Blame SOURCES/nfs-utils-2.3.3-mountd-v4-logging.patch

0d1c97
diff --git a/nfs.conf b/nfs.conf
0d1c97
index 05247ff9..86ed7d53 100644
0d1c97
--- a/nfs.conf
0d1c97
+++ b/nfs.conf
0d1c97
@@ -38,6 +38,8 @@ use-gss-proxy=1
0d1c97
 # reverse-lookup=n
0d1c97
 # state-directory-path=/var/lib/nfs
0d1c97
 # ha-callout=
0d1c97
+# cache-use-ipaddr=n
0d1c97
+# ttl=1800
0d1c97
 #
0d1c97
 [nfsdcld]
0d1c97
 # debug=0
0d1c97
diff --git a/support/export/Makefile.am b/support/export/Makefile.am
0d1c97
index 13f7a49c..d6ee502f 100644
0d1c97
--- a/support/export/Makefile.am
0d1c97
+++ b/support/export/Makefile.am
0d1c97
@@ -11,7 +11,8 @@ EXTRA_DIST	= mount.x
0d1c97
 
0d1c97
 noinst_LIBRARIES = libexport.a
0d1c97
 libexport_a_SOURCES = client.c export.c hostname.c \
0d1c97
-		      xtab.c mount_clnt.c mount_xdr.c
0d1c97
+		      xtab.c mount_clnt.c mount_xdr.c \
0d1c97
+			  cache.c auth.c v4root.c v4clients.c
0d1c97
 BUILT_SOURCES 	= $(GENFILES)
0d1c97
 
0d1c97
 noinst_HEADERS = mount.h
0d1c97
diff --git a/utils/mountd/auth.c b/support/export/auth.c
0d1c97
similarity index 98%
0d1c97
rename from utils/mountd/auth.c
0d1c97
rename to support/export/auth.c
0d1c97
index 8299256e..73ad6f73 100644
0d1c97
--- a/utils/mountd/auth.c
0d1c97
+++ b/support/export/auth.c
0d1c97
@@ -22,7 +22,7 @@
0d1c97
 #include "misc.h"
0d1c97
 #include "nfslib.h"
0d1c97
 #include "exportfs.h"
0d1c97
-#include "mountd.h"
0d1c97
+#include "export.h"
0d1c97
 #include "v4root.h"
0d1c97
 
0d1c97
 enum auth_error
0d1c97
@@ -43,11 +43,13 @@ extern int use_ipaddr;
0d1c97
 
0d1c97
 extern struct state_paths etab;
0d1c97
 
0d1c97
+/*
0d1c97
 void
0d1c97
 auth_init(void)
0d1c97
 {
0d1c97
 	auth_reload();
0d1c97
 }
0d1c97
+*/
0d1c97
 
0d1c97
 /*
0d1c97
  * A client can match many different netgroups and it's tough to know
0d1c97
@@ -64,6 +66,10 @@ check_useipaddr(void)
0d1c97
 	int old_use_ipaddr = use_ipaddr;
0d1c97
 	unsigned int len = 0;
0d1c97
 
0d1c97
+	if (use_ipaddr > 1)
0d1c97
+		/* fixed - don't check */
0d1c97
+		return;
0d1c97
+
0d1c97
 	/* add length of m_hostname + 1 for the comma */
0d1c97
 	for (clp = clientlist[MCL_NETGROUP]; clp; clp = clp->m_next)
0d1c97
 		len += (strlen(clp->m_hostname) + 1);
0d1c97
diff --git a/utils/mountd/cache.c b/support/export/cache.c
0d1c97
similarity index 95%
0d1c97
rename from utils/mountd/cache.c
0d1c97
rename to support/export/cache.c
0d1c97
index c73e29be..98d50828 100644
0d1c97
--- a/utils/mountd/cache.c
0d1c97
+++ b/support/export/cache.c
0d1c97
@@ -29,21 +29,18 @@
0d1c97
 #include "misc.h"
0d1c97
 #include "nfslib.h"
0d1c97
 #include "exportfs.h"
0d1c97
-#include "mountd.h"
0d1c97
-#include "fsloc.h"
0d1c97
+#include "export.h"
0d1c97
 #include "pseudoflavors.h"
0d1c97
 #include "xcommon.h"
0d1c97
 
0d1c97
+#ifdef HAVE_JUNCTION_SUPPORT
0d1c97
+#include "../../utils/mountd/fsloc.h"
0d1c97
+#endif
0d1c97
+
0d1c97
 #ifdef USE_BLKID
0d1c97
 #include "blkid/blkid.h"
0d1c97
 #endif
0d1c97
 
0d1c97
-/*
0d1c97
- * Invoked by RPC service loop
0d1c97
- */
0d1c97
-void	cache_set_fds(fd_set *fdset);
0d1c97
-int	cache_process_req(fd_set *readfds);
0d1c97
-
0d1c97
 enum nfsd_fsid {
0d1c97
 	FSID_DEV = 0,
0d1c97
 	FSID_NUM,
0d1c97
@@ -63,7 +60,6 @@ enum nfsd_fsid {
0d1c97
  * Record is terminated with newline.
0d1c97
  *
0d1c97
  */
0d1c97
-static int cache_export_ent(char *buf, int buflen, char *domain, struct exportent *exp, char *path);
0d1c97
 
0d1c97
 #define INITIAL_MANAGED_GROUPS 100
0d1c97
 
0d1c97
@@ -81,6 +77,7 @@ static void auth_unix_ip(int f)
0d1c97
 	char class[20];
0d1c97
 	char ipaddr[INET6_ADDRSTRLEN + 1];
0d1c97
 	char *client = NULL;
0d1c97
+	struct addrinfo *ai = NULL;
0d1c97
 	struct addrinfo *tmp = NULL;
0d1c97
 	char buf[RPC_CHAN_BUF_SIZE], *bp;
0d1c97
 	int blen;
0d1c97
@@ -106,21 +103,26 @@ static void auth_unix_ip(int f)
0d1c97
 
