/* $NetBSD: svc.h,v 1.17 2000/06/02 22:57:56 fvdl Exp $ */
/*-
* SPDX-License-Identifier: BSD-3-Clause
*
* Copyright (c) 2009, Sun Microsystems, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* - Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* - Neither the name of Sun Microsystems, Inc. nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* from: @(#)svc.h 1.35 88/12/17 SMI
* from: @(#)svc.h 1.27 94/04/25 SMI
* $FreeBSD$
*/
/*
* svc.h, Server-side remote procedure call interface.
*
* Copyright (C) 1986-1993 by Sun Microsystems, Inc.
*/
#ifndef _RPC_SVC_H
#define _RPC_SVC_H
#include <sys/cdefs.h>
#ifdef _KERNEL
#include <sys/queue.h>
#include <sys/_lock.h>
#include <sys/_mutex.h>
#include <sys/_sx.h>
#include <sys/condvar.h>
#include <sys/sysctl.h>
#endif
/*
* This interface must manage two items concerning remote procedure calling:
*
* 1) An arbitrary number of transport connections upon which rpc requests
* are received. The two most notable transports are TCP and UDP; they are
* created and registered by routines in svc_tcp.c and svc_udp.c, respectively;
* they in turn call xprt_register and xprt_unregister.
*
* 2) An arbitrary number of locally registered services. Services are
* described by the following four data: program number, version number,
* "service dispatch" function, a transport handle, and a boolean that
* indicates whether or not the exported program should be registered with a
* local binder service; if true the program's number and version and the
* port number from the transport handle are registered with the binder.
* These data are registered with the rpc svc system via svc_register.
*
* A service's dispatch function is called whenever an rpc request comes in
* on a transport. The request's program and version numbers must match
* those of the registered service. The dispatch function is passed two
* parameters, struct svc_req * and SVCXPRT *, defined below.
*/
/*
 * Service control requests
 *
 * Request codes for the per-transport control entry point, xp_control
 * (struct xp_ops).  Each GET/SET pair addresses one per-transport
 * setting; the meaning is implied by the name and should be confirmed
 * against the transport implementations:
 *   VERSQUIET  - presumably controls whether a version-mismatch reply
 *                is sent quietly.
 *   CONNMAXREC - presumably the maximum record size accepted on a
 *                connection, i.e. an upper bound on how much a single
 *                client request may make the server buffer.
 */
#define SVCGET_VERSQUIET 1
#define SVCSET_VERSQUIET 2
#define SVCGET_CONNMAXREC 3
#define SVCSET_CONNMAXREC 4

/*
 * Operations for rpc_control().
 */
#define RPC_SVC_CONNMAXREC_SET 0 /* set max rec size, enable nonblock */
#define RPC_SVC_CONNMAXREC_GET 1 /* read back the current max rec size (NOTE(review): inferred from the name) */
/*
 * Transport status as reported by a transport's xp_stat operation
 * (struct xp_ops).  The names carry the intended meaning; the exact
 * conditions under which each is reported are decided by the transport
 * code (svc_tcp.c / svc_udp.c per the overview comment above), so
 * confirm there before relying on a finer distinction.
 */
enum xprt_stat {
	XPRT_DIED,	/* transport is no longer usable */
	XPRT_MOREREQS,	/* further requests are already waiting on this transport */
	XPRT_IDLE	/* nothing more to read at the moment */
};
struct __rpc_svcxprt;
struct mbuf;
/*
 * Transport operation vector.  Each transport implementation supplies
 * one of these and the server-side handle (struct __rpc_svcxprt) refers
 * to it through its xp_ops member.  Two layouts exist:
 *
 *   - In the kernel the request body is carried as an mbuf chain and the
 *     peer address is returned alongside it; xp_control is part of this
 *     vector.
 *   - In userland the request arguments are decoded and released through
 *     XDR (xp_getargs / xp_freeargs), and xp_control lives in the
 *     separate struct xp_ops2.
 *
 * Data produced by xp_recv comes straight off the transport and must be
 * treated as untrusted input by whoever consumes the rpc_msg / arguments.
 */
struct xp_ops {
#ifdef _KERNEL
	/* receive incoming requests */
	/*
	 * On success the rpc_msg header is filled in and the caller receives
	 * the peer's address and the mbuf chain holding the rest of the
	 * request (both handed back through the double pointers; ownership of
	 * the mbuf chain presumably passes to the caller - confirm).
	 */
	bool_t (*xp_recv)(struct __rpc_svcxprt *, struct rpc_msg *,
	    struct sockaddr **, struct mbuf **);
	/* get transport status */
	enum xprt_stat (*xp_stat)(struct __rpc_svcxprt *);
	/* get transport acknowledge sequence */
	/* Writes a 32-bit sequence value through the out pointer; its exact
	 * meaning is transport-specific - see the transport implementation. */
	bool_t (*xp_ack)(struct __rpc_svcxprt *, uint32_t *);
	/* send reply */
	/* Sends the reply message and mbuf payload to the given address; the
	 * trailing uint32_t * appears to pair with xp_ack's sequence value. */
	bool_t (*xp_reply)(struct __rpc_svcxprt *, struct rpc_msg *,
	    struct sockaddr *, struct mbuf *, uint32_t *);
	/* destroy this struct */
	void (*xp_destroy)(struct __rpc_svcxprt *);
	/* catch-all function */
	/* Takes a request code (such as the SVCGET_/SVCSET_ values) and an
	 * opaque argument whose type depends on the request. */
	bool_t (*xp_control)(struct __rpc_svcxprt *, const u_int, void *);
#else
	/* receive incoming requests */
	bool_t (*xp_recv)(struct __rpc_svcxprt *, struct rpc_msg *);
	/* get transport status */
	enum xprt_stat (*xp_stat)(struct __rpc_svcxprt *);
	/* get arguments */
	/* Decodes the request arguments with the supplied XDR routine into
	 * the caller-provided buffer. */
	bool_t (*xp_getargs)(struct __rpc_svcxprt *, xdrproc_t, void *);
	/* send reply */
	bool_t (*xp_reply)(struct __rpc_svcxprt *, struct rpc_msg *);
	/* free mem allocated for args */
	/* Counterpart of xp_getargs: releases whatever the XDR decode allocated. */
	bool_t (*xp_freeargs)(struct __rpc_svcxprt *, xdrproc_t, void *);
	/* destroy this struct */
	void (*xp_destroy)(struct __rpc_svcxprt *);
#endif
};
#ifndef _KERNEL
/*
 * Userland-only companion to struct xp_ops.  In the kernel build
 * xp_control is a member of struct xp_ops itself; userland keeps it in
 * this separate vector, presumably so that the original struct xp_ops
 * layout stays unchanged for existing transports - confirm against the
 * userland transport code.
 */
struct xp_ops2 {
	/* catch-all function */
	/* Takes a request code (such as the SVCGET_/SVCSET_ values) and an
	 * opaque argument whose type depends on the request. */
	bool_t (*xp_control)(struct __rpc_svcxprt *, const u_int, void *);
};
#endif
#ifdef _KERNEL
struct __rpc_svcpool;
struct __rpc_svcgroup;
struct __rpc_svcthread;
#endif
/*
* Server side transport handle. In the kernel, transports have a
* reference count which tracks the number of currently assigned
* worker threads plus one for the service pool's reference.
* For NFSv4.1 sessions, a reference is also held for a backchannel.
*/
typedef struct __rpc_svcxprt {
#ifdef _KERNEL
volatile u_int xp_refs;
struct sx xp_lock;
struct __rpc_svcpool *xp_pool; /* owning pool (see below) */
struct __rpc_svcgroup *xp_group; /* owning group (see below) */
TAILQ_ENTRY(__rpc_svcxprt) xp_link;
TAILQ_ENTRY(__rpc_svcxprt) xp_alink;
bool_t xp_registered; /* xprt_register has been called */
bool_t xp_active; /* xprt_active has been called */
struct __rpc_svcthread *xp_thread; /* assigned service thread */
struct socket* xp_socket;
const struct xp_ops *xp_ops;
char *xp_netid; /* network token */
struct sockaddr_storage xp_ltaddr; /* local transport address */
struct sockaddr_storage xp_rtaddr; /* remote transport address */
void *xp_p1; /* private: for use by svc ops */
void *xp_p2; /* private: for use by svc ops */
void *xp_p3; /* private: for use by svc lib */
int xp_type; /* transport type */
int xp_idletimeout; /* idle time before closing */
time_t xp_lastactive; /* time of last RPC */
u_int64_t xp_sockref; /* set by nfsv4 to identify socket */
int xp_upcallset; /* socket upcall is set up */
uint32_t xp_snd_cnt; /* # of bytes to send to socket */
uint32_t xp_snt_cnt; /* # of bytes sent to socket */
Add TLS support to the kernel RPC.
An internet draft titled "Towards Remote Procedure Call Encryption By Default"
describes how TLS is to be used for Sun RPC, with NFS as an intended use case.
This patch adds client and server support for this to the kernel RPC,
using KERN_TLS and upcalls to daemons for the handshake, peer reset and
other non-application data record cases.
The upcalls to the daemons use three fields to uniquely identify the
TCP connection. They are the time.tv_sec, time.tv_usec of the connection
establishment, plus a 64-bit sequence number. The time fields avoid problems
with re-use of the sequence number after a daemon restart.
For the server side, once a Null RPC with AUTH_TLS is received, kernel
reception on the socket is blocked and an upcall to the rpctlssd(8) daemon
is done to perform the TLS handshake. Upon completion, the completion
status of the handshake is stored in xp_tls as flag bits and the reply to
the Null RPC is sent.
For the client, if CLSET_TLS has been set, a new TCP connection will
send the Null RPC with AUTH_TLS to initiate the handshake. The client
kernel RPC code will then block kernel I/O on the socket and do an upcall
to the rpctlscd(8) daemon to perform the handshake.
If the upcall is successful, ct_rcvstate will be maintained to indicate
if/when an upcall is being done.
If non-application data records are received, the code does an upcall to
the appropriate daemon, which will do a SSL_read() of 0 length to handle
the record(s).
When the socket is being shut down, upcalls are done to the daemons, so
that they can perform SSL_shutdown() calls to perform the "peer reset".
The rpctlssd(8) and rpctlscd(8) daemons require a patched version of the
openssl library and, as such, will not be committed to head at this time.
Although the changes done by this patch are fairly numerous, there should
be no semantics change to the kernel RPC at this time.
A future commit to the NFS code will optionally enable use of TLS for NFS.
bool_t xp_dontrcv; /* Do not receive on the socket */
uint32_t xp_tls; /* RPC-over-TLS on socket */
uint64_t xp_sslsec; /* Userland SSL * */
uint64_t xp_sslusec;
uint64_t xp_sslrefno;
int xp_ngrps; /* Cred. from TLS cert. */
uid_t xp_uid;
gid_t *xp_gidp;
#else
int xp_fd;
u_short xp_port; /* associated port number */
const struct xp_ops *xp_ops;
int xp_addrlen; /* length of remote address */
struct sockaddr_in xp_raddr; /* remote addr. (backward ABI compat) */
/* XXX - fvdl stick this here for ABI backward compat reasons */
const struct xp_ops2 *xp_ops2;
char *xp_tp; /* transport provider device name */
char *xp_netid; /* network token */
struct netbuf xp_ltaddr; /* local transport address */
struct netbuf xp_rtaddr; /* remote transport address */
struct opaque_auth xp_verf; /* raw response verifier */
void *xp_p1; /* private: for use by svc ops */
void *xp_p2; /* private: for use by svc ops */
void *xp_p3; /* private: for use by svc lib */
int xp_type; /* transport type */
#endif
} SVCXPRT;
/*
 * Interface to server-side authentication flavors.
 *
 * Each flavor supplies a table of operations (svc_ah_ops) and keeps its
 * own state behind the opaque svc_ah_private pointer; the containing
 * SVCAUTH is passed back to every operation so it can reach that state.
 * The kernel build operates on mbuf chains, the userland build on an XDR
 * stream plus the XDR routine and object to (un)wrap.  What "wrap" and
 * "unwrap" do is flavor-defined (presumably the outgoing/incoming body
 * transforms of the flavor, e.g. integrity/privacy for RPCSEC_GSS);
 * return-value conventions are not visible here — confirm against the
 * flavor implementations.
 */
typedef struct __rpc_svcauth {
	struct svc_auth_ops {
#ifdef _KERNEL
		/* Transform the body held in the mbuf chain on the way out. */
		int (*svc_ah_wrap)(struct __rpc_svcauth *, struct mbuf **);
		/* Transform/verify the body held in the mbuf chain on the way in. */
		int (*svc_ah_unwrap)(struct __rpc_svcauth *, struct mbuf **);
		/* Drop the flavor's private state (kernel only). */
		void (*svc_ah_release)(struct __rpc_svcauth *);
#else
		/* Userland: operate on the XDR stream, given the object's XDR routine. */
		int (*svc_ah_wrap)(struct __rpc_svcauth *, XDR *,
		    xdrproc_t, caddr_t);
		int (*svc_ah_unwrap)(struct __rpc_svcauth *, XDR *,
		    xdrproc_t, caddr_t);
#endif
	} *svc_ah_ops;			/* per-flavor operations table */
	void *svc_ah_private;		/* opaque per-flavor state */
} SVCAUTH;
/*
 * Server transport extensions (accessed via xp_p3).
 *
 * SVCXPRT reserves xp_p3 as "private: for use by svc lib"; this is the
 * structure the library keeps there.
 */
typedef struct __rpc_svcxprt_ext {
	int xp_flags;			/* versquiet (flag values not visible here) */
	SVCAUTH xp_auth;		/* interface to auth methods */
} SVCXPRT_EXT;
#ifdef _KERNEL
/*
 * The services list
 * Each entry represents a set of procedures (an rpc program).
 * The dispatch routine takes request structs and runs the
 * appropriate procedure.
 *
 * An entry carries the program number, version and netid it serves;
 * the dispatch routine receives the decoded request together with the
 * transport it arrived on.
 */
struct svc_callout {
	TAILQ_ENTRY(svc_callout) sc_link;	/* linkage on svc_callout_list */
	rpcprog_t sc_prog;			/* RPC program number */
	rpcvers_t sc_vers;			/* RPC program version */
	char *sc_netid;				/* netid served (NULL semantics not visible here) */
	void (*sc_dispatch)(struct svc_req *, SVCXPRT *);	/* runs the requested procedure */
};
TAILQ_HEAD(svc_callout_list, svc_callout);	/* registered services, linked via sc_link */
/*
 * The services connection loss list
 * Each entry is a callback run with the transport whose connection was
 * lost; unlike svc_callout there is no request to dispatch, only the
 * transport.
 */
struct svc_loss_callout {
	TAILQ_ENTRY(svc_loss_callout) slc_link;	/* linkage on svc_loss_callout_list */
	void (*slc_dispatch)(SVCXPRT *);	/* notified with the affected transport */
};
TAILQ_HEAD(svc_loss_callout_list, svc_loss_callout);	/* connection-loss callbacks, linked via slc_link */
/*
 * Service request
 *
 * One decoded RPC call as handed to a service thread.  rq_xid, rq_prog,
 * rq_vers, rq_proc, rq_args and rq_cred are taken from the wire and are
 * attacker-controlled until the authentication flavor (rq_auth) has
 * processed them; rq_clntcred is the cooked credential (presumably
 * produced by that flavor — confirm), rq_verf is what goes back in the
 * reply.
 */
struct svc_req {
	STAILQ_ENTRY(svc_req) rq_link;	/* list of requests for a thread */
	struct __rpc_svcthread *rq_thread;	/* thread which is to execute this */
	uint32_t rq_xid;		/* RPC transaction ID (from the wire) */
	uint32_t rq_prog;		/* service program number (from the wire) */
	uint32_t rq_vers;		/* service protocol version (from the wire) */
	uint32_t rq_proc;		/* the desired procedure (from the wire) */
	size_t rq_size;			/* space used by request */
	struct mbuf *rq_args;		/* XDR-encoded procedure arguments */
	struct opaque_auth rq_cred;	/* raw creds from the wire */
	struct opaque_auth rq_verf;	/* verifier for the reply */
	void *rq_clntcred;		/* read only cooked cred */
	SVCAUTH rq_auth;		/* interface to auth methods */
	SVCXPRT *rq_xprt;		/* associated transport */
	struct sockaddr *rq_addr;	/* reply address or NULL if connected */
	void *rq_p1;			/* application workspace */
	int rq_p2;			/* application workspace */
	uint64_t rq_p3;			/* application workspace */
	uint32_t rq_reply_seq;		/* reply socket sequence # */
	/* Backing storage; presumably holds the bodies behind rq_cred/rq_verf — confirm. */
	char rq_credarea[3*MAX_AUTH_BYTES];
};
STAILQ_HEAD(svc_reqlist, svc_req);	/* per-thread request queue, linked via rq_link */
/*
 * Address of the caller of request rq: the per-request reply address
 * when one was recorded (rq_addr), otherwise — rq_addr is NULL on a
 * connected transport — the remote address stored in the associated
 * transport.  Evaluates rq more than once and dereferences rq_xprt when
 * rq_addr is NULL, so rq must be side-effect free and rq_xprt valid.
 */
#define svc_getrpccaller(rq) \
	((rq)->rq_addr ? (rq)->rq_addr : \
	    (struct sockaddr *) &(rq)->rq_xprt->xp_rtaddr)
/*
 * This structure is used to manage a thread which is executing
 * requests from a service pool. A service thread is in one of three
 * states:
 *
 * SVCTHREAD_SLEEPING waiting for a request to process
 * SVCTHREAD_ACTIVE processing a request
 * SVCTHREAD_EXITING exiting after finishing current request
 *
 * Threads which have no work to process sleep on the pool's sp_active
 * list. When a transport becomes active, it is assigned a service
 * thread to read and execute pending RPCs.
 *
 * NOTE(review): no state field appears in the struct, and the idle
 * thread list declared in this file is SVCGROUP's sg_idlethreads rather
 * than a pool "sp_active" list — the paragraph above may be stale;
 * confirm against the pool implementation.
 */
typedef struct __rpc_svcthread {
	struct mtx_padalign st_lock;	/* protects st_reqs field */
	struct __rpc_svcpool *st_pool;	/* pool this thread serves */
	SVCXPRT *st_xprt;		/* transport we are processing */
	struct svc_reqlist st_reqs;	/* RPC requests to execute */
	struct cv st_cond;		/* sleeping for work */
	LIST_ENTRY(__rpc_svcthread) st_ilink;	/* idle threads list */
	LIST_ENTRY(__rpc_svcthread) st_alink;	/* application thread list */
	int st_p2;			/* application workspace */
	uint64_t st_p3;			/* application workspace */
} SVCTHREAD;
LIST_HEAD(svcthread_list, __rpc_svcthread);	/* list type used for the idle/application thread lists */
/*
 * A thread group contains all the information needed to assign a subset
 * of transports to a subset of threads.  On systems with many CPUs and
 * many threads this reduces lock contention and improves performance:
 * hundreds of threads on dozens of CPUs sharing the single pool lock do
 * not scale well otherwise.
 */
TAILQ_HEAD(svcxprt_list, __rpc_svcxprt);	/* list type for a group's transports */
/*
 * Lifecycle states of a service group (held in SVCGROUP.sg_state),
 * from before svc_run is called until svc_exit shuts it down.
 */
enum svcpool_state {
	SVCPOOL_INIT,		/* svc_run not called yet */
	SVCPOOL_ACTIVE,		/* normal running state */
	SVCPOOL_THREADWANTED,	/* new service thread requested */
	SVCPOOL_THREADSTARTING,	/* new service thread started */
	SVCPOOL_CLOSING		/* svc_exit called */
};
/*
 * One thread group: the transports it owns, the threads that serve
 * them and the thread-count policy, all under sg_lock.
 */
typedef struct __rpc_svcgroup {
	struct mtx_padalign sg_lock;	/* protect the thread/req lists */
	struct __rpc_svcpool *sg_pool;	/* owning pool */
	enum svcpool_state sg_state;	/* current pool state */
	struct svcxprt_list sg_xlist;	/* all transports in the group */
	struct svcxprt_list sg_active;	/* transports needing service */
	struct svcthread_list sg_idlethreads;	/* idle service threads */

	int sg_minthreads;		/* minimum service thread count */
	int sg_maxthreads;		/* maximum service thread count */
	int sg_threadcount;		/* current service thread count */
	time_t sg_lastcreatetime;	/* when we last started a thread */
	time_t sg_lastidlecheck;	/* when we last checked idle transports */
} SVCGROUP;
/*
 * In the kernel, we can't use global variables to store lists of
 * transports etc., since otherwise we could not have two unrelated RPC
 * services running, each on its own thread.  We solve this by
 * importing a tiny part of a Solaris kernel concept, SVCPOOL.
 *
 * A service pool contains a set of transports and service callbacks
 * for a set of related RPC services.  The pool handle should be passed
 * when creating new transports etc.  Future work may include extending
 * this to support something similar to the Solaris multi-threaded RPC
 * server.
 */
/*
 * Pool callbacks.  pool_assign_fn is called with the current thread and
 * a request and returns a SVCTHREAD (presumably the one that should
 * execute the request; what a NULL return means is not visible here);
 * pool_done_fn is presumably its counterpart once the request is
 * finished — confirm both against the pool implementation.
 */
typedef SVCTHREAD *pool_assign_fn(SVCTHREAD *, struct svc_req *);
typedef void pool_done_fn(SVCTHREAD *, struct svc_req *);
/* Upper bound on thread groups per pool (presumed from the name — confirm). */
#define SVC_MAXGROUPS 16
/*
 * A service pool: the transports, service threads and (prog,vers)
 * dispatch entries driven by one svc_run() instance.  Only sp_lock's
 * coverage is stated by the code itself; other locking is not
 * documented here.
 */
typedef struct __rpc_svcpool {
	struct mtx_padalign sp_lock;	/* protect the transport lists */
	const char	*sp_name;	/* pool name (e.g. "nfsd", "NLM") */
	enum svcpool_state sp_state;	/* current pool state */
	struct proc	*sp_proc;	/* process which is in svc_run */
	struct svc_callout_list sp_callouts; /* (prog,vers)->dispatch list */
	struct svc_loss_callout_list sp_lcallouts; /* loss->dispatch list */
	int		sp_minthreads;	/* minimum service thread count */
	int		sp_maxthreads;	/* maximum service thread count */

	/*
	 * Hooks to allow an application to control request to thread
	 * placement.
	 */
	pool_assign_fn	*sp_assign;
	pool_done_fn	*sp_done;

	/*
	 * These variables are used to put an upper bound on the
	 * amount of memory used by RPC requests which are queued
	 * waiting for execution.
	 *
	 * History (see FreeBSD review D2165): the queued-request limit
	 * was originally min(nmbclusters * MCLBYTES / 4, 45 MiB).  The
	 * 45 MiB cap was removed, and removing it exposed integer
	 * overflow and signedness bugs in the limit computation and in
	 * the per-request accounting, so these counters were widened
	 * to unsigned long.  Explicit 64-bit types were avoided because
	 * many 32-bit platforms lack 64-bit atomics; those platforms
	 * cannot configure nmbclusters large enough to overflow a long.
	 * Accounting for completed requests is no longer deferred until
	 * a queue drains, which avoided accumulate-throttle-drain
	 * livelock on busy servers.  When the throttle is engaged the
	 * RPC layer stops servicing incoming sockets entirely, which is
	 * a blunt instrument: it stalls every client, not just heavy
	 * ones.
	 */
	unsigned long	sp_space_low;	/* presumably the low-water mark at which throttling ends -- confirm in svc.c */
	unsigned long	sp_space_high;	/* presumably the high-water mark at which throttling starts -- confirm in svc.c */
	unsigned long	sp_space_used;	/* bytes of requests currently queued for service threads */
	unsigned long	sp_space_used_highest;	/* peak value of sp_space_used observed */
	bool_t		sp_space_throttled;	/* TRUE while the throttle is engaged */
	int		sp_space_throttle_count;	/* number of times the throttle has engaged (statistics) */

	struct replay_cache *sp_rcache; /* optional replay cache */
	struct sysctl_ctx_list sp_sysctl;	/* sysctl context owning this pool's nodes */

	int		sp_groupcount;	/* Number of groups in the pool. */
	int		sp_nextgroup;	/* Next group to assign port. */
	SVCGROUP	sp_groups[SVC_MAXGROUPS]; /* Thread/port groups. */
} SVCPOOL;
Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager. I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.
The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.
To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.
As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.
Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.
The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.
Sponsored by: Isilon Systems
MFC after: 1 month
2008-11-03 10:38:00 +00:00
#else
|
2008-03-26 15:23:12 +00:00
|
|
|
|
|
|
|
/*
 * Service request (non-_KERNEL definition; the kernel variant is in
 * the #ifdef branch above, outside this excerpt).
 *
 * rq_cred holds the credential bytes exactly as they arrived on the
 * wire.  Nothing about this field implies it has been validated; the
 * authentication flavour's handler is what fills in rq_clntcred.
 */
struct svc_req {
	uint32_t	rq_prog;	/* service program number */
	uint32_t	rq_vers;	/* service protocol version */
	uint32_t	rq_proc;	/* the desired procedure */
	struct opaque_auth rq_cred;	/* raw creds from the wire */
	void		*rq_clntcred;	/* read only cooked cred */
	SVCXPRT		*rq_xprt;	/* associated transport */
};
/*
 * Approved way of getting address of caller
 *
 * Yields a pointer to the transport's xp_rtaddr member (the remote
 * address recorded on the transport) rather than a copy; the pointer
 * is only valid while the transport is.
 */
#define svc_getrpccaller(x) (&(x)->xp_rtaddr)
#endif
/*
 * Operations defined on an SVCXPRT handle
 *
 * SVCXPRT		*xprt;
 * struct rpc_msg	*msg;
 * xdrproc_t		 xargs;
 * void *		 argsp;
 */
#ifdef _KERNEL
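/*
 * Reference counting on a kernel transport.
 *
 * SVC_ACQUIRE takes one reference on xprt->xp_refs.  SVC_RELEASE drops
 * one and, when refcount_release() reports the count reached zero,
 * destroys the transport via SVC_DESTROY.  SVC_RELEASE is wrapped in
 * do { } while (0) so that it is exactly one statement: the previous
 * bare `if' form silently captured a following `else' when written as
 * `if (c) SVC_RELEASE(x); else ...'.
 */
#define SVC_ACQUIRE(xprt) \
	refcount_acquire(&(xprt)->xp_refs)

#define SVC_RELEASE(xprt) do { \
	if (refcount_release(&(xprt)->xp_refs)) \
		SVC_DESTROY(xprt); \
} while (0)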
/*
 * Kernel-side transport operations.  Each macro forwards to the
 * transport's xp_ops vector.  Note that the kernel SVC_RECV takes two
 * more parameters (addr, args) than the userland SVC_RECV further
 * down; the two are not interchangeable.
 */
#define SVC_RECV(xprt, msg, addr, args) \
	(*(xprt)->xp_ops->xp_recv)((xprt), (msg), (addr), (args))

#define SVC_STAT(xprt) \
	(*(xprt)->xp_ops->xp_stat)(xprt)
/*
 * Ask the transport to acknowledge a request.  The result is, in
 * order: FALSE if the transport has no xp_ack method; TRUE if it has
 * one but `ack' is NULL (the method is not called); otherwise whatever
 * the xp_ack method returns.  `xprt' is evaluated more than once.
 */
#define SVC_ACK(xprt, ack) \
	((xprt)->xp_ops->xp_ack == NULL ? FALSE : \
	((ack) == NULL ? TRUE : (*(xprt)->xp_ops->xp_ack)((xprt), (ack))))
/*
 * Send a reply through the transport's xp_reply method.  The kernel
 * variant passes the destination address, a reply buffer `m' and a
 * sequence value `seq' in addition to the message; the userland
 * SVC_REPLY below takes only (xprt, msg).
 */
#define SVC_REPLY(xprt, msg, addr, m, seq) \
	(*(xprt)->xp_ops->xp_reply) ((xprt), (msg), (addr), (m), (seq))
/*
 * Tear down a kernel transport via its xp_destroy method.  SVC_RELEASE
 * above invokes this once the transport's reference count drops to
 * zero; calling it directly bypasses that accounting.
 */
#define SVC_DESTROY(xprt) \
	(*(xprt)->xp_ops->xp_destroy)(xprt)

/* Transport-specific control operation (see xp_control for the request codes). */
#define SVC_CONTROL(xprt, rq, in) \
	(*(xprt)->xp_ops->xp_control)((xprt), (rq), (in))
#else
/*
 * Userland transport operations.  Each upper-case macro forwards to
 * the transport's xp_ops vector; the lower-case spellings expand to
 * exactly the same thing and exist for older callers.  SVC_CONTROL is
 * the one exception: it dereferences xp_ops2 rather than xp_ops, and
 * has no lower-case alias.
 */
#define SVC_RECV(xprt, msg) \
	(*(xprt)->xp_ops->xp_recv)((xprt), (msg))
#define svc_recv(xprt, msg) \
	(*(xprt)->xp_ops->xp_recv)((xprt), (msg))

#define SVC_STAT(xprt) \
	(*(xprt)->xp_ops->xp_stat)(xprt)
#define svc_stat(xprt) \
	(*(xprt)->xp_ops->xp_stat)(xprt)

/* Decode the request arguments with xargs into the storage at argsp. */
#define SVC_GETARGS(xprt, xargs, argsp) \
	(*(xprt)->xp_ops->xp_getargs)((xprt), (xargs), (argsp))
#define svc_getargs(xprt, xargs, argsp) \
	(*(xprt)->xp_ops->xp_getargs)((xprt), (xargs), (argsp))

#define SVC_REPLY(xprt, msg) \
	(*(xprt)->xp_ops->xp_reply) ((xprt), (msg))
#define svc_reply(xprt, msg) \
	(*(xprt)->xp_ops->xp_reply) ((xprt), (msg))

/* Release whatever SVC_GETARGS allocated for argsp; pair every getargs with one. */
#define SVC_FREEARGS(xprt, xargs, argsp) \
	(*(xprt)->xp_ops->xp_freeargs)((xprt), (xargs), (argsp))
#define svc_freeargs(xprt, xargs, argsp) \
	(*(xprt)->xp_ops->xp_freeargs)((xprt), (xargs), (argsp))

#define SVC_DESTROY(xprt) \
	(*(xprt)->xp_ops->xp_destroy)(xprt)
#define svc_destroy(xprt) \
	(*(xprt)->xp_ops->xp_destroy)(xprt)

#define SVC_CONTROL(xprt, rq, in) \
	(*(xprt)->xp_ops2->xp_control)((xprt), (rq), (in))
#endif
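/*
 * Per-transport extension record hung off the transport's xp_p3
 * pointer.  The parameter is parenthesised so that the cast applies to
 * the whole member access even when the argument is an expression
 * (SVC_EXT(p + 1), SVC_EXT(c ? a : b)); the earlier form
 * `(SVCXPRT_EXT *) xprt->xp_p3' broke for such arguments.
 */
#define SVC_EXT(xprt) \
	((SVCXPRT_EXT *)(xprt)->xp_p3)

/* Authentication handle kept in the transport's extension record. */
#define SVC_AUTH(xprt) \
	(SVC_EXT(xprt)->xp_auth)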
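/*
 * Operations defined on an SVCAUTH handle
 *
 * The kernel flavour passes a single `mp' argument; the userland
 * flavour drives an XDR stream (xdrs, xfunc, xwhere).  All arguments
 * are now parenthesised so callers may pass arbitrary expressions.
 * `auth' is still evaluated twice (once to reach svc_ah_ops and once
 * as the method's first argument), exactly as before, so it must not
 * have side effects.  There is no userland SVCAUTH_RELEASE.
 */
#ifdef _KERNEL
#define SVCAUTH_WRAP(auth, mp) \
	((auth)->svc_ah_ops->svc_ah_wrap((auth), (mp)))
#define SVCAUTH_UNWRAP(auth, mp) \
	((auth)->svc_ah_ops->svc_ah_unwrap((auth), (mp)))
#define SVCAUTH_RELEASE(auth) \
	((auth)->svc_ah_ops->svc_ah_release((auth)))
#else
#define SVCAUTH_WRAP(auth, xdrs, xfunc, xwhere) \
	((auth)->svc_ah_ops->svc_ah_wrap((auth), (xdrs), (xfunc), (xwhere)))
#define SVCAUTH_UNWRAP(auth, xdrs, xfunc, xwhere) \
	((auth)->svc_ah_ops->svc_ah_unwrap((auth), (xdrs), (xfunc), (xwhere)))
#endif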
/*
 * Service registration
 *
 * svc_reg(xprt, prog, vers, dispatch, nconf)
 *	SVCXPRT *xprt;
 *	const rpcprog_t prog;
 *	const rpcvers_t vers;
 *	void (*dispatch)(struct svc_req *, SVCXPRT *);
 *	const struct netconfig *nconf;
 *
 * Associates (prog, vers) with a dispatch routine on the given
 * transport and returns a bool_t (presumably TRUE on success).  The
 * prototype below is authoritative; the old comment's
 * `const void (*dispatch)()' did not match it.
 */

__BEGIN_DECLS
extern bool_t	svc_reg(SVCXPRT *, const rpcprog_t, const rpcvers_t,
			void (*)(struct svc_req *, SVCXPRT *),
			const struct netconfig *);
__END_DECLS

/*
 * Service un-registration
 *
 * svc_unreg(prog, vers)
 *	const rpcprog_t prog;
 *	const rpcvers_t vers;
 *
 * The kernel variant takes the owning SVCPOOL as its first argument,
 * since kernel registrations are scoped to a pool rather than to a
 * process-wide table.
 */

__BEGIN_DECLS
#ifdef _KERNEL
extern void	svc_unreg(SVCPOOL *, const rpcprog_t, const rpcvers_t);
#else
extern void	svc_unreg(const rpcprog_t, const rpcvers_t);
#endif
__END_DECLS
#ifdef _KERNEL
/*
 * Service connection loss registration
 *
 * svc_loss_reg(xprt, dispatch)
 *	SVCXPRT *xprt;
 *	void (*dispatch)(SVCXPRT *);
 *
 * Registers a routine to be invoked for the transport when its
 * connection is lost.  Kernel only.  Returns a bool_t indicating
 * success.
 */
__BEGIN_DECLS
extern bool_t svc_loss_reg(SVCXPRT *, void (*)(SVCXPRT *));
__END_DECLS

/*
 * Service connection loss un-registration
 *
 * svc_loss_unreg(pool, dispatch)
 *	SVCPOOL *pool;
 *	void (*dispatch)(SVCXPRT *);
 *
 * Note the asymmetry with svc_loss_reg(): un-registration is keyed by
 * the pool and the callback, not by an individual transport.
 */
__BEGIN_DECLS
extern void svc_loss_unreg(SVCPOOL *, void (*)(SVCXPRT *));
__END_DECLS
#endif
/*
 * Transport registration.
 *
 * xprt_register(xprt)
 *	SVCXPRT *xprt;
 *
 * Registers a transport with the service machinery; the counterpart of
 * xprt_unregister() below.
 */
__BEGIN_DECLS
extern void xprt_register(SVCXPRT *);
__END_DECLS
/*
 * Transport un-register
 *
 * xprt_unregister(xprt)
 *	SVCXPRT *xprt;
 *
 * Removes a transport previously passed to xprt_register().
 *
 * __xprt_unregister_unlocked is library-internal (reserved-identifier
 * prefix).  Its suffix indicates it skips the locking xprt_unregister()
 * does, so it is presumably only valid when the caller already holds
 * the relevant lock -- confirm against svc.c before using it in new
 * code.
 */
__BEGIN_DECLS
extern void xprt_unregister(SVCXPRT *);
extern void __xprt_unregister_unlocked(SVCXPRT *);
__END_DECLS
#ifdef _KERNEL

/*
 * Called when a transport has pending requests.
 *
 * xprt_active() marks the transport as having work to do; the
 * xprt_inactive*() family clears that state.  The _locked and _self
 * suffixes follow the usual kernel naming, suggesting a caller that
 * already holds the lock and a call from the transport's own handler
 * respectively -- the exact lock contract lives in svc.c, not here.
 */
__BEGIN_DECLS
extern void xprt_active(SVCXPRT *);
extern void xprt_inactive(SVCXPRT *);
/* As xprt_inactive(), presumably with the lock already held by the caller. */
extern void xprt_inactive_locked(SVCXPRT *);
/* Variant for use from the transport's own context (see svc.c). */
extern void xprt_inactive_self(SVCXPRT *);
__END_DECLS

#endif
/*
 * When the service routine is called, it must first check to see if it
 * knows about the procedure; if not, it should call svcerr_noproc
 * and return. If so, it should deserialize its arguments via
 * SVC_GETARGS (defined above). If the deserialization does not work,
 * svcerr_decode should be called followed by a return. Successful
 * decoding of the arguments should be followed by the execution of the
 * procedure's code and a call to svc_sendreply.
 *
 * Also, if the service refuses to execute the procedure due to too-
 * weak authentication parameters, svcerr_weakauth should be called.
 * Note: do not confuse access-control failure with weak authentication!
 * svcerr_weakauth is an RPC-level rejection of the credentials; a caller
 * who is properly authenticated but not authorized should instead get
 * the procedure's normal reply carrying a permission-denied result.
 *
 * NB: In pure implementations of rpc, the caller always waits for a reply
 * msg. This message is sent when svc_sendreply is called.
 * Therefore pure service implementations should always call
 * svc_sendreply even if the function logically returns void; use
 * xdr.h - xdr_void for the xdr routine. HOWEVER, tcp based rpc allows
 * for the abuse of pure rpc via batched calling or pipelining. In the
 * case of a batched call, svc_sendreply should NOT be called since
 * this would send a return message, which is what batching tries to avoid.
 * It is the service/protocol writer's responsibility to know which calls are
 * batched and which are not. Warning: responding to batch calls may
 * deadlock the caller and server processes!
 */
__BEGIN_DECLS
#ifdef _KERNEL
/*
 * Kernel API: replies and error replies are keyed by the request
 * (struct svc_req *) rather than by the transport.
 */
extern bool_t svc_sendreply(struct svc_req *, xdrproc_t, void *);
/* Reply with an already-encoded mbuf chain instead of an xdr routine. */
extern bool_t svc_sendreply_mbuf(struct svc_req *, struct mbuf *);
/* Error replies; the commentary above says when each one applies. */
extern void svcerr_decode(struct svc_req *);
extern void svcerr_weakauth(struct svc_req *);
extern void svcerr_noproc(struct svc_req *);
/* The two rpcvers_t are the supported version range (presumably low, high). */
extern void svcerr_progvers(struct svc_req *, rpcvers_t, rpcvers_t);
/* Reject with a specific auth_stat rather than the generic weak-auth reply. */
extern void svcerr_auth(struct svc_req *, enum auth_stat);
extern void svcerr_noprog(struct svc_req *);
extern void svcerr_systemerr(struct svc_req *);
#else
/* Userland API: the same routines, keyed by the transport. */
extern bool_t svc_sendreply(SVCXPRT *, xdrproc_t, void *);
extern void svcerr_decode(SVCXPRT *);
extern void svcerr_weakauth(SVCXPRT *);
extern void svcerr_noproc(SVCXPRT *);
/* The two rpcvers_t are the supported version range (presumably low, high). */
extern void svcerr_progvers(SVCXPRT *, rpcvers_t, rpcvers_t);
/* Reject with a specific auth_stat rather than the generic weak-auth reply. */
extern void svcerr_auth(SVCXPRT *, enum auth_stat);
extern void svcerr_noprog(SVCXPRT *);
extern void svcerr_systemerr(SVCXPRT *);
#endif
/*
 * Register one procedure (prog, vers, proc) with its handler and the
 * xdr routines for its argument and result.  The handler takes and
 * returns a char * (argument and result buffers); the trailing char *
 * is presumably the nettype, as in rpc_reg(3) -- confirm in the
 * implementation.  Returns an int status.
 */
extern int rpc_reg(rpcprog_t, rpcvers_t, rpcproc_t,
	char *(*)(char *), xdrproc_t, xdrproc_t,
	char *);
__END_DECLS
/*
 * Lowest level dispatching -OR- who owns this process anyway.
 * Somebody has to wait for incoming requests and then call the correct
 * service routine. The routine svc_run does infinite waiting; i.e.,
 * svc_run never returns.
 * Since another (co-existent) package may wish to selectively wait for
 * incoming calls or other events outside of the rpc architecture, the
 * routine svc_getreq is provided. It must be passed readfds, the
 * "in-place" results of a select system call (see select, section 2).
 */
#ifndef _KERNEL
/*
 * Global keeper of rpc service descriptors in use
 * dynamic; must be inspected before each call to select
 *
 * svc_fdset is a fixed-size fd_set, so a descriptor numbered at or
 * above FD_SETSIZE cannot be represented in it.  Programs that may hold
 * many descriptors should drive the service with svc_getreq_poll()
 * rather than select()/svc_getreqset().  svc_maxfd is presumably the
 * highest descriptor currently in the set.
 */
extern int svc_maxfd;
#ifdef FD_SETSIZE
extern fd_set svc_fdset;
/* compatibility: aliases only the first word of the set, i.e. the lowest descriptors */
#define svc_fds svc_fdset.fds_bits[0] /* compatibility */
#else
extern int svc_fds;
#endif /* def FD_SETSIZE */
#endif
/*
 * a small program implemented by the svc_rpc implementation itself;
 * also see clnt.h for protocol numbers.
 *
 * Test/echo service; not something a production server needs to call.
 */
__BEGIN_DECLS
extern void rpctest_service(void);
__END_DECLS
__BEGIN_DECLS
/* Allocate / free a bare SVCXPRT; presumably what the transport creators build on. */
extern SVCXPRT *svc_xprt_alloc(void);
extern void svc_xprt_free(SVCXPRT *);
#ifndef _KERNEL
/*
 * Userland request loop.  The svc_getreq*() routines service whichever
 * descriptors are marked ready: svc_getreq(int) takes the readfds mask
 * described above (a single word, so presumably only the lowest
 * descriptors), svc_getreqset() a full fd_set from select(), and
 * svc_getreq_poll() a pollfd array plus ready count from poll().
 * svc_run() never returns (see above); svc_exit() presumably asks it
 * to stop -- confirm in svc_run.c.
 */
extern void svc_getreq(int);
extern void svc_getreqset(fd_set *);
extern void svc_getreq_common(int);
struct pollfd;
extern void svc_getreq_poll(struct pollfd *, int);
extern void svc_run(void);
extern void svc_exit(void);
#else
/*
 * Kernel request loop, scoped to an SVCPOOL.  Argument handling is
 * keyed by the request rather than the transport: svc_getargs()
 * decodes into the caller's buffer, svc_freeargs() releases what the
 * decode allocated, and svc_freereq() releases the request itself.
 */
extern void svc_run(SVCPOOL *);
extern void svc_exit(SVCPOOL *);
extern bool_t svc_getargs(struct svc_req *, xdrproc_t, void *);
extern bool_t svc_freeargs(struct svc_req *, xdrproc_t, void *);
extern void svc_freereq(struct svc_req *);

#endif
__END_DECLS
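/*
 * Socket to use on svcxxx_create call to get default socket
 *
 * Parenthesized so the constant is safe in every expression context:
 * with the bare `-1` form, `-RPC_ANYSOCK` expanded to the invalid token
 * sequence `--1`.  RPC_ANYFD is the descriptor-flavoured alias used by
 * the fd-taking create routines below.
 */
#define RPC_ANYSOCK	(-1)
#define RPC_ANYFD	RPC_ANYSOCK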
/*
* These are the existing service side transport implementations
*/
__BEGIN_DECLS
#ifdef _KERNEL
/*
 * Create a new service pool.
 *
 * `name` labels the pool; `sysctl_base` is the sysctl node under which
 * the pool's tunables are attached (whether NULL is accepted here is
 * not visible in this header -- check svc.c).  Returns the new pool.
 */
extern SVCPOOL* svcpool_create(const char *name,
	struct sysctl_oid_list *sysctl_base);
/*
 * Destroy a service pool, including all registered transports.
 * The pool must not be used afterwards; to stop a pool you intend to
 * reuse, call svcpool_close() instead.
 */
extern void svcpool_destroy(SVCPOOL *pool);
/*
 * Close a service pool. Similar to svcpool_destroy(), but it does not
 * free the data structures. As such, the pool can be used again.
 */
extern void svcpool_close(SVCPOOL *pool);
/*
 * Transport independent svc_create routine.
 *
 * Kernel variant: creates transports of the given nettype in `pool` and
 * registers (prognum, versnum) with `dispatch` on each.  Returns an int
 * -- presumably the number of transports created, with 0 meaning
 * failure, as for svc_create(3) -- confirm in svc_generic.c.
 */
extern int svc_create(SVCPOOL *, void (*)(struct svc_req *, SVCXPRT *),
	const rpcprog_t, const rpcvers_t, const char *);
/*
 *	void (*dispatch)();		-- dispatch routine
 *	const rpcprog_t prognum;	-- program number
 *	const rpcvers_t versnum;	-- version number
 *	const char *nettype;		-- network type
 */
/*
 * Generic server creation routine. It takes a netconfig structure
 * instead of a nettype.
 *
 * Kernel variant: additionally takes the pool and the universal address
 * (`uaddr`) the service should be reachable at.  Returns the new
 * transport.
 */
extern SVCXPRT *svc_tp_create(SVCPOOL *, void (*)(struct svc_req *, SVCXPRT *),
	const rpcprog_t, const rpcvers_t, const char *uaddr,
	const struct netconfig *);
/*
 *	void (*dispatch)();		-- dispatch routine
 *	const rpcprog_t prognum;	-- program number
 *	const rpcvers_t versnum;	-- version number
 *	const char *uaddr;		-- universal address of service
 *	const struct netconfig *nconf;	-- netconfig structure
 */
/*
 * Datagram (connectionless) transport over an existing socket.
 *
 * NOTE(review): a datagram transport has no connection, so the source
 * address of a request is unauthenticated.  Base access decisions on
 * the RPC authentication flavor, never on the peer address alone.
 */
extern SVCXPRT *svc_dg_create(SVCPOOL *, struct socket *,
	const size_t, const size_t);
/*
 *	struct socket *;		-- open datagram socket
 *	const size_t sendsize;		-- max send size
 *	const size_t recvsize;		-- max recv size
 */
/*
 * Connection-oriented ("virtual circuit") transport over an existing
 * socket.  sendsize/recvsize bound the message sizes the transport
 * will handle.
 */
extern SVCXPRT *svc_vc_create(SVCPOOL *, struct socket *,
	const size_t, const size_t);
/*
 *	struct socket *;		-- open connection
 *	const size_t sendsize;		-- max send size
 *	const size_t recvsize;		-- max recv size
 */
/*
 * Connection-oriented transport used as a backchannel.  No socket is
 * supplied at creation time, so the connection is presumably attached
 * later -- see svc_vc.c.
 */
extern SVCXPRT *svc_vc_create_backchannel(SVCPOOL *);
/*
 * Create a client handle that sends over an existing server transport
 * socket (the backchannel direction).  The return type is void *;
 * presumably a CLIENT * -- confirm against the implementation before
 * casting.
 */
extern void *clnt_bck_create(struct socket *, const rpcprog_t, const rpcvers_t);
/*
 *	struct socket *;		-- server transport socket
 *	const rpcprog_t prog;		-- RPC program number
 *	const rpcvers_t vers;		-- RPC program version
 */
/*
 * Generic TLI create routine
 *
 * Kernel variant: builds a transport of the kind described by `nconf`
 * on the given socket, optionally binding it to `bindaddr`.
 */
extern SVCXPRT *svc_tli_create(SVCPOOL *, struct socket *,
	const struct netconfig *, const struct t_bind *, const size_t, const size_t);
/*
 *	struct socket * so;		-- connection end point
 *	const struct netconfig *nconf;	-- netconfig structure for network
 *	const struct t_bind *bindaddr;	-- local bind address
 *	const size_t sendsz;		-- max sendsize
 *	const size_t recvsz;		-- max recvsize
 */
#else /* !_KERNEL */
/*
 * Transport independent svc_create routine.
 *
 * Userland variant: creates transports of the given nettype and
 * registers (prognum, versnum) with `dispatch` on each.  Returns an int
 * -- presumably the number of transports created, with 0 meaning
 * failure, as documented in svc_create(3).
 */
extern int svc_create(void (*)(struct svc_req *, SVCXPRT *),
	const rpcprog_t, const rpcvers_t, const char *);
/*
 *	void (*dispatch)();		-- dispatch routine
 *	const rpcprog_t prognum;	-- program number
 *	const rpcvers_t versnum;	-- version number
 *	const char *nettype;		-- network type
 */
/*
 * Generic server creation routine. It takes a netconfig structure
 * instead of a nettype.
 *
 * Userland variant; unlike the kernel one it takes no pool and no
 * universal address.  Returns the new transport.
 */
extern SVCXPRT *svc_tp_create(void (*)(struct svc_req *, SVCXPRT *),
	const rpcprog_t, const rpcvers_t,
	const struct netconfig *);
/*
 *	void (*dispatch)();		-- dispatch routine
 *	const rpcprog_t prognum;	-- program number
 *	const rpcvers_t versnum;	-- version number
 *	const struct netconfig *nconf;	-- netconfig structure
 */
/*
 * Generic TLI create routine
 *
 * Userland variant: builds a transport of the kind described by `nconf`
 * on descriptor `fd`; pass RPC_ANYFD (see above) to have the library
 * create the socket itself.
 */
extern SVCXPRT *svc_tli_create(const int, const struct netconfig *,
	const struct t_bind *, const u_int,
	const u_int);
/*
 *	const int fd;			-- connection end point
 *	const struct netconfig *nconf;	-- netconfig structure for network
 *	const struct t_bind *bindaddr;	-- local bind address
 *	const u_int sendsz;		-- max sendsize
 *	const u_int recvsz;		-- max recvsize
 */
/*
 * Connectionless and connectionful create routines
 */

/*
 * Connection-oriented transport on descriptor `fd`; pass RPC_ANYFD
 * (see above) to have the library create the socket itself.
 */
extern SVCXPRT *svc_vc_create(const int, const u_int, const u_int);
/*
 *	const int fd;			-- open connection end point
 *	const u_int sendsize;		-- max send size
 *	const u_int recvsize;		-- max recv size
 */
/*
 * Added for compatibility with old rpc 4.0. Obsoleted by svc_vc_create().
 * The trailing char * is presumably the AF_LOCAL socket path -- not
 * stated here; prefer svc_vc_create() in new code.
 */
extern SVCXPRT *svcunix_create(int, u_int, u_int, char *);
/*
 * Datagram (connectionless) transport on descriptor `fd`; pass RPC_ANYFD
 * (see above) to have the library create the socket itself.  The reply
 * cache is off unless enabled with svc_dg_enablecache() below.
 *
 * NOTE(review): a datagram transport has no connection, so the source
 * address of a request is unauthenticated.  Base access decisions on
 * the RPC authentication flavor, never on the peer address alone.
 */
extern SVCXPRT *svc_dg_create(const int, const u_int, const u_int);
/*
 *	const int fd;			-- open datagram socket
 *	const u_int sendsize;		-- max send size
 *	const u_int recvsize;		-- max recv size
 */
/*
 * the routine takes any *open* connection
 * descriptor as its first input and is used for open connections.
 * Unlike svc_vc_create(), the descriptor must already be connected;
 * RPC_ANYFD is not meaningful here.
 */
extern SVCXPRT *svc_fd_create(const int, const u_int, const u_int);
/*
 *	const int fd;			-- open connection end point
 *	const u_int sendsize;		-- max send size
 *	const u_int recvsize;		-- max recv size
 */
/*
 * Added for compatibility with old rpc 4.0. Obsoleted by svc_fd_create().
 */
extern SVCXPRT *svcunixfd_create(int, u_int, u_int);
/*
 * Memory based rpc (for speed check and testing)
 * Not a network transport; do not use it to serve real clients.
 */
extern SVCXPRT *svc_raw_create(void);
/*
 * svc_dg_enablecache() enables the cache on dg transports.
 * The u_int is the cache size (presumably in entries).  A reply cache
 * lets the server answer a retransmitted datagram request from the
 * stored reply instead of re-executing the procedure, which matters
 * for non-idempotent procedures; the int return is a status -- see
 * svc_dg.c for its meaning.
 */
int svc_dg_enablecache(SVCXPRT *, const u_int);
/*
 * Library-internal (reserved-identifier prefix): retrieve the uid of
 * the peer on a local transport into *_uid, returning an int status.
 * NOTE(review): this can only be meaningful where the transport itself
 * supplies peer credentials (e.g. an AF_LOCAL socket); a result
 * obtained for a network transport is not an authenticated identity.
 * Confirm the exact conditions in the implementation before relying
 * on it.
 */
int __rpc_get_local_uid(SVCXPRT *_transp, uid_t *_uid);
#endif /* !_KERNEL */
__END_DECLS
#ifndef _KERNEL
/* for backward compatibility */
#include <rpc/svc_soc.h>
#endif
#endif /* !_RPC_SVC_H */