authorRick Macklem <rmacklem@FreeBSD.org>2020-11-06 16:33:42 +0000
committerRick Macklem <rmacklem@FreeBSD.org>2020-11-06 16:33:42 +0000
commit4389a5661034536b423181476cbbc6efca825055 (patch)
tree820bdd701fa8787e1323632ffe9dcd81881d9c9c
parentacb5785aae3e13cb78565937ed5b9c52e1f1fb7b (diff)
Add support for the new mountd -R option.
r376026 added a new "-R" option to mountd, which tells it to not support the Mount protocol (not used by NFSv4) and not register with rpcbind. Rpcbind is considered a security issue by some sites now. This patch adds a new yes/no variable called nfsv4_server_only. When that is set, make vfs.nfsd.server_min_vers=4 and set "-R" for mountd. Setting vfs.nfsd.server_min_vers=4 tells nfsd to not register with rpcbind. While here, add a check for "load_kld nfsd" failing to nfsd. Reviewed by: 0mp MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D26938
Notes
Notes: svn path=/head/; revision=367423
-rw-r--r--libexec/rc/rc.conf1
-rwxr-xr-xlibexec/rc/rc.d/mountd26
-rwxr-xr-xlibexec/rc/rc.d/nfsd9
3 files changed, 30 insertions, 6 deletions
diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf
index 5c58c00dd5e2..d8c24853225f 100644
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@@ -380,6 +380,7 @@ rpc_ypupdated_enable="NO" # Run if NIS master and SecureRPC (or NO).
keyserv_enable="NO" # Run the SecureRPC keyserver (or NO).
keyserv_flags="" # Flags to keyserv (if enabled).
nfsv4_server_enable="NO" # Enable support for NFSv4
+nfsv4_server_only="NO" # Set NFS server to NFSv4 only
nfscbd_enable="NO" # NFSv4 client side callback daemon
nfscbd_flags="" # Flags for nfscbd
nfsuserd_enable="NO" # NFSv4 user/group name mapping daemon
diff --git a/libexec/rc/rc.d/mountd b/libexec/rc/rc.d/mountd
index e554a1f4afc2..85d04c37a018 100755
--- a/libexec/rc/rc.d/mountd
+++ b/libexec/rc/rc.d/mountd
@@ -20,13 +20,33 @@ extra_commands="reload"
mountd_precmd()
{
- force_depend rpcbind || return 1
+
+ # Load the modules now, so that the vfs.nfsd sysctl
+ # oids are available.
+ load_kld nfsd || return 1
+
+ # Do not force rpcbind to be running for an NFSv4 only server.
+ #
+ if checkyesno nfsv4_server_only; then
+ echo 'NFSv4 only server'
+ sysctl vfs.nfsd.server_min_nfsvers=4 > /dev/null
+ sysctl vfs.nfsd.server_max_nfsvers=4 > /dev/null
+ rc_flags="${rc_flags} -R"
+ else
+ force_depend rpcbind || return 1
+ fi
# mountd flags will differ depending on rc.conf settings
#
- if checkyesno nfs_server_enable ; then
+ if checkyesno nfs_server_enable || checkyesno nfsv4_server_only; then
if checkyesno weak_mountd_authentication; then
- rc_flags="${mountd_flags} -n"
+ if checkyesno nfsv4_server_only; then
+ echo -n 'weak_mountd_authentication '
+ echo -n 'incompatible with nfsv4_server_only, '
+ echo 'ignored'
+ else
+ rc_flags="${rc_flags} -n"
+ fi
fi
else
if checkyesno mountd_enable; then
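Review bot: The two `sysctl` calls in the new `nfsv4_server_only` branch are unchecked, so if either fails mountd still starts with `-R` and without rpcbind while nfsd may keep accepting NFSv3 requests. Because the option exists to narrow the exposed protocol surface, a failure here should stop startup, as the added `load_kld nfsd || return 1` already does: `sysctl vfs.nfsd.server_max_nfsvers=4 > /dev/null || return 1`, then the same for `server_min_nfsvers`. Setting the maximum before the minimum also avoids a transient min > max state, in case the kernel rejects that ordering (not visible from this hunk). mountd_precmd continues past the end of the hunk.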
diff --git a/libexec/rc/rc.d/nfsd b/libexec/rc/rc.d/nfsd
index 3c16416f23d9..1d0689b3beb7 100755
--- a/libexec/rc/rc.d/nfsd
+++ b/libexec/rc/rc.d/nfsd
@@ -26,7 +26,7 @@ nfsd_precmd()
# Load the modules now, so that the vfs.nfsd sysctl
# oids are available.
- load_kld nfsd
+ load_kld nfsd || return 1
if checkyesno nfs_reserved_port_only; then
echo 'NFS on reserved port only=YES'
@@ -41,12 +41,15 @@ nfsd_precmd()
if checkyesno nfsv4_server_enable; then
sysctl vfs.nfsd.server_max_nfsvers=4 > /dev/null
- else
+ elif ! checkyesno nfsv4_server_only; then
echo 'NFSv4 is disabled'
sysctl vfs.nfsd.server_max_nfsvers=3 > /dev/null
fi
- force_depend rpcbind || return 1
+ if ! checkyesno nfsv4_server_only; then
+ force_depend rpcbind || return 1
+ fi
+
force_depend mountd || return 1
if [ -n "${nfs_server_vhost}" ]; then
command_args="-V \"${nfs_server_vhost}\""
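Review bot: With `nfsv4_server_only=YES` and `nfsv4_server_enable=NO`, the new `elif` branch sets no version sysctl at all, and nothing in this hunk sets `vfs.nfsd.server_min_nfsvers=4`. The restriction therefore appears to depend on mountd's precmd having run through `force_depend mountd`. If mountd is already running, for example because it was started before rc.conf was changed, it presumably is not restarted, and nfsd would come up without the rpcbind dependency but with the old version range. Consider applying the limits in nfsd_precmd itself when `checkyesno nfsv4_server_only` is true, with `sysctl vfs.nfsd.server_max_nfsvers=4 > /dev/null || return 1` and the matching `server_min_nfsvers` line, so the two scripts do not rely on start order. nfsd_precmd starts before and ends after this hunk.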