0d1c97
 	auth_reload();
0d1c97
 
0d1c97
-	/* addr is a valid, interesting address, find the domain name... */
0d1c97
-	if (!use_ipaddr) {
0d1c97
-		struct addrinfo *ai = NULL;
0d1c97
-
0d1c97
-		ai = client_resolve(tmp->ai_addr);
0d1c97
-		if (ai) {
0d1c97
-			client = client_compose(ai);
0d1c97
-			freeaddrinfo(ai);
0d1c97
-		}
0d1c97
+	/* addr is a valid address, find the domain name... */
0d1c97
+	ai = client_resolve(tmp->ai_addr);
0d1c97
+	if (ai) {
0d1c97
+		client = client_compose(ai);
0d1c97
+		freeaddrinfo(ai);
0d1c97
 	}
0d1c97
+	if (!client)
0d1c97
+		xlog(D_AUTH, "failed authentication for IP %s", ipaddr);
0d1c97
+	else if	(!use_ipaddr)
0d1c97
+		xlog(D_AUTH, "successful authentication for IP %s as %s",
0d1c97
+		     ipaddr, *client ? client : "DEFAULT");
0d1c97
+	else
0d1c97
+		xlog(D_AUTH, "successful authentication for IP %s",
0d1c97
+			     ipaddr);
0d1c97
+
0d1c97
 	bp = buf; blen = sizeof(buf);
0d1c97
 	qword_add(&bp, &blen, "nfsd");
0d1c97
 	qword_add(&bp, &blen, ipaddr);
0d1c97
-	qword_adduint(&bp, &blen, time(0) + DEFAULT_TTL);
0d1c97
-	if (use_ipaddr) {
0d1c97
+	qword_adduint(&bp, &blen, time(0) + default_ttl);
0d1c97
+	if (use_ipaddr && client) {
0d1c97
 		memmove(ipaddr + 1, ipaddr, strlen(ipaddr) + 1);
0d1c97
 		ipaddr[0] = '$';
0d1c97
 		qword_add(&bp, &blen, ipaddr);
0d1c97
@@ -192,7 +194,7 @@ static void auth_unix_gid(int f)
0d1c97
 
0d1c97
 	bp = buf; blen = sizeof(buf);
0d1c97
 	qword_adduint(&bp, &blen, uid);
0d1c97
-	qword_adduint(&bp, &blen, time(0) + DEFAULT_TTL);
0d1c97
+	qword_adduint(&bp, &blen, time(0) + default_ttl);
0d1c97
 	if (rv >= 0) {
0d1c97
 		qword_adduint(&bp, &blen, ngroups);
0d1c97
 		for (i=0; i
0d1c97
@@ -688,7 +690,6 @@ static void nfsd_fh(int f)
0d1c97
 	char *found_path = NULL;
0d1c97
 	nfs_export *exp;
0d1c97
 	int i;
0d1c97
-	int dev_missing = 0;
0d1c97
 	char buf[RPC_CHAN_BUF_SIZE], *bp;
0d1c97
 	int blen;
0d1c97
 
0d1c97
@@ -755,11 +756,6 @@ static void nfsd_fh(int f)
0d1c97
 			if (!is_ipaddr_client(dom)
0d1c97
 					&& !namelist_client_matches(exp, dom))
0d1c97
 				continue;
0d1c97
-			if (exp->m_export.e_mountpoint &&
0d1c97
-			    !is_mountpoint(exp->m_export.e_mountpoint[0]?
0d1c97
-					   exp->m_export.e_mountpoint:
0d1c97
-					   exp->m_export.e_path))
0d1c97
-				dev_missing ++;
0d1c97
 
0d1c97
 			if (!match_fsid(&parsed, exp, path))
0d1c97
 				continue;
0d1c97
@@ -794,7 +790,7 @@ static void nfsd_fh(int f)
0d1c97
 	    !is_mountpoint(found->e_mountpoint[0]?
0d1c97
 			   found->e_mountpoint:
0d1c97
 			   found->e_path)) {
0d1c97
-		/* Cannot export this yet 
0d1c97
+		/* Cannot export this yet
0d1c97
 		 * should log a warning, but need to rate limit
0d1c97
 		   xlog(L_WARNING, "%s not exported as %d not a mountpoint",
0d1c97
 		   found->e_path, found->e_mountpoint);
0d1c97
@@ -802,16 +798,6 @@ static void nfsd_fh(int f)
0d1c97
 		/* FIXME we need to make sure we re-visit this later */
0d1c97
 		goto out;
0d1c97
 	}
0d1c97
-	if (!found && dev_missing) {
0d1c97
-		/* The missing dev could be what we want, so just be
0d1c97
-		 * quite rather than returning stale yet
0d1c97
-		 */
0d1c97
-		goto out;
0d1c97
-	}
0d1c97
-
0d1c97
-	if (found)
0d1c97
-		if (cache_export_ent(buf, sizeof(buf), dom, found, found_path) < 0)
0d1c97
-			found = 0;
0d1c97
 
0d1c97
 	bp = buf; blen = sizeof(buf);
0d1c97
 	qword_add(&bp, &blen, dom);
0d1c97
@@ -831,6 +817,8 @@ static void nfsd_fh(int f)
0d1c97
 	qword_addeol(&bp, &blen);
0d1c97
 	if (blen <= 0 || write(f, buf, bp - buf) != bp - buf)
0d1c97
 		xlog(L_ERROR, "nfsd_fh: error writing reply");
0d1c97
+	if (!found)
0d1c97
+		xlog(D_AUTH, "denied access to %s", *dom == '$' ? dom+1 : dom);
0d1c97
 out:
0d1c97
 	if (found_path)
0d1c97
 		free(found_path);
0d1c97
@@ -839,6 +827,7 @@ out:
0d1c97
 	xlog(D_CALL, "nfsd_fh: found %p path %s", found, found ? found->e_path : NULL);
0d1c97
 }
0d1c97
 
0d1c97
+#ifdef HAVE_JUNCTION_SUPPORT
0d1c97
 static void write_fsloc(char **bp, int *blen, struct exportent *ep)
0d1c97
 {
0d1c97
 	struct servers *servers;
0d1c97
@@ -861,7 +850,7 @@ static void write_fsloc(char **bp, int *blen, struct exportent *ep)
0d1c97
 	qword_addint(bp, blen, servers->h_referral);
0d1c97
 	release_replicas(servers);
0d1c97
 }
0d1c97
-
0d1c97
+#endif
0d1c97
 static void write_secinfo(char **bp, int *blen, struct exportent *ep, int flag_mask)
0d1c97
 {
0d1c97
 	struct sec_entry *p;
0d1c97
@@ -890,7 +879,7 @@ static int dump_to_cache(int f, char *buf, int buflen, char *domain,
0d1c97
 	time_t now = time(0);
0d1c97
 
