Message ID | CAK3fRr9swwYJKGHMtUsfj0+hnuQLuiKUfsxOsoYuaa6vUb91Nw@mail.gmail.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | nfs-utils: add priority option to override the precedence order of client exports | expand |
Hello, Sorry for the delay. On 5/20/24 8:32 AM, James Pearson wrote: > Patch to override/manage the order of client specification exports > matches via the use of a priority option > > The current client precedence match order is fixed, e.g. an IP subnet > match will be used before a wildcard match, but with this patch the > wildcard match can be given a higher priority (positive integer) value > and will be matched before the subnet match I can not get this patch to apply I'm getting $ patch -p1 < /tmp/patch.diff checking file support/export/auth.c Hunk #1 FAILED at 175. Hunk #2 FAILED at 189. patch: **** malformed patch at line 49: found->m_export.e_priority) And nothing is applied. Now it is a pretty large patch and does change exporting in a major way.. So I'm not comfortable trying to piece-meal that patch together, since it would invalid all your testing. ;-) Could you please use the "git format-patch" command to reformat the patch... and/or break it up into a number of patches, again using that command. tia, steved > > Signed-off-by: James Pearson <jcpearson@gmail.com> > --- > support/export/auth.c | 8 ++++++-- > support/export/cache.c | 14 ++++++++++++++ > support/include/nfslib.h | 1 + > support/nfs/exports.c | 12 ++++++++++++ > utils/exportfs/exportfs.c | 2 ++ > utils/exportfs/exports.man | 19 ++++++++++++++++++- > 6 files changed, 53 insertions(+), 3 deletions(-) > > diff --git a/support/export/auth.c b/support/export/auth.c > index 2d7960f1..3d9e07b5 100644 > --- a/support/export/auth.c > +++ b/support/export/auth.c > @@ -175,7 +175,7 @@ auth_authenticate_newcache(const struct sockaddr *caller, > const char *path, struct addrinfo *ai, > enum auth_error *error) > { > - nfs_export *exp; > + nfs_export *exp, *found; > int i; > > free(my_client.m_hostname); > @@ -189,6 +189,7 @@ auth_authenticate_newcache(const struct sockaddr *caller, > my_exp.m_client = &my_client; > > exp = NULL; > + found = NULL; > for (i = 0; !exp && i < MCL_MAXTYPES; i++) > for (exp = exportlist[i].p_head; exp; exp = exp->m_next) { > if (strcmp(path, exp->m_export.e_path)) > @@ -198,8 +199,11 @@ auth_authenticate_newcache(const struct sockaddr *caller, > if (exp->m_export.e_flags & NFSEXP_V4ROOT) > /* not acceptable for v[23] export */ > continue; > - break; > + /* we have a match - see if it is a higher priority */ > + if (!found || exp->m_export.e_priority > > found->m_export.e_priority) > + found = exp; > } > + exp = found; > *error = not_exported; > if (!exp) > return NULL; > diff --git a/support/export/cache.c b/support/export/cache.c > index 6c0a44a3..dfb0051b 100644 > --- a/support/export/cache.c > +++ b/support/export/cache.c > @@ -877,6 +877,14 @@ static int nfsd_handle_fh(int f, char *bp, int blen) > xlog(L_WARNING, "%s and %s have same > filehandle for %s, using first", > found_path, path, dom); > } else { > + /* same path, see if this one has a > higher export priority */ > + if (exp->m_export.e_priority > > found->e_priority) { > + found = &exp->m_export; > + free(found_path); > + found_path = strdup(path); > + if (found_path == NULL) > + goto out; > + } > /* same path, if one is V4ROOT, choose > the other */ > if (found->e_flags & NFSEXP_V4ROOT) { > found = &exp->m_export; > @@ -1178,6 +1186,12 @@ lookup_export(char *dom, char *path, struct addrinfo *ai) > found_type = i; > continue; > } > + /* see if this one has a higher export priority */ > + if (exp->m_export.e_priority > > found->m_export.e_priority) { > + found = exp; > + found_type = i; > + continue; > + } > /* Always prefer non-V4ROOT exports */ > if (exp->m_export.e_flags & NFSEXP_V4ROOT) > continue; > diff --git a/support/include/nfslib.h b/support/include/nfslib.h > index eff2a486..ab22ecaf 100644 > --- a/support/include/nfslib.h > +++ b/support/include/nfslib.h > @@ -99,6 +99,7 @@ struct exportent { > unsigned int e_ttl; > char * e_realpath; > int e_reexport; > + int e_priority; > }; > > struct rmtabent { > diff --git a/support/nfs/exports.c b/support/nfs/exports.c > index a6816e60..afc139db 100644 > --- a/support/nfs/exports.c > +++ b/support/nfs/exports.c > @@ -106,6 +106,7 @@ static void init_exportent (struct exportent *ee, > int fromkernel) > ee->e_uuid = NULL; > ee->e_ttl = default_ttl; > ee->e_reexport = REEXP_NONE; > + ee->e_priority = 0; > } > > struct exportent * > @@ -374,6 +375,9 @@ putexportent(struct exportent *ep) > fprintf(fp, "%d,", id[i]); > } > fprintf(fp, "anonuid=%d,anongid=%d", ep->e_anonuid, ep->e_anongid); > + if (ep->e_priority) { > + fprintf(fp, ",priority=%d", ep->e_priority); > + } > secinfo_show(fp, ep); > xprtsecinfo_show(fp, ep); > fprintf(fp, ")\n"); > @@ -834,6 +838,14 @@ bad_option: > setflags(NFSEXP_FSID, active, ep); > > saw_reexport = 1; > + } else if (strncmp(opt, "priority=", 9) == 0) { > + char *oe; > + ep->e_priority = strtol(opt+9, &oe, 10); > + if (opt[9]=='\0' || *oe != '\0') { > + xlog(L_ERROR, "%s: %d: bad priority \"%s\"\n", > + flname, flline, opt); > + goto bad_option; > + } > } else { > xlog(L_ERROR, "%s:%d: unknown keyword \"%s\"\n", > flname, flline, opt); > diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c > index b03a047b..5e6a64b6 100644 > --- a/utils/exportfs/exportfs.c > +++ b/utils/exportfs/exportfs.c > @@ -753,6 +753,8 @@ dump(int verbose, int export_format) > break; > #endif > } > + if (ep->e_priority) > + c = dumpopt(c, "priority=%d", ep->e_priority); > secinfo_show(stdout, ep); > xprtsecinfo_show(stdout, ep); > printf("%c\n", (c != '(')? ')' : ' '); > diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man > index c14769e5..8b436ad5 100644 > --- a/utils/exportfs/exports.man > +++ b/utils/exportfs/exports.man > @@ -100,12 +100,16 @@ entry above) and will match all clients. > .\".B \-\-public\-root > .\"option. Multiple specifications of a public root will be ignored. > .PP > -If a client matches more than one of the specifications above, then > +By default, if a client matches more than one of the specifications above, then > the first match from the above list order takes precedence - regardless of > the order they appear on the export line. However, if a client matches > more than one of the same type of specification (e.g. two netgroups), > then the first match from the order they appear on the export line takes > precedence. > +.PP > +The above list order can be overridden/managed via the use of the > +.IR priority= > +export option (see below) > .SS RPCSEC_GSS security > You may use the special strings "gss/krb5", "gss/krb5i", or "gss/krb5p" > to restrict access to clients using rpcsec_gss security. However, this > @@ -500,6 +504,19 @@ Don't edit or remove the database unless you know > exactly what you're doing. > is useful when you have used > .IR auto-fsidnum > before and don't want further entries stored. > +.TP > +.IR priority= num > +This option allows an export to a client specification to override its default > +mapping order. By default, the precedence order of a match is given in the > +.BR "Machine Name Formats" > +section above. For example, an IP network match will take precedence over > +a wildcard match. To allow the wildcard match to be used instead of the IP > +network match, a > +.IR priority > +of greater than zero is given to the wildcard specification > + > +By default, all exports have a priority of zero. Negative priority settings > +can also be given, which will push the match lower down the precedence order > > > .SS User ID Mapping > -- > 2.40.0 >
