From: Bob Healey
Date: Wed, 02 Jul 2014 20:03:43 -0400
To: rmacklem@uoguelph.ca, freebsd-stable@freebsd.org
Subject: Re: Interactions with mxge, pf, nfsd, and the kernel
Message-ID: <53B49DDF.6000607@rpi.edu>
In-Reply-To: <20140702235052.GA3334@anubis.morrow.me.uk>

What I want to do, and is not valid, is

    zfs set sharenfs="maproot=root,network 128.113.185.0/24, network 128.113.186.0/24,network 10.0.0.0/8" tank/home

To get the desired functionality, I have to do

    zfs set sharenfs="maproot=root,network 0.0.0.0/0"

and then set a host level firewall.

Bob Healey
Systems Administrator
Biocomputation and Bioinformatics
Constellation and Molecularium
healer@rpi.edu
(518) 276-4407

On 7/2/2014 7:50 PM, Ben Morrow wrote:
> Quoth Rick Macklem:
>> Bob Healey wrote:
>>>>> 10/8. If there is a way in zfs's sharenfs property to make that
>>>>> restriction, I'd be happy to change, but I really don't like
>>>>> leaving nfs
>>>>> open to the university's quartet of /16's, so PF it is.
>> You can specify pretty well any subnet for lines in /etc/exports.
>> You can export the file systems via /etc/exports. (I'm not a zfs
>> guy, but my understanding is that zfs sharenfs just generates lines
>> for the exports file.)
> You can specify any exports(5) options in the sharenfs property. See
> Example 16 in zfs(8).
>
> Ben
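
Added example (not part of the original message and not FreeBSD code): because the workaround above exports to 0.0.0.0/0 and leaves the restriction to the host firewall, a small check over exports(5)-style lines can flag any export that is not confined to the three networks named in the message. It assumes CIDR -network options only (no -mask and no host lists); the sample lines and function names are constructed for illustration.

```python
import ipaddress

# Networks the message wants NFS limited to (taken from the post).
ALLOWED = [ipaddress.ip_network(n) for n in
           ("128.113.185.0/24", "128.113.186.0/24", "10.0.0.0/8")]

# Constructed sample in exports(5) syntax; not taken from a real system.
SAMPLE = """\
# constructed sample
/tank/home -maproot=root -network 0.0.0.0/0
/tank/home -maproot=root -network 128.113.185.0/24
/tank/home -maproot=root -network=10.0.0.0/8
/tank/scratch -maproot=root -network 128.113.0.0/16
"""

def network_values(tokens):
    """Yield the value of each -network option ("-network net" or "-network=net")."""
    it = iter(tokens)
    for tok in it:
        if tok == "-network":
            yield next(it, "")
        elif tok.startswith("-network="):
            yield tok.split("=", 1)[1]

def audit(text):
    """Return (line number, path, reason) for every export not confined to ALLOWED."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not tokens:
            continue
        path, values = tokens[0], list(network_values(tokens[1:]))
        if not values:
            findings.append((lineno, path, "no -network option on this line"))
        for value in values:
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append((lineno, path, f"unparsable network {value!r}"))
                continue
            # subnet_of() requires matching IP versions, so compare versions first.
            if not any(net.version == a.version and net.subnet_of(a) for a in ALLOWED):
                findings.append((lineno, path, f"{net} is not inside the intended networks"))
    return findings

if __name__ == "__main__":
    for lineno, path, reason in audit(SAMPLE):
        print(f"line {lineno}: {path}: {reason}")
```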