0d1c97
 	if (ttl <= 1)
0d1c97
-		ttl = DEFAULT_TTL;
0d1c97
+		ttl = default_ttl;
0d1c97
 
0d1c97
 	qword_add(&bp, &blen, domain);
0d1c97
 	qword_add(&bp, &blen, path);
0d1c97
@@ -903,7 +892,10 @@ static int dump_to_cache(int f, char *buf, int buflen, char *domain,
0d1c97
 		qword_addint(&bp, &blen, exp->e_anonuid);
0d1c97
 		qword_addint(&bp, &blen, exp->e_anongid);
0d1c97
 		qword_addint(&bp, &blen, exp->e_fsid);
0d1c97
+
0d1c97
+#ifdef HAVE_JUNCTION_SUPPORT
0d1c97
 		write_fsloc(&bp, &blen, exp);
0d1c97
+#endif
0d1c97
 		write_secinfo(&bp, &blen, exp, flag_mask);
0d1c97
 		if (exp->e_uuid == NULL || different_fs) {
0d1c97
 			char u[16];
0d1c97
@@ -917,8 +909,13 @@ static int dump_to_cache(int f, char *buf, int buflen, char *domain,
0d1c97
 			qword_add(&bp, &blen, "uuid");
0d1c97
 			qword_addhex(&bp, &blen, u, 16);
0d1c97
 		}
0d1c97
-	} else
0d1c97
+		xlog(D_AUTH, "granted access to %s for %s",
0d1c97
+		     path, *domain == '$' ? domain+1 : domain);
0d1c97
+	} else {
0d1c97
 		qword_adduint(&bp, &blen, now + ttl);
0d1c97
+		xlog(D_AUTH, "denied access to %s for %s",
0d1c97
+		     path, *domain == '$' ? domain+1 : domain);
0d1c97
+	}
0d1c97
 	qword_addeol(&bp, &blen);
0d1c97
 	if (blen <= 0) return -1;
0d1c97
 	if (write(f, buf, bp - buf) != bp - buf) return -1;
0d1c97
@@ -1421,6 +1418,40 @@ int cache_process_req(fd_set *readfds)
0d1c97
 	return cnt;
0d1c97
 }
0d1c97
 
0d1c97
+/**
0d1c97
+ * cache_process_loop - process incoming upcalls
0d1c97
+ */
0d1c97
+void cache_process_loop(void)
0d1c97
+{
0d1c97
+	fd_set	readfds;
0d1c97
+	int	selret;
0d1c97
+
0d1c97
+	FD_ZERO(&readfds);
0d1c97
+
0d1c97
+	for (;;) {
0d1c97
+
0d1c97
+		cache_set_fds(&readfds);
0d1c97
+		v4clients_set_fds(&readfds);
0d1c97
+
0d1c97
+		selret = select(FD_SETSIZE, &readfds,
0d1c97
+				(void *) 0, (void *) 0, (struct timeval *) 0);
0d1c97
+
0d1c97
+
0d1c97
+		switch (selret) {
0d1c97
+		case -1:
0d1c97
+			if (errno == EINTR || errno == ECONNREFUSED
0d1c97
+			 || errno == ENETUNREACH || errno == EHOSTUNREACH)
0d1c97
+				continue;
0d1c97
+			xlog(L_ERROR, "my_svc_run() - select: %m");
0d1c97
+			return;
0d1c97
+
0d1c97
+		default:
0d1c97
+			cache_process_req(&readfds);
0d1c97
+			v4clients_process(&readfds);
0d1c97
+		}
0d1c97
+	}
0d1c97
+}
0d1c97
+
0d1c97
 
