[PATCH 0/3] nfs-utils: Enabling TCP wrappers Part 2

Now that TCP wrappers are actually working as expected, it is causing
problems in configurations that don't support reverse host name
lookups.

For TCP wrappers to actually work correctly, an IP address has to be
converted into a host name, to cover the possibility that host names
are used in either the /etc/hosts.deny or /etc/hosts.allow files.
If that IP conversion (i.e. reverse hostname lookup) fails, the
mount has to fail, otherwise it opens up a security hole since
the host name cannot be checked.

In smaller "at home" configurations, this failure causes a great deal
of pain since there will never be any type of DNS services and for some
reasons (which were beyond me) adding the IP address to /etc/hosts
was not an option. So this patch set allows configurations like
those to, once again, just work, plus it also stops a needless lookup
when there are no TCP wrapper rules, which is 99.99% of the time.

Patch 01 - I was caching the results of the host access query using
           the IP address, program number and procedure number which
           was creating too many cache entries for a single host.
           All that's really needed is to hash on the IP address
           and program number.

Patch 02 - This is a repost of a previous patch that will not
           do the host access checks if there are no rules in 
           either hosts.allow or hosts.deny. This version includes
           the suggestion from Chuck Lever that blank lines should 
           also be ignored.

Patch 03 - This patch adds a --insecure | -i command line argument that
           completely turns off all of the host access checking. I was a bit
           hesitant about doing this, but once I saw other daemons having
           the option I figured it would be good to have.

Comments/Issues?

steved.  
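
The rule-presence test that Patch 02 describes, as an added example that is not part of the original message and is not the nfs-utils code. The function names are hypothetical, and treating an unreadable file as if it had rules is an assumption of this sketch, chosen so that an I/O error never causes the access check to be skipped.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>

/* Return 1 if the stream has any line that is neither blank nor a comment
 * ('#' in the first column); an indented '#' is conservatively a rule. */
static int stream_has_rules(FILE *fp)
{
    int c, at_start = 1, comment = 0;
    while ((c = fgetc(fp)) != EOF) {
        if (c == '\n') {            /* new line: reset per-line state */
            at_start = 1;
            comment = 0;
            continue;
        }
        if (at_start && c == '#')
            comment = 1;
        at_start = 0;
        if (!comment && !isspace(c))
            return 1;               /* real content: assume it is a rule */
    }
    return 0;
}

/* A missing file has no rules; any other open or read error is treated
 * as "rules exist" so the access check is not skipped (assumption). */
static int path_has_rules(const char *path)
{
    FILE *fp = fopen(path, "r");
    int found;
    if (fp == NULL)
        return errno != ENOENT;
    found = stream_has_rules(fp) || ferror(fp);
    fclose(fp);
    return found;
}

/* The host access check is needed only if either file carries a rule. */
static int need_host_access_check(const char *allow, const char *deny)
{
    return path_has_rules(allow) || path_has_rules(deny);
}

int main(void)
{
    puts(need_host_access_check("/etc/hosts.allow", "/etc/hosts.deny")
             ? "host access checks needed" : "no rules: checks skipped");
    return 0;
}
```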

  