--- nfsuserd.c.sav 2015-12-09 18:46:29.284972000 -0500
+++ nfsuserd.c 2015-12-09 18:59:33.564498000 -0500
@@ -40,6 +40,10 @@ __FBSDID("$FreeBSD: head/usr.sbin/nfsuse
 #include
 #include
+#include
+
+#include
+
 #include
 #include
@@ -94,6 +98,7 @@ gid_t defaultgid = (gid_t)32767;
 int verbose = 0, im_a_slave = 0, nfsuserdcnt = -1, forcestart = 0;
 int defusertimeout = DEFUSERTIMEOUT, manage_gids = 0;
 pid_t slaves[MAXNFSUSERD];
+struct in_addr fromip;
 int
 main(int argc, char *argv[])
@@ -144,6 +149,7 @@ main(int argc, char *argv[])
 }
 }
 }
+ fromip.s_addr = inet_addr("127.0.0.1");
 nid.nid_usermax = DEFUSERMAX;
 nid.nid_usertimeout = defusertimeout;
@@ -190,6 +196,15 @@ main(int argc, char *argv[])
 usage();
 }
 nid.nid_usertimeout = defusertimeout = i * 60;
+ } else if (!strcmp(*argv, "-fromip")) {
+ if (argc == 1)
+ usage();
+ argc--;
+ argv++;
+ if (inet_aton(*argv, &fromip) == 0) {
+ fprintf(stderr, "Bad -fromip %s\n", *argv);
+ usage();
+ }
 } else if (nfsuserdcnt == -1) {
 nfsuserdcnt = atoi(*argv);
 if (nfsuserdcnt < 1)
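Review bot: The default in the `fromip.s_addr = inet_addr("127.0.0.1");` line is a compile-time constant parsed at run time through the legacy inet_addr(3), whose INADDR_NONE failure value is indistinguishable from 255.255.255.255, while the new option parsing a few hunks later already uses inet_aton(3). For the loopback default the idiomatic form is `fromip.s_addr = htonl(INADDR_LOOPBACK);`, which needs no string parsing and keeps the byte order explicit for the later `s_addr` comparison. This is a style point only; the resulting value is the same.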
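Review bot: The new `-fromip` branch accepts any syntactically valid IPv4 address: after `inet_aton(*argv, &fromip)` succeeds, nothing checks that the address is actually configured on this host, even though the accompanying man page tells administrators to use only such addresses and the daemon's whole access check (in nfsuserdsrv, outside this hunk) reduces to an exact match against this value. A startup check via getifaddrs(3) would enforce that documented rule and catch typos before the daemon starts answering requests; it needs `#include <ifaddrs.h>` (and `<sys/socket.h>` if not already pulled in) added in the include hunk. One caveat: on a host whose interface is configured after boot (DHCP, as the laptop example in the man page suggests), a hard failure here could prevent nfsuserd from starting, so logging a warning instead of calling usage() may be the better default. The option-parsing loop that this branch belongs to starts and ends outside the hunk.
```c
/* Return non-zero if addr is assigned to one of this host's interfaces. */
static int
is_local_addr(const struct in_addr *addr)
{
	struct ifaddrs *ifap, *ifa;
	int found = 0;

	if (getifaddrs(&ifap) != 0)
		return (0);
	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
		if (ifa->ifa_addr != NULL &&
		    ifa->ifa_addr->sa_family == AF_INET &&
		    ((struct sockaddr_in *)ifa->ifa_addr)->sin_addr.s_addr ==
		    addr->s_addr) {
			found = 1;
			break;
		}
	}
	freeifaddrs(ifap);
	return (found);
}

/* … unchanged: option parsing up to the -fromip branch … */
		} else if (!strcmp(*argv, "-fromip")) {
			if (argc == 1)
				usage();
			argc--;
			argv++;
			if (inet_aton(*argv, &fromip) == 0) {
				fprintf(stderr, "Bad -fromip %s\n", *argv);
				usage();
			}
			if (!is_local_addr(&fromip))
				fprintf(stderr,
				    "Warning: -fromip %s is not assigned to a local interface\n",
				    *argv);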
@@ -458,22 +473,22 @@ nfsuserdsrv(struct svc_req *rqstp, SVCXP
 u_short sport;
 struct info info;
 struct nfsd_idargs nid;
- u_int32_t saddr;
 gid_t grps[NGROUPS];
 int ngroup;
 /*
- * Only handle requests from 127.0.0.1 on a reserved port number.
+ * Only handle requests from 127.0.0.1 on a reserved port number,
+ * unless the "-fromip" specified a different address.
 * (Since a reserved port # at localhost implies a client with
 * local root, there won't be a security breach. This is about
 * the only case I can think of where a reserved port # means
 * something.)
 */
 sport = ntohs(transp->xp_raddr.sin_port);
- saddr = ntohl(transp->xp_raddr.sin_addr.s_addr);
 if ((rqstp->rq_proc != NULLPROC && sport >= IPPORT_RESERVED) ||
- saddr != 0x7f000001) {
- syslog(LOG_ERR, "req from ip=0x%x port=%d\n", saddr, sport);
+ transp->xp_raddr.sin_addr.s_addr != fromip.s_addr) {
+ syslog(LOG_ERR, "req from ip=%s port=%d\n",
+ inet_ntoa(transp->xp_raddr.sin_addr), sport);
 svcerr_weakauth(transp);
 return;
 }
@@ -721,5 +736,5 @@ usage(void)
 {
 errx(1,
- "usage: nfsuserd [-usermax cache_size] [-usertimeout minutes] [-verbose] [-manage-gids] [-domain domain_name] [n]");
+ "usage: nfsuserd [-usermax cache_size] [-usertimeout minutes] [-verbose] [-manage-gids] [-domain domain_name] [-fromip xx.xx.xx.xx] [n]");
 }
--- nfsuserd.8.sav 2015-12-09 19:13:48.173812000 -0500
+++ nfsuserd.8 2015-12-09 19:19:38.522516000 -0500
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD: head/usr.sbin/nfsuserd/nfsuserd.8 276258 2014-12-26 21:56:23Z joel $
 .\"
-.Dd November 1, 2015
+.Dd December 9, 2015
 .Dt NFSUSERD 8
 .Os
 .Sh NAME
@@ -37,6 +37,7 @@ services plus support manage-gids for al
 .Op Fl domain Ar domain_name
 .Op Fl usertimeout Ar minutes
 .Op Fl usermax Ar max_cache_size
+.Op Fl fromip Ar ip_address
 .Op Fl verbose
 .Op Fl force
 .Op Fl manage-gids
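Review bot: The comment kept on the new side of the access check in nfsuserdsrv still justifies the reserved-port test with "a reserved port # at localhost implies a client with local root, there won't be a security breach", but that reasoning only holds for loopback; once `-fromip` names a routable interface address, the check is an exact match on `transp->xp_raddr.sin_addr.s_addr`, and if this is a datagram transport (the hunk shows only the remote sockaddr, not the socket type) any host able to reach the socket can put that source address and a port below IPPORT_RESERVED on a packet, so nothing in this function distinguishes the kernel's upcall from a forged request that feeds bogus identity mappings into the daemon. I would not change the code here but would rewrite the comment so the weakened guarantee is explicit: state that the reserved-port test proves local root only when the source is loopback, that a non-loopback `-fromip` address can be forged by any host that can reach this socket, and that in that configuration the administrator must rely on ingress filtering (drop packets arriving from the network that claim one of the host's own addresses). The same caveat belongs in the `-fromip` entry of nfsuserd.8, which currently only says to use an address assigned to the machine. The body of nfsuserdsrv continues past the end of this hunk.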
@@ -76,6 +77,21 @@ the more kernel memory is used, but the
 system can afford the memory use, make this the sum of the number of entries in your group and password databases.
 The default is 200 entries.
+.It Fl fromip Ar ip_address
+This overrides the default upcall from address of 127.0.0.1.
+Although the upcall connection is done to 127.0.0.1, some network
+configurations will result in another IP address assigned to the machine
+as the from address.
+If you get syslog messages like:
+.sp
+.nf
+Dec 9 19:03:20 nfsv4-laptop nfsuserd:[506]: req from ip=131.104.48.17 port=861
+.fi
+.sp
+then you should use this option to set the from IP address to the one in
+the message.
+Only do this for IP addresses assigned to the machine this daemon is running
+on.
 .It Fl verbose
 When set, the server logs a bunch of information to syslog.
 .It Fl force