0d1c97
 /*
0d1c97
  * Give IP->domain and domain+path->options to kernel
0d1c97
diff --git a/support/export/export.h b/support/export/export.h
0d1c97
new file mode 100644
0d1c97
index 00000000..8d5a0d30
0d1c97
--- /dev/null
0d1c97
+++ b/support/export/export.h
0d1c97
@@ -0,0 +1,41 @@
0d1c97
+/*
0d1c97
+ * Copyright (C) 2021 Red Hat <nfs@redhat.com>
0d1c97
+ *
0d1c97
+ * support/export/export.h
0d1c97
+ *
0d1c97
+ * Declarations for export support
0d1c97
+ */
0d1c97
+
0d1c97
+#ifndef EXPORT_H
0d1c97
+#define EXPORT_H
0d1c97
+
0d1c97
+#include "nfslib.h"
0d1c97
+#include "exportfs.h"
0d1c97
+
0d1c97
+unsigned int	auth_reload(void);
0d1c97
+nfs_export *	auth_authenticate(const char *what,
0d1c97
+					const struct sockaddr *caller,
0d1c97
+					const char *path);
0d1c97
+
0d1c97
+void		cache_open(void);
0d1c97
+void		cache_set_fds(fd_set *fdset);
0d1c97
+int		cache_process_req(fd_set *readfds);
0d1c97
+void		cache_process_loop(void);
0d1c97
+
0d1c97
+void		v4clients_init(void);
0d1c97
+void		v4clients_set_fds(fd_set *fdset);
0d1c97
+int		v4clients_process(fd_set *fdset);
0d1c97
+
0d1c97
+struct nfs_fh_len *
0d1c97
+		cache_get_filehandle(nfs_export *exp, int len, char *p);
0d1c97
+int		cache_export(nfs_export *exp, char *path);
0d1c97
+
0d1c97
+bool ipaddr_client_matches(nfs_export *exp, struct addrinfo *ai);
0d1c97
+bool namelist_client_matches(nfs_export *exp, char *dom);
0d1c97
+bool client_matches(nfs_export *exp, char *dom, struct addrinfo *ai);
0d1c97
+
0d1c97
+static inline bool is_ipaddr_client(char *dom)
0d1c97
+{
0d1c97
+	return dom[0] == '$';
0d1c97
+}
0d1c97
+#endif /* EXPORT__H */
0d1c97
diff --git a/support/export/v4clients.c b/support/export/v4clients.c
0d1c97
new file mode 100644
0d1c97
index 00000000..dd985463
0d1c97
--- /dev/null
0d1c97
+++ b/support/export/v4clients.c
0d1c97
@@ -0,0 +1,227 @@
0d1c97
+/*
0d1c97
+ * support/export/v4clients.c
0d1c97
+ *
0d1c97
+ * Montior clients appearing in, and disappearing from, /proc/fs/nfsd/clients
0d1c97
+ * and log relevant information.
0d1c97
+ */
0d1c97
+
0d1c97
+#include <unistd.h>
0d1c97
+#include <stdlib.h>
0d1c97
+#include <sys/inotify.h>
0d1c97
+#include <errno.h>
0d1c97
+#include "export.h"
0d1c97
+
0d1c97
+/* search.h declares 'struct entry' and nfs_prot.h
0d1c97
+ * does too.  Easiest fix is to trick search.h into
0d1c97
+ * calling its struct "struct Entry".
0d1c97
+ */
0d1c97
+#define entry Entry
0d1c97
+#include <search.h>
0d1c97
+#undef entry
0d1c97
+
0d1c97
+static int clients_fd = -1;
0d1c97
+
0d1c97
+void v4clients_init(void)
0d1c97
+{
0d1c97
+	if (clients_fd >= 0)
0d1c97
+		return;
0d1c97
+	clients_fd = inotify_init1(IN_NONBLOCK);
0d1c97
+	if (clients_fd < 0) {
0d1c97
+		xlog_err("Unable to initialise v4clients watcher: %s\n",
0d1c97
+			 strerror(errno));
0d1c97
+		return;
0d1c97
+	}
0d1c97
+	if (inotify_add_watch(clients_fd, "/proc/fs/nfsd/clients",
0d1c97
+			      IN_CREATE | IN_DELETE) < 0) {
0d1c97
+		xlog_err("Unable to watch /proc/fs/nfsd/clients: %s\n",
0d1c97
+			 strerror(errno));
0d1c97
+		close(clients_fd);
0d1c97
+		clients_fd = -1;
0d1c97
+		return;
0d1c97
+	}
0d1c97
+}
0d1c97
+
0d1c97
+void v4clients_set_fds(fd_set *fdset)
0d1c97
+{
0d1c97
+	if (clients_fd >= 0)
0d1c97
+		FD_SET(clients_fd, fdset);
0d1c97
+}
0d1c97
+
0d1c97
+static void *tree_root;
0d1c97
+static int have_unconfirmed;
0d1c97
+
0d1c97
+struct ent {
0d1c97
+	unsigned long num;
0d1c97
+	char *clientid;
0d1c97
+	char *addr;
0d1c97
+	int vers;
0d1c97
+	int unconfirmed;
0d1c97
+	int wid;
0d1c97
+};
0d1c97
+
0d1c97
+static int ent_cmp(const void *av, const void *bv)
0d1c97
+{
0d1c97
+	const struct ent *a = av;
0d1c97
+	const struct ent *b = bv;
0d1c97
+
0d1c97
+	if (a->num < b->num)
0d1c97
+		return -1;
0d1c97
+	if (a->num > b->num)
0d1c97
+		return 1;
0d1c97
+	return 0;
0d1c97
+}
0d1c97
+
0d1c97
+static void free_ent(struct ent *ent)
0d1c97
+{
0d1c97
+	free(ent->clientid);
0d1c97
+	free(ent->addr);
0d1c97
+	free(ent);
0d1c97
+}
0d1c97
+
0d1c97
+static char *dup_line(char *line)
0d1c97
+{
0d1c97
+	char *ret;
0d1c97
+	char *e = strchr(line, '\n');
0d1c97
+	if (!e)
0d1c97
+		e = line + strlen(line);
0d1c97
+	ret = malloc(e - line + 1);
0d1c97
+	if (ret) {
0d1c97
+		memcpy(ret, line, e - line);
0d1c97
+		ret[e-line] = 0;
0d1c97
+	}
0d1c97
+	return ret;
0d1c97
+}
0d1c97
+
0d1c97
+static void read_info(struct ent *key)
0d1c97
+{
0d1c97
+	char buf[2048];
0d1c97
+	char *path;
0d1c97
+	int was_unconfirmed = key->unconfirmed;
0d1c97
+	FILE *f;
0d1c97
+
0d1c97
+	if (asprintf(&path, "/proc/fs/nfsd/clients/%lu/info", key->num) < 0)
0d1c97
+		return;
0d1c97
+
0d1c97
+	f = fopen(path, "r");
0d1c97
+	if (!f) {
0d1c97
+		free(path);
0d1c97
+		return;
0d1c97
+	}
0d1c97
+	if (key->wid < 0)
0d1c97
+		key->wid = inotify_add_watch(clients_fd, path, IN_MODIFY);
0d1c97
+
0d1c97
+	while (fgets(buf, sizeof(buf), f)) {
0d1c97
+		if (strncmp(buf, "clientid: ", 10) == 0) {
0d1c97
+			free(key->clientid);
0d1c97
+			key->clientid = dup_line(buf+10);
0d1c97
+		}
0d1c97
+		if (strncmp(buf, "address: ", 9) == 0) {
0d1c97
+			free(key->addr);
0d1c97
+			key->addr = dup_line(buf+9);
0d1c97
+		}
0d1c97
+		if (strncmp(buf, "minor version: ", 15) == 0)
0d1c97
+			key->vers = atoi(buf+15);
0d1c97
+		if (strncmp(buf, "status: ", 8) == 0 &&
0d1c97
+		    strstr(buf, " unconfirmed") != NULL) {
0d1c97
+			key->unconfirmed = 1;
0d1c97
+			have_unconfirmed = 1;
0d1c97
+		}
0d1c97
+		if (strncmp(buf, "status: ", 8) == 0 &&
0d1c97
+		    strstr(buf, " confirmed") != NULL)
0d1c97
+			key->unconfirmed = 0;
0d1c97
+	}
0d1c97
+	fclose(f);
0d1c97
+	free(path);
0d1c97
+
0d1c97
+	if (was_unconfirmed && !key->unconfirmed)
0d1c97
+		xlog(L_NOTICE, "v4.%d client attached: %s from %s",
0d1c97
+		     key->vers, key->clientid ?: "-none-",
0d1c97
+		     key->addr ?: "-none-");
0d1c97
+	if (!key->unconfirmed && key->wid >= 0) {
0d1c97
+		inotify_rm_watch(clients_fd, key->wid);
0d1c97
+		key->wid = -1;
0d1c97
+	}
0d1c97
+}
0d1c97
+
0d1c97
+static void add_id(int id)
0d1c97
+{
0d1c97
+	struct ent **ent;
0d1c97
+	struct ent *key;
0d1c97
+
0d1c97
+	key = calloc(1, sizeof(*key));
0d1c97
+	if (!key) {
0d1c97
+		return;
0d1c97
+	}
0d1c97
+	key->num = id;
0d1c97
+	key->wid = -1;
0d1c97
+
0d1c97
+	ent = tsearch(key, &tree_root, ent_cmp);
0d1c97
+
0d1c97
+	if (!ent || *ent != key)
0d1c97
+		/* Already existed, or insertion failed */
0d1c97
+		free_ent(key);
0d1c97
+	else
0d1c97
+		read_info(key);
0d1c97
+}
0d1c97
+
0d1c97
+static void del_id(unsigned long id)
0d1c97
+{
0d1c97
+	struct ent key = {.num = id};
0d1c97
+	struct ent **e, *ent;
0d1c97
+
0d1c97
+	e = tfind(&key, &tree_root, ent_cmp);
0d1c97
+	if (!e || !*e)
0d1c97
+		return;
0d1c97
+	ent = *e;
0d1c97
+	tdelete(ent, &tree_root, ent_cmp);
0d1c97
+	if (!ent->unconfirmed)
0d1c97
+		xlog(L_NOTICE, "v4.%d client detached: %s from %s",
0d1c97
+		     ent->vers, ent->clientid, ent->addr);
0d1c97
+	if (ent->wid >= 0)
0d1c97
+		inotify_rm_watch(clients_fd, ent->wid);
0d1c97
+	free_ent(ent);
0d1c97
+}
0d1c97
+
0d1c97
+static void check_id(unsigned long id)
0d1c97
+{
0d1c97
+	struct ent key = {.num = id};
0d1c97
+	struct ent **e, *ent;
0d1c97
+
0d1c97
+	e = tfind(&key, &tree_root, ent_cmp);
0d1c97
+	if (!e || !*e)
0d1c97
+		return;
0d1c97
+	ent = *e;
0d1c97
+	if (ent->unconfirmed)
0d1c97
+		read_info(ent);
0d1c97
+}
0d1c97
+
0d1c97
+int v4clients_process(fd_set *fdset)
0d1c97
+{
0d1c97
+	char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
0d1c97
+	const struct inotify_event *ev;
0d1c97
+	ssize_t len;
0d1c97
+	char *ptr;
0d1c97
+
0d1c97
+	if (clients_fd < 0 ||
0d1c97
+	    !FD_ISSET(clients_fd, fdset))
0d1c97
+		return 0;
0d1c97
+
0d1c97
+	while ((len = read(clients_fd, buf, sizeof(buf))) > 0) {
0d1c97
+		for (ptr = buf; ptr < buf + len;
0d1c97
+		     ptr += sizeof(struct inotify_event) + ev->len) {
0d1c97
+			int id;
0d1c97
+			ev = (const struct inotify_event *)ptr;
0d1c97
+
0d1c97
+			id = atoi(ev->name);
0d1c97
+			if (id <= 0)
0d1c97
+				continue;
0d1c97
+			if (ev->mask & IN_CREATE)
0d1c97
+				add_id(id);
0d1c97
+			if (ev->mask & IN_DELETE)
0d1c97
+				del_id(id);
0d1c97
+			if (ev->mask & IN_MODIFY)
0d1c97
+				check_id(id);
0d1c97
+		}
0d1c97
+	}
0d1c97
+	return 1;
0d1c97
+}
0d1c97
diff --git a/utils/mountd/v4root.c b/support/export/v4root.c
0d1c97
similarity index 99%
0d1c97
rename from utils/mountd/v4root.c
0d1c97
rename to support/export/v4root.c
0d1c97
index 8ec33fb0..4d33117f 100644
0d1c97
--- a/utils/mountd/v4root.c
0d1c97
+++ b/support/export/v4root.c
0d1c97
@@ -47,7 +47,7 @@ static nfs_export pseudo_root = {
0d1c97
 		.e_nsqgids = 0,
0d1c97
 		.e_fsid = 0,
0d1c97
 		.e_mountpoint = NULL,
0d1c97
-		.e_ttl = DEFAULT_TTL,
0d1c97
+		.e_ttl = 0,
0d1c97
 	},
0d1c97
 	.m_exported = 0,
0d1c97
 	.m_xtabent = 1,
0d1c97
@@ -86,6 +86,7 @@ v4root_create(char *path, nfs_export *export)
0d1c97
 	struct exportent *curexp = &export->m_export;
0d1c97
 