Hello, On 6/17/24 3:28 PM, Steve Dickson wrote: > Hello, > > Sorry for the delay. > > On 5/20/24 8:32 AM, James Pearson wrote: >> Patch to override/manage the order of client specification exports >> matches via the use of a priority option >> >> The current client precedence match order is fixed, e.g. an IP subnet >> match will be used before a wildcard match, but with this patch the >> wildcard match can be given a higher priority (positive integer) value >> and will be matched before the subnet match > I can not get this patch to apply I'm getting > $ patch -p1 < /tmp/patch.diff > checking file support/export/auth.c > Hunk #1 FAILED at 175. > Hunk #2 FAILED at 189. > patch: **** malformed patch at line 49: found->m_export.e_priority) > And nothing is applied. > > Now it is a pretty large patch and does change exporting in a > major way.. So I'm not comfortable trying to piece-meal > that patch together, since it would invalid all your testing. ;-) > > Could you please use the "git format-patch" command to > reformat the patch... and/or break it up into a > number of patches, again using that command. Are you still interested in get this committed? It is a fairly large patch so I would like it to apply cleanly so I can test it. steved. > > tia, > > > steved >> >> Signed-off-by: James Pearson <jcpearson@gmail.com> >> --- >> support/export/auth.c | 8 ++++++-- >> support/export/cache.c | 14 ++++++++++++++ >> support/include/nfslib.h | 1 + >> support/nfs/exports.c | 12 ++++++++++++ >> utils/exportfs/exportfs.c | 2 ++ >> utils/exportfs/exports.man | 19 ++++++++++++++++++- >> 6 files changed, 53 insertions(+), 3 deletions(-) >> >> diff --git a/support/export/auth.c b/support/export/auth.c >> index 2d7960f1..3d9e07b5 100644 >> --- a/support/export/auth.c >> +++ b/support/export/auth.c >> @@ -175,7 +175,7 @@ auth_authenticate_newcache(const struct sockaddr >> *caller, >> const char *path, struct addrinfo *ai, >> enum auth_error *error) >> { >> - nfs_export *exp; >> + nfs_export *exp, *found; >> int i; >> >> free(my_client.m_hostname); >> @@ -189,6 +189,7 @@ auth_authenticate_newcache(const struct sockaddr >> *caller, >> my_exp.m_client = &my_client; >> >> exp = NULL; >> + found = NULL; >> for (i = 0; !exp && i < MCL_MAXTYPES; i++) >> for (exp = exportlist[i].p_head; exp; exp = exp- >> >m_next) { >> if (strcmp(path, exp->m_export.e_path)) >> @@ -198,8 +199,11 @@ auth_authenticate_newcache(const struct sockaddr >> *caller, >> if (exp->m_export.e_flags & NFSEXP_V4ROOT) >> /* not acceptable for v[23] export */ >> continue; >> - break; >> + /* we have a match - see if it is a higher >> priority */ >> + if (!found || exp->m_export.e_priority > >> found->m_export.e_priority) >> + found = exp; >> } >> + exp = found; >> *error = not_exported; >> if (!exp) >> return NULL; >> diff --git a/support/export/cache.c b/support/export/cache.c >> index 6c0a44a3..dfb0051b 100644 >> --- a/support/export/cache.c >> +++ b/support/export/cache.c >> @@ -877,6 +877,14 @@ static int nfsd_handle_fh(int f, char *bp, int blen) >> xlog(L_WARNING, "%s and %s have same >> filehandle for %s, using first", >> found_path, path, dom); >> } else { >> + /* same path, see if this one has a >> higher export priority */ >> + if (exp->m_export.e_priority > >> found->e_priority) { >> + found = &exp->m_export; >> + free(found_path); >> + found_path = strdup(path); >> + if (found_path == NULL) >> + goto out; >> + } >> /* same path, if one is V4ROOT, choose >> the other */ >> if (found->e_flags & NFSEXP_V4ROOT) { >> found = &exp->m_export; >> @@ -1178,6 +1186,12 @@ lookup_export(char *dom, char *path, struct >> addrinfo *ai) >> found_type = i; >> continue; >> } >> + /* see if this one has a higher export >> priority */ >> + if (exp->m_export.e_priority > >> found->m_export.e_priority) { >> + found = exp; >> + found_type = i; >> + continue; >> + } >> /* Always prefer non-V4ROOT exports */ >> if (exp->m_export.e_flags & NFSEXP_V4ROOT) >> continue; >> diff --git a/support/include/nfslib.h b/support/include/nfslib.h >> index eff2a486..ab22ecaf 100644 >> --- a/support/include/nfslib.h >> +++ b/support/include/nfslib.h >> @@ -99,6 +99,7 @@ struct exportent { >> unsigned int e_ttl; >> char * e_realpath; >> int e_reexport; >> + int e_priority; >> }; >> >> struct rmtabent { >> diff --git a/support/nfs/exports.c b/support/nfs/exports.c >> index a6816e60..afc139db 100644 >> --- a/support/nfs/exports.c >> +++ b/support/nfs/exports.c >> @@ -106,6 +106,7 @@ static void init_exportent (struct exportent *ee, >> int fromkernel) >> ee->e_uuid = NULL; >> ee->e_ttl = default_ttl; >> ee->e_reexport = REEXP_NONE; >> + ee->e_priority = 0; >> } >> >> struct exportent * >> @@ -374,6 +375,9 @@ putexportent(struct exportent *ep) >> fprintf(fp, "%d,", id[i]); >> } >> fprintf(fp, "anonuid=%d,anongid=%d", ep->e_anonuid, ep- >> >e_anongid); >> + if (ep->e_priority) { >> + fprintf(fp, ",priority=%d", ep->e_priority); >> + } >> secinfo_show(fp, ep); >> xprtsecinfo_show(fp, ep); >> fprintf(fp, ")\n"); >> @@ -834,6 +838,14 @@ bad_option: >> setflags(NFSEXP_FSID, active, ep); >> >> saw_reexport = 1; >> + } else if (strncmp(opt, "priority=", 9) == 0) { >> + char *oe; >> + ep->e_priority = strtol(opt+9, &oe, 10); >> + if (opt[9]=='\0' || *oe != '\0') { >> + xlog(L_ERROR, "%s: %d: bad priority >> \"%s\"\n", >> + flname, flline, opt); >> + goto bad_option; >> + } >> } else { >> xlog(L_ERROR, "%s:%d: unknown keyword \"%s\"\n", >> flname, flline, opt); >> diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c >> index b03a047b..5e6a64b6 100644 >> --- a/utils/exportfs/exportfs.c >> +++ b/utils/exportfs/exportfs.c >> @@ -753,6 +753,8 @@ dump(int verbose, int export_format) >> break; >> #endif >> } >> + if (ep->e_priority) >> + c = dumpopt(c, "priority=%d", ep- >> >e_priority); >> secinfo_show(stdout, ep); >> xprtsecinfo_show(stdout, ep); >> printf("%c\n", (c != '(')? ')' : ' '); >> diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man >> index c14769e5..8b436ad5 100644 >> --- a/utils/exportfs/exports.man >> +++ b/utils/exportfs/exports.man >> @@ -100,12 +100,16 @@ entry above) and will match all clients. >> .\".B \-\-public\-root >> .\"option. Multiple specifications of a public root will be ignored. >> .PP >> -If a client matches more than one of the specifications above, then >> +By default, if a client matches more than one of the specifications >> above, then >> the first match from the above list order takes precedence - >> regardless of >> the order they appear on the export line. However, if a client matches >> more than one of the same type of specification (e.g. two netgroups), >> then the first match from the order they appear on the export line >> takes >> precedence. >> +.PP >> +The above list order can be overridden/managed via the use of the >> +.IR priority= >> +export option (see below) >> .SS RPCSEC_GSS security >> You may use the special strings "gss/krb5", "gss/krb5i", or "gss/krb5p" >> to restrict access to clients using rpcsec_gss