.
Hunk #2 FAILED at 189.
patch: **** malformed patch at line 49: found->m_export.e_priority)
And nothing is applied.

Now it is a pretty large patch and does change exporting in a
major way.. So I'm not comfortable trying to piece-meal
that patch together, since it would invalidate all your testing. ;-)

Could you please use the "git format-patch" command to
reformat the patch... and/or break it up into a
number of patches, again using that command.

tia,


steved
> 
> Signed-off-by: James Pearson <jcpearson@gmail.com>
> ---
>   support/export/auth.c      |  8 ++++++--
>   support/export/cache.c     | 14 ++++++++++++++
>   support/include/nfslib.h   |  1 +
>   support/nfs/exports.c      | 12 ++++++++++++
>   utils/exportfs/exportfs.c  |  2 ++
>   utils/exportfs/exports.man | 19 ++++++++++++++++++-
>   6 files changed, 53 insertions(+), 3 deletions(-)
> 
> diff --git a/support/export/auth.c b/support/export/auth.c
> index 2d7960f1..3d9e07b5 100644
> --- a/support/export/auth.c
> +++ b/support/export/auth.c
> @@ -175,7 +175,7 @@ auth_authenticate_newcache(const struct sockaddr *caller,
>                             const char *path, struct addrinfo *ai,
>                             enum auth_error *error)
>   {
> -       nfs_export *exp;
> +       nfs_export *exp, *found;
>          int i;
> 
>          free(my_client.m_hostname);
> @@ -189,6 +189,7 @@ auth_authenticate_newcache(const struct sockaddr *caller,
>          my_exp.m_client = &my_client;
> 
>          exp = NULL;
> +       found = NULL;
>          for (i = 0; !exp && i < MCL_MAXTYPES; i++)
>                  for (exp = exportlist[i].p_head; exp; exp = exp->m_next) {
>                          if (strcmp(path, exp->m_export.e_path))
> @@ -198,8 +199,11 @@ auth_authenticate_newcache(const struct sockaddr *caller,
>                          if (exp->m_export.e_flags & NFSEXP_V4ROOT)
>                                  /* not acceptable for v[23] export */
>                                  continue;
> -                       break;
> +                       /* we have a match - see if it is a higher priority */
> +                       if (!found || exp->m_export.e_priority >
> found->m_export.e_priority)
> +                               found = exp;
>                  }
> +       exp = found;
>          *error = not_exported;
>          if (!exp)
>                  return NULL;
> diff --git a/support/export/cache.c b/support/export/cache.c
> index 6c0a44a3..dfb0051b 100644
> --- a/support/export/cache.c
> +++ b/support/export/cache.c
> @@ -877,6 +877,14 @@ static int nfsd_handle_fh(int f, char *bp, int blen)
>                                  xlog(L_WARNING, "%s and %s have same
> filehandle for %s, using first",
>                                       found_path, path, dom);
>                          } else {
> +                               /* same path, see if this one has a
> higher export priority */
> +                               if (exp->m_export.e_priority >
> found->e_priority) {
> +                                       found = &exp->m_export;
> +                                       free(found_path);
> +                                       found_path = strdup(path);
> +                                       if (found_path == NULL)
> +                                               goto out;
> +                               }
>                                  /* same path, if one is V4ROOT, choose
> the other */
>                                  if (found->e_flags & NFSEXP_V4ROOT) {
>                                          found = &exp->m_export;
> @@ -1178,6 +1186,12 @@ lookup_export(char *dom, char *path, struct addrinfo *ai)
>                                  found_type = i;
>                                  continue;
>                          }
> +                       /* see if this one has a higher export priority */
> +                       if (exp->m_export.e_priority >
> found->m_export.e_priority) {
> +                               found = exp;
> +                               found_type = i;
> +                               continue;
> +                       }
>                          /* Always prefer non-V4ROOT exports */
>                          if (exp->m_export.e_flags & NFSEXP_V4ROOT)
>                                  continue;
> diff --git a/support/include/nfslib.h b/support/include/nfslib.h
> index eff2a486..ab22ecaf 100644
> --- a/support/include/nfslib.h
> +++ b/support/include/nfslib.h
> @@ -99,6 +99,7 @@ struct exportent {
>          unsigned int    e_ttl;
>          char *          e_realpath;
>          int             e_reexport;
> +       int             e_priority;
>   };
> 
>   struct rmtabent {
> diff --git a/support/nfs/exports.c b/support/nfs/exports.c
> index a6816e60..afc139db 100644
> --- a/support/nfs/exports.c
> +++ b/support/nfs/exports.c
> @@ -106,6 +106,7 @@ static void init_exportent (struct exportent *ee,
> int fromkernel)
>          ee->e_uuid = NULL;
>          ee->e_ttl = default_ttl;
>          ee->e_reexport = REEXP_NONE;
> +       ee->e_priority = 0;
>   }
> 
>   struct exportent *
> @@ -374,6 +375,9 @@ putexportent(struct exportent *ep)
>                                  fprintf(fp, "%d,", id[i]);
>          }
>          fprintf(fp, "anonuid=%d,anongid=%d", ep->e_anonuid, ep->e_anongid);
> +       if (ep->e_priority) {
> +               fprintf(fp, ",priority=%d", ep->e_priority);
> +       }
>          secinfo_show(fp, ep);
>          xprtsecinfo_show(fp, ep);
>          fprintf(fp, ")\n");
> @@ -834,6 +838,14 @@ bad_option:
>                                  setflags(NFSEXP_FSID, active, ep);
> 
>                          saw_reexport = 1;
> +               } else if (strncmp(opt, "priority=", 9) == 0) {
> +                       char *oe;
> +                       ep->e_priority = strtol(opt+9, &oe, 10);
> +                       if (opt[9]=='\0' || *oe != '\0') {
> +                               xlog(L_ERROR, "%s: %d: bad priority \"%s\"\n",
> +                                    flname, flline, opt);
> +                               goto bad_option;
> +                       }
>                  } else {
>                          xlog(L_ERROR, "%s:%d: unknown keyword \"%s\"\n",
>                                          flname, flline, opt);
> diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
> index b03a047b..5e6a64b6 100644
> --- a/utils/exportfs/exportfs.c
> +++ b/utils/exportfs/exportfs.c
> @@ -753,6 +753,8 @@ dump(int verbose, int export_format)
>                                  break;
>   #endif
>                          }
> +                       if (ep->e_priority)
> +                               c = dumpopt(c, "priority=%d", ep->e_priority);
>                          secinfo_show(stdout, ep);
>                          xprtsecinfo_show(stdout, ep);
>                          printf("%c\n", (c != '(')? ')' : ' ');
> diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
> index c14769e5..8b436ad5 100644
> --- a/utils/exportfs/exports.man
> +++ b/utils/exportfs/exports.man
> @@ -100,12 +100,16 @@ entry above) and will match all clients.
>   .\".B \-\-public\-root
>   .\"option. Multiple specifications of a public root will be ignored.
>   .PP
> -If a client matches more than one of the specifications above, then
> +By default, if a client matches more than one of the specifications above, then
>   the first match from the above list order takes precedence - regardless of
>   the order they appear on the export line. However, if a client matches
>   more than one of the same type of specification (e.g. two netgroups),
>   then the first match from the order they appear on the export line takes
>   precedence.
> +.PP
> +The above list order can be overridden/managed via the use of the
> +.IR priority=
> +export option (see below)
>   .SS RPCSEC_GSS security
>   You may use the special strings "gss/krb5", "gss/krb5i", or "gss/krb5p"
>   to restrict access to clients using rpcsec_gss security.  However, this
> @@ -500,6 +504,19 @@ Don't edit or remove the database unless you know
> exactly what you're doing.
>   is useful when you have used
>   .IR auto-fsidnum
>   before and don't want further entries stored.
> +.TP
> +.IR priority= num
> +This option allows an export to a client specification to override its default
> +mapping order. By default, the precedence order of a match is given in the
> +.BR "Machine Name Formats"
> +section above. For example, an IP network match will take precedence over
> +a wildcard match. To allow the wildcard match to be used instead of the IP
> +network match, a
> +.IR priority
> +of greater than zero is given to the wildcard specification
> +
> +By default, all exports have a priority of zero. Negative priority settings
> +can also be given, which will push the match lower down the precedence order
> 
> 
>   .SS User ID Mapping
> --
> 2.40.0
>
Steve Dickson Nov. 9, 2024, 6:33 p.m. UTC | #2
Hello,

On 6/17/24 3:28 PM, Steve Dickson wrote:
> Hello,
> 
> Sorry for the delay.
> 
> On 5/20/24 8:32 AM, James Pearson wrote:
>> Patch to override/manage the order of client specification exports
>> matches via the use of a priority option
>>
>> The current client precedence match order is fixed, e.g. an IP subnet
>> match will be used before a wildcard match, but with this patch the
>> wildcard match can be given a higher priority (positive integer) value
>> and will be matched before the subnet match
> I cannot get this patch to apply. I'm getting:
> $ patch -p1  < /tmp/patch.diff
> checking file support/export/auth.c
> Hunk #1 FAILED at 175.
> Hunk #2 FAILED at 189.
> patch: **** malformed patch at line 49: found->m_export.e_priority)
> And nothing is applied.
> 
> Now it is a pretty large patch and does change exporting in a
> major way.. So I'm not comfortable trying to piece-meal
> that patch together, since it would invalidate all your testing. ;-)
> 
> Could you please use the "git format-patch" command to
> reformat the patch... and/or break it up into a
> number of patches, again using that command.
Are you still interested in getting this committed?

It is a fairly large patch so I would like it
to apply cleanly so I can test it.

steved.
> 
> tia,
> 
> 
> steved
>>
>> Signed-off-by: James Pearson <jcpearson@gmail.com>
>> ---
>>   support/export/auth.c      |  8 ++++++--
>>   support/export/cache.c     | 14 ++++++++++++++
>>   support/include/nfslib.h   |  1 +
>>   support/nfs/exports.c      | 12 ++++++++++++
>>   utils/exportfs/exportfs.c  |  2 ++
>>   utils/exportfs/exports.man | 19 ++++++++++++++++++-
>>   6 files changed, 53 insertions(+), 3 deletions(-)
>>
>> diff --git a/support/export/auth.c b/support/export/auth.c
>> index 2d7960f1..3d9e07b5 100644
>> --- a/support/export/auth.c
>> +++ b/support/export/auth.c
>> @@ -175,7 +175,7 @@ auth_authenticate_newcache(const struct sockaddr 
>> *caller,
>>                             const char *path, struct addrinfo *ai,
>>                             enum auth_error *error)
>>   {
>> -       nfs_export *exp;
>> +       nfs_export *exp, *found;
>>          int i;
>>
>>          free(my_client.m_hostname);
>> @@ -189,6 +189,7 @@ auth_authenticate_newcache(const struct sockaddr 
>> *caller,
>>          my_exp.m_client = &my_client;
>>
>>          exp = NULL;
>> +       found = NULL;
>>          for (i = 0; !exp && i < MCL_MAXTYPES; i++)
>>                  for (exp = exportlist[i].p_head; exp; exp = exp- 
>> >m_next) {
>>                          if (strcmp(path, exp->m_export.e_path))
>> @@ -198,8 +199,11 @@ auth_authenticate_newcache(const struct sockaddr 
>> *caller,
>>                          if (exp->m_export.e_flags & NFSEXP_V4ROOT)
>>                                  /* not acceptable for v[23] export */
>>                                  continue;
>> -                       break;
>> +                       /* we have a match - see if it is a higher 
>> priority */
>> +                       if (!found || exp->m_export.e_priority >
>> found->m_export.e_priority)
>> +                               found = exp;
>>                  }
>> +       exp = found;
>>          *error = not_exported;
>>          if (!exp)
>>                  return NULL;
>> diff --git a/support/export/cache.c b/support/export/cache.c
>> index 6c0a44a3..dfb0051b 100644
>> --- a/support/export/cache.c
>> +++ b/support/export/cache.c
>> @@ -877,6 +877,14 @@ static int nfsd_handle_fh(int f, char *bp, int blen)
>>                                  xlog(L_WARNING, "%s and %s have same
>> filehandle for %s, using first",
>>                                       found_path, path, dom);
>>                          } else {
>> +                               /* same path, see if this one has a
>> higher export priority */
>> +                               if (exp->m_export.e_priority >
>> found->e_priority) {
>> +                                       found = &exp->m_export;
>> +                                       free(found_path);
>> +                                       found_path = strdup(path);
>> +                                       if (found_path == NULL)
>> +                                               goto out;
>> +                               }
>>                                  /* same path, if one is V4ROOT, choose
>> the other */
>>                                  if (found->e_flags & NFSEXP_V4ROOT) {
>>                                          found = &exp->m_export;
>> @@ -1178,6 +1186,12 @@ lookup_export(char *dom, char *path, struct 
>> addrinfo *ai)
>>                                  found_type = i;
>>                                  continue;
>>                          }
>> +                       /* see if this one has a higher export 
>> priority */
>> +                       if (exp->m_export.e_priority >
>> found->m_export.e_priority) {
>> +                               found = exp;
>> +                               found_type = i;
>> +                               continue;
>> +                       }
>>                          /* Always prefer non-V4ROOT exports */
>>                          if (exp->m_export.e_flags & NFSEXP_V4ROOT)
>>                                  continue;
>> diff --git a/support/include/nfslib.h b/support/include/nfslib.h
>> index eff2a486..ab22ecaf 100644
>> --- a/support/include/nfslib.h
>> +++ b/support/include/nfslib.h
>> @@ -99,6 +99,7 @@ struct exportent {
>>          unsigned int    e_ttl;
>>          char *          e_realpath;
>>          int             e_reexport;
>> +       int             e_priority;
>>   };
>>
>>   struct rmtabent {
>> diff --git a/support/nfs/exports.c b/support/nfs/exports.c
>> index a6816e60..afc139db 100644
>> --- a/support/nfs/exports.c
>> +++ b/support/nfs/exports.c
>> @@ -106,6 +106,7 @@ static void init_exportent (struct exportent *ee,
>> int fromkernel)
>>          ee->e_uuid = NULL;
>>          ee->e_ttl = default_ttl;
>>          ee->e_reexport = REEXP_NONE;
>> +       ee->e_priority = 0;
>>   }
>>
>>   struct exportent *
>> @@ -374,6 +375,9 @@ putexportent(struct exportent *ep)
>>                                  fprintf(fp, "%d,", id[i]);
>>          }
>>          fprintf(fp, "anonuid=%d,anongid=%d", ep->e_anonuid, ep- 
>> >e_anongid);
>> +       if (ep->e_priority) {
>> +               fprintf(fp, ",priority=%d", ep->e_priority);
>> +       }
>>          secinfo_show(fp, ep);
>>          xprtsecinfo_show(fp, ep);
>>          fprintf(fp, ")\n");
>> @@ -834,6 +838,14 @@ bad_option:
>>                                  setflags(NFSEXP_FSID, active, ep);
>>
>>                          saw_reexport = 1;
>> +               } else if (strncmp(opt, "priority=", 9) == 0) {
>> +                       char *oe;
>> +                       ep->e_priority = strtol(opt+9, &oe, 10);
>> +                       if (opt[9]=='\0' || *oe != '\0') {
>> +                               xlog(L_ERROR, "%s: %d: bad priority 
>> \"%s\"\n",
>> +                                    flname, flline, opt);
>> +                               goto bad_option;
>> +                       }
>>                  } else {
>>                          xlog(L_ERROR, "%s:%d: unknown keyword \"%s\"\n",
>>                                          flname, flline, opt);
>> diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
>> index b03a047b..5e6a64b6 100644
>> --- a/utils/exportfs/exportfs.c
>> +++ b/utils/exportfs/exportfs.c
>> @@ -753,6 +753,8 @@ dump(int verbose, int export_format)
>>                                  break;
>>   #endif
>>                          }
>> +                       if (ep->e_priority)
>> +                               c = dumpopt(c, "priority=%d", ep- 
>> >e_priority);
>>                          secinfo_show(stdout, ep);
>>                          xprtsecinfo_show(stdout, ep);
>>                          printf("%c\n", (c != '(')? ')' : ' ');
>> diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
>> index c14769e5..8b436ad5 100644
>> --- a/utils/exportfs/exports.man
>> +++ b/utils/exportfs/exports.man
>> @@ -100,12 +100,16 @@ entry above) and will match all clients.
>>   .\".B \-\-public\-root
>>   .\"option. Multiple specifications of a public root will be ignored.
>>   .PP
>> -If a client matches more than one of the specifications above, then
>> +By default, if a client matches more than one of the specifications 
>> above, then
>>   the first match from the above list order takes precedence - 
>> regardless of
>>   the order they appear on the export line. However, if a client matches
>>   more than one of the same type of specification (e.g. two netgroups),
>>   then the first match from the order they appear on the export line 
>> takes
>>   precedence.
>> +.PP
>> +The above list order can be overridden/managed via the use of the
>> +.IR priority=
>> +export option (see below)
>>   .SS RPCSEC_GSS security
>>   You may use the special strings "gss/krb5", "gss/krb5i", or "gss/krb5p"
>>   to restrict access to clients using rpcsec_gss security.  However, this
>> @@ -500,6 +504,19 @@ Don't edit or remove the database unless you know
>> exactly what you're doing.
>>   is useful when you have used
>>   .IR auto-fsidnum
>>   before and don't want further entries stored.
>> +.TP
>> +.IR priority= num
>> +This option allows an export to a client specification to override 
>> its default
>> +mapping order. By default, the precedence order of a match is given 
>> in the
>> +.BR "Machine Name Formats"
>> +section above. For example, an IP network match will take precedence 
>> over
>> +a wildcard match. To allow the wildcard match to be used instead of 
>> the IP
>> +network match, a
>> +.IR priority
>> +of greater than zero is given to the wildcard specification
>> +
>> +By default, all exports have a priority of zero. Negative priority 
>> settings
>> +can also be given, which will push the match lower down the 
>> precedence order
>>
>>
>>   .SS User ID Mapping
>> -- 
>> 2.40.0
>>

Patch

diff --git a/support/export/auth.c b/support/export/auth.c
index 2d7960f1..3d9e07b5 100644
--- a/support/export/auth.c
+++ b/support/export/auth.c
@@ -175,7 +175,7 @@  auth_authenticate_newcache(const struct sockaddr *caller,
                           const char *path, struct addrinfo *ai,
                           enum auth_error *error)
 {
-       nfs_export *exp;
+       nfs_export *exp, *found;
        int i;

        free(my_client.m_hostname);
@@ -189,6 +189,7 @@  auth_authenticate_newcache(const struct sockaddr *caller,
        my_exp.m_client = &my_client;

        exp = NULL;
+       found = NULL;
        for (i = 0; !exp && i < MCL_MAXTYPES; i++)
                for (exp = exportlist[i].p_head; exp; exp = exp->m_next) {
                        if (strcmp(path, exp->m_export.e_path))
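Review bot: the `!exp` test in the outer `for (i = 0; !exp && i < MCL_MAXTYPES; i++)` becomes dead once the `break` is removed in the next hunk, because the inner loop then always finishes with `exp == NULL`. Drop it from the condition so the code says what it now does: scan every client type and keep the best match in `found`.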
@@ -198,8 +199,11 @@  auth_authenticate_newcache(const struct sockaddr *caller,
                        if (exp->m_export.e_flags & NFSEXP_V4ROOT)
                                /* not acceptable for v[23] export */
                                continue;
-                       break;
+                       /* we have a match - see if it is a higher priority */
+                       if (!found || exp->m_export.e_priority >
found->m_export.e_priority)
+                               found = exp;
                }
+       exp = found;
        *error = not_exported;
        if (!exp)
                return NULL;
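Review bot: the condition starting `if (!found || exp->m_export.e_priority >` is split across two lines, and its continuation `found->m_export.e_priority)` carries no diff marker; that is the line `patch` rejects as malformed in the report above, so the mail client's line wrapping has to be avoided when resending (for example with `git format-patch`, as requested). On the logic, the strict `>` keeps the first match when priorities are equal, which preserves the existing precedence order for the default priority of 0; a short comment saying so would help, since the loop no longer stops at the first match.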
diff --git a/support/export/cache.c b/support/export/cache.c
index 6c0a44a3..dfb0051b 100644
--- a/support/export/cache.c
+++ b/support/export/cache.c
@@ -877,6 +877,14 @@  static int nfsd_handle_fh(int f, char *bp, int blen)
                                xlog(L_WARNING, "%s and %s have same
filehandle for %s, using first",
                                     found_path, path, dom);
                        } else {
+                               /* same path, see if this one has a
higher export priority */
+                               if (exp->m_export.e_priority >
found->e_priority) {
+                                       found = &exp->m_export;
+                                       free(found_path);
+                                       found_path = strdup(path);
+                                       if (found_path == NULL)
+                                               goto out;
+                               }
                                /* same path, if one is V4ROOT, choose
the other */
                                if (found->e_flags & NFSEXP_V4ROOT) {
                                        found = &exp->m_export;
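Review bot: the new priority block in `nfsd_handle_fh` does not end with `continue`, so after `found` is switched to the higher-priority entry, control falls into the existing `if (found->e_flags & NFSEXP_V4ROOT)` test with `found` and `exp` now referring to the same export. That lets a V4ROOT entry with a higher priority replace a regular export, which contradicts the "if one is V4ROOT, choose the other" comment. Consider doing the V4ROOT selection first and comparing priorities only between two non-V4ROOT candidates, or state why a V4ROOT entry can never carry a non-zero priority.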
@@ -1178,6 +1186,12 @@  lookup_export(char *dom, char *path, struct addrinfo *ai)
                                found_type = i;
                                continue;
                        }
+                       /* see if this one has a higher export priority */
+                       if (exp->m_export.e_priority >
found->m_export.e_priority) {
+                               found = exp;
+                               found_type = i;
+                               continue;
+                       }
                        /* Always prefer non-V4ROOT exports */
                        if (exp->m_export.e_flags & NFSEXP_V4ROOT)
                                continue;
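Review bot: in `lookup_export` the priority comparison sits before the "Always prefer non-V4ROOT exports" check, so a V4ROOT export with a higher `e_priority` would replace a non-V4ROOT `found`; move the new block below that check unless V4ROOT entries are guaranteed to keep priority 0. Only the `>` case is handled here: a candidate with a lower priority than `found` falls through to the selection rules that follow this hunk, so either confirm those rules cannot select it or skip it explicitly with a `<` test and `continue`.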
diff --git a/support/include/nfslib.h b/support/include/nfslib.h
index eff2a486..ab22ecaf 100644
--- a/support/include/nfslib.h
+++ b/support/include/nfslib.h
@@ -99,6 +99,7 @@  struct exportent {
        unsigned int    e_ttl;
        char *          e_realpath;
        int             e_reexport;
+       int             e_priority;
 };

 struct rmtabent {
diff --git a/support/nfs/exports.c b/support/nfs/exports.c
index a6816e60..afc139db 100644
--- a/support/nfs/exports.c
+++ b/support/nfs/exports.c
@@ -106,6 +106,7 @@  static void init_exportent (struct exportent *ee,
int fromkernel)
        ee->e_uuid = NULL;
        ee->e_ttl = default_ttl;
        ee->e_reexport = REEXP_NONE;
+       ee->e_priority = 0;
 }

 struct exportent *
@@ -374,6 +375,9 @@  putexportent(struct exportent *ep)
                                fprintf(fp, "%d,", id[i]);
        }
        fprintf(fp, "anonuid=%d,anongid=%d", ep->e_anonuid, ep->e_anongid);
+       if (ep->e_priority) {
+               fprintf(fp, ",priority=%d", ep->e_priority);
+       }
        secinfo_show(fp, ep);
        xprtsecinfo_show(fp, ep);
        fprintf(fp, ")\n");
@@ -834,6 +838,14 @@  bad_option:
                                setflags(NFSEXP_FSID, active, ep);

                        saw_reexport = 1;
+               } else if (strncmp(opt, "priority=", 9) == 0) {
+                       char *oe;
+                       ep->e_priority = strtol(opt+9, &oe, 10);
+                       if (opt[9]=='\0' || *oe != '\0') {
+                               xlog(L_ERROR, "%s: %d: bad priority \"%s\"\n",
+                                    flname, flline, opt);
+                               goto bad_option;
+                       }
                } else {
                        xlog(L_ERROR, "%s:%d: unknown keyword \"%s\"\n",
                                        flname, flline, opt);
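Review bot: `ep->e_priority = strtol(opt+9, &oe, 10);` stores a `long` into the `int` field with no range check, so a value above INT_MAX or below INT_MIN is silently truncated (or clamped with ERANGE) and accepted as a valid priority. Parse into a local `long`, reject the option when `errno == ERANGE` or the value is outside INT_MIN..INT_MAX, and assign to `ep->e_priority` only after validation. The message format `"%s: %d: bad priority ..."` also differs from the `"%s:%d: ..."` used by the neighbouring unknown-keyword message.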
diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
index b03a047b..5e6a64b6 100644
--- a/utils/exportfs/exportfs.c
+++ b/utils/exportfs/exportfs.c
@@ -753,6 +753,8 @@  dump(int verbose, int export_format)
                                break;
 #endif
                        }
+                       if (ep->e_priority)
+                               c = dumpopt(c, "priority=%d", ep->e_priority);
                        secinfo_show(stdout, ep);
                        xprtsecinfo_show(stdout, ep);
                        printf("%c\n", (c != '(')? ')' : ' ');
diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
index c14769e5..8b436ad5 100644
--- a/utils/exportfs/exports.man
+++ b/utils/exportfs/exports.man
@@ -100,12 +100,16 @@  entry above) and will match all clients.
 .\".B \-\-public\-root
 .\"option. Multiple specifications of a public root will be ignored.
 .PP
-If a client matches more than one of the specifications above, then
+By default, if a client matches more than one of the specifications above, then
 the first match from the above list order takes precedence - regardless of
 the order they appear on the export line. However, if a client matches
 more than one of the same type of specification (e.g. two netgroups),
 then the first match from the order they appear on the export line takes
 precedence.
+.PP
+The above list order can be overridden/managed via the use of the
+.IR priority=
+export option (see below)
 .SS RPCSEC_GSS security
 You may use the special strings "gss/krb5", "gss/krb5i", or "gss/krb5p"
 to restrict access to clients using rpcsec_gss security.  However, this
@@ -500,6 +504,19 @@  Don't edit or remove the database unless you know
exactly what you're doing.
 is useful when you have used
 .IR auto-fsidnum
 before and don't want further entries stored.
+.TP
+.IR priority= num
+This option allows an export to a client specification to override its default
+mapping order. By default, the precedence order of a match is given in the
+.BR "Machine Name Formats"
+section above. For example, an IP network match will take precedence over
+a wildcard match. To allow the wildcard match to be used instead of the IP
+network match, a
+.IR priority
+of greater than zero is given to the wildcard specification
+
+By default, all exports have a priority of zero. Negative priority settings
+can also be given, which will push the match lower down the precedence order
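Review bot: the `priority=` entry does not say what happens when two matching specifications have the same priority; the code hunks compare with a strict `>`, so the text should state that equal priorities fall back to the default precedence order. It would also help administrators to say that the export options of the winning specification are the ones applied, since giving a wildcard a positive priority means its options are used instead of those on the IP network entry. The added sentences are missing their final full stops, and the empty `+` line inside the entry should be a paragraph macro rather than a blank line in the man source.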