0d1c97
 	dupexportent(&eep, &pseudo_root.m_export);
0d1c97
+	eep.e_ttl = default_ttl;
0d1c97
 	eep.e_hostname = curexp->e_hostname;
0d1c97
 	strncpy(eep.e_path, path, sizeof(eep.e_path)-1);
0d1c97
 	if (strcmp(path, "/") != 0)
0d1c97
diff --git a/support/include/exportfs.h b/support/include/exportfs.h
0d1c97
index 4e0d9d13..bfae1957 100644
0d1c97
--- a/support/include/exportfs.h
0d1c97
+++ b/support/include/exportfs.h
0d1c97
@@ -105,7 +105,8 @@ typedef struct mexport {
0d1c97
 } nfs_export;
0d1c97
 
0d1c97
 #define HASH_TABLE_SIZE 1021
0d1c97
-#define DEFAULT_TTL	(30 * 60)
0d1c97
+
0d1c97
+extern int default_ttl;
0d1c97
 
0d1c97
 typedef struct _exp_hash_entry {
0d1c97
 	nfs_export * p_first;
0d1c97
diff --git a/support/nfs/exports.c b/support/nfs/exports.c
0d1c97
index a7582cae..4dd2e5d3 100644
0d1c97
--- a/support/nfs/exports.c
0d1c97
+++ b/support/nfs/exports.c
0d1c97
@@ -47,6 +47,8 @@ struct flav_info flav_map[] = {
0d1c97
 
