Message-ID: <877baa2abd2c062a389b88e66dd67f1fba032e93.camel@freebsd.org>
Subject: Re: userland process rpc.lockd opens untraceable ports...is
 something wrong here?
From: Ian Lepore <ian@freebsd.org>
To: BBlister <bblister@gmail.com>, freebsd-hackers@freebsd.org
Date: Wed, 20 Feb 2019 08:00:15 -0700
In-Reply-To: <1550671337578-0.post@n6.nabble.com>
References: <1550610819543-0.post@n6.nabble.com>
 <CAOjFWZ7kJoa-_EVBrLUwLrs9J7ERWqkRf4bZh_giQ4-NRrGS_w@mail.gmail.com>
 <7b44b3ce-9b96-e91b-b9ca-57100c784db7@sentex.net>
 <20190219220404.GA1668@troutmask.apl.washington.edu>
 <1550671337578-0.post@n6.nabble.com>
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>

On Wed, 2019-02-20 at 07:02 -0700, BBlister wrote:
> After one suggestion on the questions list, I used the rpcinfo -p but this
> does not print every unknown port. For example:
> 
> # netstat -an | grep -E '874|815' 
> tcp4       0      0 *.815                  *.*                    LISTEN 
> tcp6       0      0 *.874                  *.*                    LISTEN 
> 
> sockstat reports ? 
> # sockstat | grep -E '874|815' 
> ?        ?          ?     ?  tcp4   *:815                 *:* 
> ?        ?          ?     ?  tcp6   *:874                 *:* 
> 
> rpcinfo -p reports just one port 
> # rpcinfo -p| grep -E '874|815' 
>     100021    0   tcp    815  nlockmgr 
>     100021    1   tcp    815  nlockmgr 
>     100021    3   tcp    815  nlockmgr 
>     100021    4   tcp    815  nlockmgr 
> 
> The 874/tcp6 which belongs to rpc.lockd does not appear on this list.
> Is rpcinfo only for IPv4 and if yes, what tool do I use for IPv6?
> 
> The grand question is of course, is there any tool to actually locate the
> processes that open ports and cannot be identified with sockstat? 
> 
> The second grand question. Why is rpc.lockd a different kind of process that
> cannot be located from sockstat? Other RPC processes are found using
> sockstat, as the following output shows:
> 
> # rpcinfo -p | grep 2049
>     100003    2   udp   2049  nfs
>     100003    3   udp   2049  nfs
>     100003    2   tcp   2049  nfs
>     100003    3   tcp   2049  nfs
> 
> 
> sockstat |grep 2049
> root     nfsd       41279 5  tcp4   *:2049                *:*
> root     nfsd       41279 6  tcp6   *:2049                *:*
> 
> 
> nfs is found using rpcinfo and also using sockstat.
> 
> What does rpc.lockd do that it is not found? After 25 years of sysadmin, I find
> it very strange for FreeBSD not to be able to trace a listening port to
> an executable.

The situation here is that the socket is neither opened by nor owned by
any userland process. The rpc.lockd implementation is split into a
kernel piece and a userland piece, and much of the work is done in-
kernel. The in-kernel part of the code contacts the userland daemon
part for help when it needs to.

So the socket is created by the in-kernel part of lockd, and it is not
tied to any file descriptor. Tools which report on userland processes
use file descriptors to associate kernel resources with the processes
that own them. In this case, it is the kernel itself that owns the
socket, so it can't be reported as belonging to any userland process.

If you're interested in poking around in the code involved, see
nlm_server_main() in src/sys/nlm/nlm_prot_impl.c

-- Ian
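
Added example, not part of the original message or of any FreeBSD tool: a shell function that takes sockstat output and rpcinfo -p output, picks out the listeners sockstat cannot tie to a process (the "?" rows described above), and labels each with the RPC service registered on that port, if any. The function name classify_listeners and the label no-rpcinfo-match are hypothetical; the sample input is constructed from the outputs quoted in the thread.

```shell
#!/bin/sh
# Constructed sample input, taken from the outputs quoted in the thread.
SOCKSTAT_SAMPLE='?        ?          ?     ?  tcp4   *:815                 *:*
?        ?          ?     ?  tcp6   *:874                 *:*
root     nfsd       41279 5  tcp4   *:2049                *:*
root     nfsd       41279 6  tcp6   *:2049                *:*'

RPCINFO_SAMPLE='   program vers proto   port  service
    100021    0   tcp    815  nlockmgr
    100021    1   tcp    815  nlockmgr
    100021    3   tcp    815  nlockmgr
    100021    4   tcp    815  nlockmgr
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs'

# classify_listeners SOCKSTAT_TEXT RPCINFO_TEXT
# Prints "<proto> <port> <service>" for every socket that has no owning
# userland process, i.e. a candidate kernel-owned socket.
classify_listeners() {
    # Feed both inputs through one awk run, separated by a marker line.
    { printf '%s\n' "$2"; echo '@@SOCKSTAT@@'; printf '%s\n' "$1"; } | awk '
        $0 == "@@SOCKSTAT@@" { in_sock = 1; next }

        # rpcinfo -p columns: program vers proto port service
        !in_sock {
            if (NF >= 5 && $4 ~ /^[0-9]+$/) svc[$3 ":" $4] = $5
            next
        }

        # sockstat columns: USER COMMAND PID FD PROTO LOCAL FOREIGN
        # "?" in USER and PID means no file descriptor links the socket
        # to a process.
        $1 == "?" && $3 == "?" && $5 ~ /^(tcp|udp)/ {
            port = $6
            sub(/^.*:/, "", port)              # "*:815" -> "815"
            key = substr($5, 1, 3) ":" port    # tcp4/tcp6 -> tcp
            print $5, port, ((key in svc) ? svc[key] : "no-rpcinfo-match")
        }'
}

# Live use on a FreeBSD host:
#   classify_listeners "$(sockstat -l)" "$(rpcinfo -p)"
classify_listeners "$SOCKSTAT_SAMPLE" "$RPCINFO_SAMPLE"
```

On the sample data the 815/tcp4 listener is attributed to nlockmgr, while 874/tcp6 has no rpcinfo -p entry, matching what the original poster observed.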