NFS seems to be not able to restrict IPV6 address range #98567

Closed
astrojhgu opened this issue Sep 23, 2020 · 3 comments

@astrojhgu

Describe the bug
A clear and concise description of what the bug is.
In the `services.nfs.server.exports` option, I specified the IPv4 range as 192.168.1.0/24 and did not specify an IPv6 address. I thought it would automatically forbid access through IPv6. However, I find that I can mount the exported point from a machine with a global IPv6 address, and this machine is not in the same subnet as the NFS server.

To Reproduce
Steps to reproduce the behavior:

  1. Set the NFS-related options as

     ```nix
     services.nfs.server.enable = true;
     services.nfs.server.exports = ''
       /export/data1                 192.168.1.0/24 (rw,insecure,no_subtree_check)
     '';
     ```
  2. Check the IPv6 address of the nfs6 server with `ip addr`.
  3. On an external machine that has IPv6 enabled, run the command

     ```
     sudo mount '[ipv6 address]:/export/data1' /some/mounting/point
     ```
  4. The mounting will succeed.

Expected behavior
A clear and concise description of what you expected to happen.
As I didn't specify the IPv6 options in `services.nfs.server.exports`, shouldn't it disallow me from mounting the exported fs with an IPv6 address?

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

Notify maintainers

Metadata
Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

 - system: `"x86_64-linux"`
 - host os: `Linux 5.4.62, NixOS, 20.03.2913.4bd1938e03e (Markhor)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3.6`
 - channels(root): `"nixos-20.03"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module:
@peterhoeg
Member

What happens if you specify an ipv6 network from which to limit access?

@astrojhgu
Author

```
/export/data1                 192.168.1.0/24 (rw,insecure,no_subtree_check)
```

I finally found that the space between the subnet address and the options is the root of everything!

I removed this space so that this line becomes

```
/export/data1                 192.168.1.0/24(rw,insecure,no_subtree_check)
```

Then everything is OK now.

This trick is so dangerous!


@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/how-to-set-access-control-for-nfs-on-ipv6/9110/2
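
Added example, not part of the original thread or of nixpkgs: a small check for the pitfall found above. In exports(5) syntax, an option list separated from its client by whitespace becomes its own entry that matches any host, while the client before it falls back to default options, so the function flags every such detached list. The function names and the sample text are constructed for illustration, and quoted paths containing spaces are assumed not to occur.

```python
import re

# One exports(5) entry: a client spec with "(options)" attached, a bare
# "(options)" with no client, or a bare client spec without options.
ENTRY = re.compile(r"[^\s(]*\([^)]*\)|[^\s()]+")

def logical_lines(text):
    """Yield (first_line_no, line): comments stripped, '\\' continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf
        buf, start = "", None

def lint_exports(text):
    """Return (line_no, path, detached_options, preceding_client) for each
    option list that is not glued to a client and therefore applies to any host."""
    findings = []
    for no, line in logical_lines(text):
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        prev = None
        for entry in ENTRY.findall(rest):
            if entry.startswith("("):
                findings.append((no, path, entry, prev))
            prev = entry
    return findings

# Constructed sample: the two export lines quoted in this issue.
SAMPLE = """\
# /etc/exports
/export/data1                 192.168.1.0/24 (rw,insecure,no_subtree_check)
/export/data1                 192.168.1.0/24(rw,insecure,no_subtree_check)
"""

if __name__ == "__main__":
    for no, path, opts, client in lint_exports(SAMPLE):
        print(f"line {no}: {path}: {opts} is detached from {client!r} "
              "and is exported to every host")
```

Running the same check against the generated `/etc/exports` after a rebuild, together with `exportfs -v` on the server, shows which clients each export actually admits.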