0d1c97
 const int flav_map_size = sizeof(flav_map)/sizeof(flav_map[0]);
0d1c97
 
0d1c97
+int default_ttl = 30 * 60;
0d1c97
+
0d1c97
 static char	*efname = NULL;
0d1c97
 static XFILE	*efp = NULL;
0d1c97
 static int	first;
0d1c97
@@ -100,7 +102,7 @@ static void init_exportent (struct exportent *ee, int fromkernel)
0d1c97
 	ee->e_nsquids = 0;
0d1c97
 	ee->e_nsqgids = 0;
0d1c97
 	ee->e_uuid = NULL;
0d1c97
-	ee->e_ttl = DEFAULT_TTL;
0d1c97
+	ee->e_ttl = default_ttl;
0d1c97
 }
0d1c97
 
0d1c97
 struct exportent *
0d1c97
diff --git a/systemd/nfs.conf.man b/systemd/nfs.conf.man
0d1c97
index 498d93a9..aa4630bb 100644
0d1c97
--- a/systemd/nfs.conf.man
0d1c97
+++ b/systemd/nfs.conf.man
0d1c97
@@ -157,6 +157,8 @@ Recognized values:
0d1c97
 .BR port ,
0d1c97
 .BR threads ,
0d1c97
 .BR reverse-lookup ,
0d1c97
+.BR cache-use-upaddr ,
0d1c97
+.BR ttl ,
0d1c97
 .BR state-directory-path ,
0d1c97
 .BR ha-callout .
0d1c97
 
0d1c97
@@ -166,6 +168,14 @@ section, are used to configure mountd.  See
0d1c97
 .BR rpc.mountd (8)
0d1c97
 for details.
0d1c97
 
0d1c97
+Note that setting 
0d1c97
+.B "\[dq]debug = auth\[dq]"
0d1c97
+for
0d1c97
+.B mountd
0d1c97
+is equivalent to providing the
0d1c97
+.B \-\-log\-auth
0d1c97
+option.
0d1c97
+
0d1c97
 The
0d1c97
 .B state-directory-path
0d1c97
 value in the
0d1c97
diff --git a/utils/mountd/Makefile.am b/utils/mountd/Makefile.am
0d1c97
index 73eeb3f3..c41f06de 100644
0d1c97
--- a/utils/mountd/Makefile.am
0d1c97
+++ b/utils/mountd/Makefile.am
0d1c97
@@ -13,8 +13,8 @@ KPREFIX		= @kprefix@
0d1c97
 sbin_PROGRAMS	= mountd
0d1c97
 
0d1c97
 noinst_HEADERS = fsloc.h
0d1c97
-mountd_SOURCES = mountd.c mount_dispatch.c auth.c rmtab.c cache.c \
0d1c97
-		 svc_run.c fsloc.c v4root.c mountd.h
0d1c97
+mountd_SOURCES = mountd.c mount_dispatch.c rmtab.c \
0d1c97
+		 svc_run.c fsloc.c mountd.h
0d1c97
 mountd_LDADD = ../../support/export/libexport.a \
0d1c97
 	       ../../support/nfs/libnfs.la \
0d1c97
 	       ../../support/misc/libmisc.a \
0d1c97
diff --git a/utils/mountd/mountd.c b/utils/mountd/mountd.c
0d1c97
index 0b891121..2b342377 100644
0d1c97
--- a/utils/mountd/mountd.c
0d1c97
+++ b/utils/mountd/mountd.c
0d1c97
@@ -30,6 +30,7 @@
0d1c97
 #include "rpcmisc.h"
0d1c97
 #include "pseudoflavors.h"
0d1c97
 #include "nfslib.h"
0d1c97
+#include "export.h"
0d1c97
 
0d1c97
 extern void my_svc_run(void);
0d1c97
 
0d1c97
@@ -73,8 +74,12 @@ static struct option longopts[] =
0d1c97
 	{ "reverse-lookup", 0, 0, 'r' },
0d1c97
 	{ "manage-gids", 0, 0, 'g' },
0d1c97
 	{ "no-udp", 0, 0, 'u' },
0d1c97
+	{ "log-auth", 0, 0, 'l'},
0d1c97
+	{ "cache-use-ipaddr", 0, 0, 'i'},
0d1c97
+	{ "ttl", 1, 0, 'T'},
0d1c97
 	{ NULL, 0, 0, 0 }
0d1c97
 };
0d1c97
+static char shortopts[] = "o:nFd:p:P:hH:N:V:vurs:t:gliT:";
0d1c97
 
0d1c97
 #define NFSVERSBIT(vers)	(0x1 << (vers - 1))
0d1c97
 #define NFSVERSBIT_ALL		(NFSVERSBIT(2) | NFSVERSBIT(3) | NFSVERSBIT(4))
0d1c97
@@ -669,6 +674,7 @@ main(int argc, char **argv)
0d1c97
 	int	port = 0;
0d1c97
 	int	descriptors = 0;
0d1c97
 	int	c;
0d1c97
+	int	ttl;
0d1c97
 	int	vers;
0d1c97
 	struct sigaction sa;
0d1c97
 	struct rlimit rlim;
0d1c97
@@ -687,6 +693,8 @@ main(int argc, char **argv)
0d1c97
 	num_threads = conf_get_num("mountd", "threads", num_threads);
0d1c97
 	reverse_resolve = conf_get_bool("mountd", "reverse-lookup", reverse_resolve);
0d1c97
 	ha_callout_prog = conf_get_str("mountd", "ha-callout");
0d1c97
+	if (conf_get_bool("mountd", "cache-use-ipaddr", 0))
0d1c97
+		use_ipaddr = 2;
0d1c97
 
0d1c97
 	s = conf_get_str("mountd", "state-directory-path");
0d1c97
 	if (s && !state_setup_basedir(argv[0], s))
0d1c97
@@ -710,10 +718,13 @@ main(int argc, char **argv)
0d1c97
 			NFSCTL_VERUNSET(nfs_version, vers);
0d1c97
 	}
0d1c97
 
