Re: [PATCH 0/3] nfs-utils: Enabling TCP wrappers

Steve Dickson <SteveD@xxxxxxxxxx> · Fri, 19 Dec 2008 12:00:14 -0500

Chuck Lever wrote:
>> @@ -72,12 +74,29 @@ mount_dispatch(struct svc_req *rqstp, SVCXPRT
>> *transp)
>>     union mountd_results    result;
>>
>> #ifdef HAVE_TCP_WRAPPER
>> +#ifdef IPV6_SUPPORTED
>> +    static int once = 0;
>> +
>> +    if (svc_getcaller(transp)->sin_family != AF_INET) {
> 
> It's not clear to me that svc_getcaller() will ever return a non-AF_INET
> address.
> 
> Should we use svc_getcaller_netbuf() here instead?
> 
Here is the same patch using svc_getcaller_netbuf() instead
of svc_getcaller():

comments?

steved.

commit 87aef16ecab0ee3b0744d24b0e257e9d108ff4c0
Author: Steve Dickson <steved@xxxxxxxxxx>
Date:   Fri Dec 19 11:58:02 2008 -0500

    Skip the host access check when IPv6 is enabled and its an IPv6 address.
    
    Signed-off-by: Steve Dickson <steved@xxxxxxxxxx>

diff --git a/utils/mountd/mount_dispatch.c b/utils/mountd/mount_dispatch.c
index f00c0c5..9223509 100644
--- a/utils/mountd/mount_dispatch.c
+++ b/utils/mountd/mount_dispatch.c
@@ -12,6 +12,8 @@
 #include "tcpwrapper.h"
 #endif
 
+#include <sys/syslog.h>
+
 #include "mountd.h"
 #include "rpcmisc.h"
 
@@ -72,12 +74,32 @@ mount_dispatch(struct svc_req *rqstp, SVCXPRT *transp)
 	union mountd_results	result;
 
 #ifdef HAVE_TCP_WRAPPER
+#ifdef IPV6_SUPPORTED
+	struct sockaddr *sa;
+	static int once = 0;
+
+	sa = (struct sockaddr *)svc_getcaller_netbuf(transp)->buf;
+	if (sa->sa_family != AF_INET) {
+		if (!once) {
+			syslog(LOG_WARNING, 
+				"No IPv6 support in Access Control Library (TCP Wrappers)"); 
+			once++;
+		}
+		goto skipcheck;
+	}
+#endif
+
 	/* remote host authorization check */
 	if (!check_default("mountd", svc_getcaller(transp),
 			   rqstp->rq_proc, MOUNTPROG)) {
 		svcerr_auth (transp, AUTH_FAILED);
 		return;
 	}
+
+#ifdef IPV6_SUPPORTED
+skipcheck:
+#endif
+
 #endif
 
 	rpc_dispatch(rqstp, transp, dtable, number_of(dtable),
diff --git a/utils/statd/statd.c b/utils/statd/statd.c
index 321f7a9..78bf6f8 100644
--- a/utils/statd/statd.c
+++ b/utils/statd/statd.c
@@ -88,6 +88,21 @@ extern void simulator (int, char **);
 static void 
 sm_prog_1_wrapper (struct svc_req *rqstp, register SVCXPRT *transp)
 {
+#ifdef IPV6_SUPPORTED
+	struct sockaddr *sa;
+	static int once = 0;
+
+	sa = (struct sockaddr *)svc_getcaller_netbuf(transp)->buf;
+	if (sa->sa_family != AF_INET) {
+		if (!once) {
+			syslog(LOG_WARNING, 
+				"No IPv6 support in Access Control Library (TCP Wrappers)"); 
+			once++;
+		}
+		goto skipcheck;
+	}
+#endif
+
 	/* remote host authorization check */
 	if (!check_default("statd", svc_getcaller(transp),
 				 rqstp->rq_proc, SM_PROG)) {
@@ -95,6 +110,10 @@ sm_prog_1_wrapper (struct svc_req *rqstp, register SVCXPRT *transp)
 		return;
 	}
 
+#ifdef IPV6_SUPPORTED
+skipcheck:
+#endif
+
 	sm_prog_1 (rqstp, transp);
 }
 
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