security. However, this >> @@ -500,6 +504,19 @@ Don't edit or remove the database unless you know >> exactly what you're doing. >> is useful when you have used >> .IR auto-fsidnum >> before and don't want further entries stored. >> +.TP >> +.IR priority= num >> +This option allows an export to a client specification to override >> its default >> +mapping order. By default, the precedence order of a match is given >> in the >> +.BR "Machine Name Formats" >> +section above. For example, an IP network match will take precedence >> over >> +a wildcard match. To allow the wildcard match to be used instead of >> the IP >> +network match, a >> +.IR priority >> +of greater than zero is given to the wildcard specification >> + >> +By default, all exports have a priority of zero. Negative priority >> settings >> +can also be given, which will push the match lower down the >> precedence order >> >> >> .SS User ID Mapping >> -- >> 2.40.0 >>
diff --git a/support/export/auth.c b/support/export/auth.c index 2d7960f1..3d9e07b5 100644 --- a/support/export/auth.c +++ b/support/export/auth.c @@ -175,7 +175,7 @@ auth_authenticate_newcache(const struct sockaddr *caller, const char *path, struct addrinfo *ai, enum auth_error *error) { - nfs_export *exp; + nfs_export *exp, *found; int i; free(my_client.m_hostname); @@ -189,6 +189,7 @@ auth_authenticate_newcache(const struct sockaddr *caller, my_exp.m_client = &my_client; exp = NULL; + found = NULL; for (i = 0; !exp && i < MCL_MAXTYPES; i++) for (exp = exportlist[i].p_head; exp; exp = exp->m_next) { if (strcmp(path, exp->m_export.e_path)) @@ -198,8 +199,11 @@ auth_authenticate_newcache(const struct sockaddr *caller, if (exp->m_export.e_flags & NFSEXP_V4ROOT) /* not acceptable for v[23] export */ continue; - break; + /* we have a match - see if it is a higher priority */ + if (!found || exp->m_export.e_priority > found->m_export.e_priority) + found = exp; } + exp = found; *error = not_exported; if (!exp) return NULL; diff --git a/support/export/cache.c b/support/export/cache.c index 6c0a44a3..dfb0051b 100644 --- a/support/export/cache.c +++ b/support/export/cache.c @@ -877,6 +877,14 @@ static int nfsd_handle_fh(int f, char *bp, int blen) xlog(L_WARNING, "%s and %s have same filehandle for %s, using first", found_path, path, dom); } else { + /* same path, see if this one has a higher export priority */ + if (exp->m_export.e_priority > found->e_priority) { + found = &exp->m_export; + free(found_path); + found_path = strdup(path); + if (found_path == NULL) + goto out; + } /* same path, if one is V4ROOT, choose the other */ if (found->e_flags & NFSEXP_V4ROOT) { found = &exp->m_export; @@ -1178,6 +1186,12 @@ lookup_export(char *dom, char *path, struct addrinfo *ai) found_type = i; continue; } + /* see if this one has a higher export priority */ + if (exp->m_export.e_priority > found->m_export.e_priority) { + found = exp; + found_type = i; + continue; + } /* Always prefer non-V4ROOT exports */ if (exp->m_export.e_flags & NFSEXP_V4ROOT) continue; diff --git a/support/include/nfslib.h b/support/include/nfslib.h index eff2a486..ab22ecaf 100644 --- a/support/include/nfslib.h +++ b/support/include/nfslib.h @@ -99,6 +99,7 @@ struct exportent { unsigned int e_ttl; char * e_realpath; int e_reexport; + int e_priority; }; struct rmtabent { diff --git a/support/nfs/exports.c b/support/nfs/exports.c index a6816e60..afc139db 100644 --- a/support/nfs/exports.c +++ b/support/nfs/exports.c @@ -106,6 +106,7 @@ static void init_exportent (struct exportent *ee, int fromkernel) ee->e_uuid = NULL; ee->e_ttl = default_ttl; ee->e_reexport = REEXP_NONE; + ee->e_priority = 0; } struct exportent * @@ -374,6 +375,9 @@ putexportent(struct exportent *ep) fprintf(fp, "%d,", id[i]); } fprintf(fp, "anonuid=%d,anongid=%d", ep->e_anonuid, ep->e_anongid); + if (ep->e_priority) { + fprintf(fp, ",priority=%d", ep->e_priority); + } secinfo_show(fp, ep); xprtsecinfo_show(fp, ep); fprintf(fp, ")\n"); @@ -834,6 +838,14 @@ bad_option: setflags(NFSEXP_FSID, active, ep); saw_reexport = 1; + } else if (strncmp(opt, "priority=", 9) == 0) { + char *oe; + ep->e_priority = strtol(opt+9, &oe, 10); + if (opt[9]=='\0' || *oe != '\0') { + xlog(L_ERROR, "%s: %d: bad priority \"%s\"\n", + flname, flline, opt); + goto bad_option; + } } else { xlog(L_ERROR, "%s:%d: unknown keyword \"%s\"\n", flname, flline, opt); diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c index b03a047b..5e6a64b6 100644 --- a/utils/exportfs/exportfs.c +++ b/utils/exportfs/exportfs.c @@ -753,6 +753,8 @@ dump(int verbose, int export_format) break; #endif } + if (ep->e_priority) + c = dumpopt(c, "priority=%d", ep->e_priority); secinfo_show(stdout, ep); xprtsecinfo_show(stdout, ep); printf("%c\n", (c != '(')? ')' : ' '); diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man index c14769e5..8b436ad5 100644 --- a/utils/exportfs/exports.man +++ b/utils/exportfs/exports.man @@ -100,12 +100,16 @@ entry above) and will match all clients. .\".B \-\-public\-root .\"option. Multiple specifications of a public root will be ignored. .PP -If a client matches more than one of the specifications above, then +By default, if a client matches more than one of the specifications above, then the first match from the above list order takes precedence - regardless of the order they appear on the export line. However, if a client matches more than one of the same type of specification (e.g. two netgroups), then the first match from the order they appear on the export line takes precedence. +.PP +The above list order can be overridden/managed via the use of the +.IR priority= +export option (see below) .SS RPCSEC_GSS security You may use the special strings "gss/krb5", "gss/krb5i", or "gss/krb5p" to restrict access to clients using rpcsec_gss security. However, this @@ -500,6 +504,19 @@ Don't edit or remove the database unless you know exactly what you're doing. is useful when you have used .IR auto-fsidnum before and don't want further entries stored. +.TP +.IR priority= num +This option allows an export to a client specification to override its default +mapping order. By default, the precedence order of a match is given in the +.BR "Machine Name Formats" +section above. For example, an IP network match will take precedence over +a wildcard match. To allow the wildcard match to be used instead of the IP +network match, a +.IR priority +of greater than zero is given to the wildcard specification + +By default, all exports have a priority of zero. Negative priority settings +can also be given, which will push the match lower down the precedence order
Patch to override/manage the order of client specification exports matches via the use of a priority option The current client precedence match order is fixed, e.g. an IP subnet match will be used before a wildcard match, but with this patch the wildcard match can be given a higher priority (positive integer) value and will be matched before the subnet match Signed-off-by: James Pearson <jcpearson@gmail.com> --- support/export/auth.c | 8 ++++++-- support/export/cache.c | 14 ++++++++++++++ support/include/nfslib.h | 1 + support/nfs/exports.c | 12 ++++++++++++ utils/exportfs/exportfs.c | 2 ++ utils/exportfs/exports.man | 19 ++++++++++++++++++- 6 files changed, 53 insertions(+), 3 deletions(-) .SS User ID Mapping -- 2.40.0