0d1c97
+	ttl = conf_get_num("mountd", "ttl", default_ttl);
0d1c97
+	if (ttl > 0)
0d1c97
+		default_ttl = ttl;
0d1c97
 
0d1c97
 	/* Parse the command line options and arguments. */
0d1c97
 	opterr = 0;
0d1c97
-	while ((c = getopt_long(argc, argv, "o:nFd:p:P:hH:N:V:vurs:t:g", longopts, NULL)) != EOF)
0d1c97
+	while ((c = getopt_long(argc, argv, shortopts, longopts, NULL)) != EOF)
0d1c97
 		switch (c) {
0d1c97
 		case 'g':
0d1c97
 			manage_gids = 1;
0d1c97
@@ -784,6 +795,21 @@ main(int argc, char **argv)
0d1c97
 		case 'u':
0d1c97
 			NFSCTL_UDPUNSET(_rpcprotobits);
0d1c97
 			break;
0d1c97
+		case 'l':
0d1c97
+			xlog_sconfig("auth", 1);
0d1c97
+			break;
0d1c97
+		case 'i':
0d1c97
+			use_ipaddr = 2;
0d1c97
+			break;
0d1c97
+		case 'T':
0d1c97
+			ttl = atoi(optarg);
0d1c97
+			if (ttl <= 0) {
0d1c97
+				fprintf(stderr, "%s: bad ttl number of seconds: %s\n",
0d1c97
+					argv[0], optarg);
0d1c97
+				usage(argv[0], 1);
0d1c97
+			}
0d1c97
+			default_ttl = ttl;
0d1c97
+			break;
0d1c97
 		case 0:
0d1c97
 			break;
0d1c97
 		case '?':
0d1c97
@@ -888,6 +914,8 @@ main(int argc, char **argv)
0d1c97
 	if (num_threads > 1)
0d1c97
 		fork_workers();
0d1c97
 
0d1c97
+	v4clients_init();
0d1c97
+
0d1c97
 	xlog(L_NOTICE, "Version " VERSION " starting");
0d1c97
 	my_svc_run();
0d1c97
 
0d1c97
@@ -903,6 +931,7 @@ usage(const char *prog, int n)
0d1c97
 {
0d1c97
 	fprintf(stderr,
0d1c97
 "Usage: %s [-F|--foreground] [-h|--help] [-v|--version] [-d kind|--debug kind]\n"
0d1c97
+"	[-l|--log-auth] [-i|--cache-use-ipaddr] [-T|--ttl ttl]\n"
0d1c97
 "	[-o num|--descriptors num]\n"
0d1c97
 "	[-p|--port port] [-V version|--nfs-version version]\n"
0d1c97
 "	[-N version|--no-nfs-version version] [-n|--no-tcp]\n"
0d1c97
diff --git a/utils/mountd/mountd.h b/utils/mountd/mountd.h
0d1c97
index f058f01d..d3077531 100644
0d1c97
--- a/utils/mountd/mountd.h
0d1c97
+++ b/utils/mountd/mountd.h
0d1c97
@@ -60,9 +60,4 @@ bool ipaddr_client_matches(nfs_export *exp, struct addrinfo *ai);
0d1c97
 bool namelist_client_matches(nfs_export *exp, char *dom);
0d1c97
 bool client_matches(nfs_export *exp, char *dom, struct addrinfo *ai);
0d1c97
 
0d1c97
-static inline bool is_ipaddr_client(char *dom)
0d1c97
-{
0d1c97
-	return dom[0] == '$';
0d1c97
-}
0d1c97
-
0d1c97
 #endif /* MOUNTD_H */
0d1c97
diff --git a/utils/mountd/mountd.man b/utils/mountd/mountd.man
0d1c97
index 8a7943f8..2a91e193 100644
0d1c97
--- a/utils/mountd/mountd.man
0d1c97
+++ b/utils/mountd/mountd.man
0d1c97
@@ -13,24 +13,24 @@ The
0d1c97
 .B rpc.mountd
0d1c97
 daemon implements the server side of the NFS MOUNT protocol,
0d1c97
 an NFS side protocol used by NFS version 2 [RFC1094] and NFS version 3 [RFC1813].
0d1c97
+It also responds to requests from the Linux kernel to authenticate
0d1c97
+clients and provides details of access permissions.
0d1c97
 .PP
0d1c97
-An NFS server maintains a table of local physical file systems
0d1c97
-that are accessible to NFS clients.
0d1c97
-Each file system in this table is referred to as an
0d1c97
-.IR "exported file system" ,
0d1c97
-or
0d1c97
-.IR export ,
0d1c97
-for short.
0d1c97
-.PP
0d1c97
-Each file system in the export table has an access control list.
0d1c97
-.B rpc.mountd
0d1c97
-uses these access control lists to determine
0d1c97
-whether an NFS client is permitted to access a given file system.
0d1c97
-For details on how to manage your NFS server's export table, see the
0d1c97
-.BR exports (5)
0d1c97
-and
0d1c97
-.BR exportfs (8)
0d1c97
-man pages.
0d1c97
+The NFS server
0d1c97
+.RI ( nfsd )
0d1c97
+maintains a cache of authentication and authorization information which
0d1c97
+is used to identify the source of each request, and then what access
0d1c97
+permissions that source has to any local filesystem.  When required
0d1c97
+information is not found in the cache, the server sends a request to
0d1c97
+.B mountd
0d1c97
+to fill in the missing information.  Mountd uses a table of information
0d1c97
+stored in
0d1c97
+.B /var/lib/nfs/etab
0d1c97
+and maintained by
0d1c97
+.BR exportfs (8),
0d1c97
+possibly based on the contents of 
0d1c97
+.BR exports (5),
0d1c97
+to respond to each request.
0d1c97
 .SS Mounting exported NFS File Systems
0d1c97
 The NFS MOUNT protocol has several procedures.
0d1c97
 The most important of these are
0d1c97
@@ -78,11 +78,69 @@ A client may continue accessing an export even after invoking UMNT.
0d1c97
 If the client reboots without sending a UMNT request, stale entries
0d1c97
 remain for that client in
0d1c97
 .IR /var/lib/nfs/rmtab .
0d1c97
+.SS Mounting File Systems with NFSv4
0d1c97
+Version 4 (and later) of NFS does not use a separate NFS MOUNT
0d1c97
+protocol.  Instead mounting is performed using regular NFS requests
0d1c97
+handled by the NFS server in the Linux kernel
0d1c97
+.RI ( nfsd ).
0d1c97
+Consequently
0d1c97
+.I /var/lib/nfs/rmtab
0d1c97
+is not updated to reflect any NFSv4 activity.
0d1c97
 .SH OPTIONS
0d1c97
 .TP
0d1c97
 .B \-d kind " or " \-\-debug kind
0d1c97
 Turn on debugging. Valid kinds are: all, auth, call, general and parse.
0d1c97
 .TP
0d1c97
+.BR \-l " or " \-\-log\-auth
0d1c97
+Enable logging of responses to authentication and access requests from
0d1c97
+nfsd.  Each response is then cached by the kernel for 30 minutes (or as set by
0d1c97
+.B \-\-ttl
0d1c97
+below), and will be refreshed after 15 minutes (half the ttl time) if
0d1c97
+the relevant client remains active.
0d1c97
+Note that
0d1c97
+.B -l
0d1c97
+is equivalent to
0d1c97
+.B "-d auth"
0d1c97
+and so can be enabled in
0d1c97
+.B /etc/nfs.conf
0d1c97
+with
0d1c97
+.B "\[dq]debug = auth\[dq]"
0d1c97
+in the
0d1c97
+.B "[mountd]"
0d1c97
+section.
0d1c97
+.IP
0d1c97
+.B rpc.mountd
0d1c97
+will always log authentication responses to MOUNT requests when NFSv3 is
0d1c97
+used, but to get similar logs for NFSv4, this option is required.
0d1c97
+.TP
0d1c97
+.BR \-i " or " \-\-cache\-use\-ipaddr
0d1c97
+Normally each client IP address is matched against each host identifier
0d1c97
+(name, wildcard, netgroup etc) found in
0d1c97
+.B /etc/exports
0d1c97
+and a combined identity is formed from all matching identifiers.
0d1c97
+Often many clients will map to the same combined identity so performing
0d1c97
+this mapping reduces the number of distinct access details that the
0d1c97
+kernel needs to store.
0d1c97
+Specifying the
0d1c97
+.B \-i
0d1c97
+option suppresses this mapping so that access to each filesystem is
0d1c97
+requested and cached separately for each client IP address.  Doing this
0d1c97
+can increase the burden of updating the cache slightly, but can make the
0d1c97
+log messages produced by the
0d1c97
+.B -l
0d1c97
+option easier to read.
0d1c97
+.TP
0d1c97
+.B \-T " or " \-\-ttl
0d1c97
+Provide a time-to-live (TTL) for cached information given to the kernel.
0d1c97
+The kernel will normally request an update if the information is needed
0d1c97
+after half of this time has expired.  Increasing the provided number,
0d1c97
+which is in seconds, reduces the rate of cache update requests, and this
0d1c97
+is particularly noticeable when these requests are logged with
0d1c97
+.BR \-l .
0d1c97
+However increasing also means that changes to hostname to address
0d1c97
+mappings can take longer to be noticed.
0d1c97
+The default TTL is 1800 (30 minutes).
0d1c97
+.TP
0d1c97
 .B \-F " or " \-\-foreground
0d1c97
 Run in foreground (do not daemonize)
0d1c97
 .TP
0d1c97
@@ -213,9 +271,11 @@ Values recognized in the
0d1c97
 .B [mountd]
0d1c97
 section include
0d1c97
 .BR manage-gids ,
0d1c97
+.BR cache\-use\-ipaddr ,
0d1c97
 .BR descriptors ,
0d1c97
 .BR port ,
0d1c97
 .BR threads ,
0d1c97
+.BR ttl ,
0d1c97
 .BR reverse-lookup ", and"
0d1c97
 .BR state-directory-path ,
0d1c97
 .B ha-callout
0d1c97
@@ -265,5 +325,9 @@ table of clients accessing server's exports
0d1c97
 RFC 1094 - "NFS: Network File System Protocol Specification"
0d1c97
 .br
0d1c97
 RFC 1813 - "NFS Version 3 Protocol Specification"
0d1c97
+.br
0d1c97
+RFC 7530 - "Network File System (NFS) Version 4 Protocol"
0d1c97
+.br
0d1c97
+RFC 8881 - "Network File System (NFS) Version 4 Minor Version 1 Protocol"
0d1c97
 .SH AUTHOR
0d1c97
 Olaf Kirch, H. J. Lu, G. Allan Morris III, and a host of others.
0d1c97
diff --git a/utils/mountd/svc_run.c b/utils/mountd/svc_run.c
0d1c97
index 41b96d7f..167b9757 100644
0d1c97
--- a/utils/mountd/svc_run.c
0d1c97
+++ b/utils/mountd/svc_run.c
0d1c97
@@ -56,10 +56,9 @@
0d1c97
 #ifdef HAVE_LIBTIRPC
0d1c97
 #include <rpc/rpc_com.h>
0d1c97
 #endif
0d1c97
+#include "export.h"
0d1c97
 
0d1c97
 void my_svc_run(void);
0d1c97
-void cache_set_fds(fd_set *fdset);
0d1c97
-int cache_process_req(fd_set *readfds);
0d1c97
 
0d1c97
 #if defined(__GLIBC__) && LONG_MAX != INT_MAX
0d1c97
 /* bug in glibc 2.3.6 and earlier, we need
0d1c97
@@ -101,6 +100,7 @@ my_svc_run(void)
0d1c97
 
0d1c97
 		readfds = svc_fdset;
0d1c97
 		cache_set_fds(&readfds);
0d1c97
+		v4clients_set_fds(&readfds);
0d1c97
 
0d1c97
 		selret = select(FD_SETSIZE, &readfds,
0d1c97
 				(void *) 0, (void *) 0, (struct timeval *) 0);
0d1c97
@@ -116,6 +116,7 @@ my_svc_run(void)
0d1c97
 
0d1c97
 		default:
0d1c97
 			selret -= cache_process_req(&readfds);
0d1c97
+			selret -= v4clients_process(&readfds);
0d1c97
 			if (selret)
0d1c97
 				svc_getreqset(&readfds);
0d1c97
 		}