Chuck Lever wrote:
> I'm surprised this issue hasn't come up for other daemons (sshd
> perhaps?). Is there code you could borrow for that?
rpcbind... it has a -i flag..

>
> Even better would be to fix tcp_wrappers to handle this optimization
> somehow itself.
Yeah... we talked.. that would take new interface from basically dead code... Why wake the dead? :)

steved.

>
>
> On Jan 23, 2009, at Jan 23, 2009, 1:11 PM, Steve Dickson wrote:
>
>> commit 58b7e3ef82c5d9e008befcce391027c4741d3a56
>> Author: Steve Dickson <steved@xxxxxxxxxx>
>> Date: Fri Jan 23 09:15:57 2009 -0500
>>
>> If there are no rules in either /etc/hosts.deny or
>> /etc/hosts.allow there is no need to do the host validation.
>>
>> Signed-off-by: Steve Dickson <steved@xxxxxxxxxx>
>>
>> diff --git a/support/misc/tcpwrapper.c b/support/misc/tcpwrapper.c
>> index a450ad5..098406c 100644
>> --- a/support/misc/tcpwrapper.c
>> +++ b/support/misc/tcpwrapper.c
>> @@ -34,6 +34,7 @@
>> #ifdef HAVE_CONFIG_H
>> #include <config.h>
>> #endif
>> +#include <stdio.h>
>> #include <tcpwrapper.h>
>> #include <unistd.h>
>> #include <string.h>
>> @@ -55,6 +56,8 @@
>> #include <rpc/rpcent.h>
>> #endif
>>
>> +static int check_files(void);
>> +static int check_rules(void);
>> static void logit(int severity, struct sockaddr_in *addr,
>> u_long procnum, u_long prognum, char *text);
>> static void toggle_verboselog(int sig);
>> @@ -175,6 +178,9 @@ struct sockaddr_in *addr;
>> char **sp;
>> char *tmpname;
>>
>> + xlog(D_CALL, "good_client: %s: doing access check on %s",
>> + daemon, inet_ntoa(addr->sin_addr));
>> +
>> /* First check the address. */
>> if (hosts_ctl(daemon, "", inet_ntoa(addr->sin_addr), "") == DENY)
>> return DENY;
>> @@ -262,8 +268,50 @@ void check_startup(void)
>> (void) signal(SIGINT, toggle_verboselog);
>> }
>>
>> +/*
>> + * check_rules - check to see if any entries exist in
>> + * either hosts file.
>> + */
>> +int check_rules()
>> +{
>> + FILE *fp;
>> + char buf[BUFSIZ];
>> +
>> + if ((fp = fopen("/etc/hosts.allow", "r")) == NULL)
>> + return 0;
>> +
>> + while (fgets(buf, BUFSIZ, fp) != NULL) {
>> + /* Check for commented lines */
>> + if (buf[0] == '#')
>> + continue;
>> + /* Check for blank lines */
>> + if (buf[strspn(buf, " \t\r\n")] == 0)
>> + continue;
>> + /* Not emtpy */
>> + fclose(fp);
>> + return 1;
>> + }
>> + fclose(fp);
>> +
>> + if ((fp = fopen("/etc/hosts.deny", "r")) == NULL)
>> + return 0;
>> +
>> + while (fgets(buf, BUFSIZ, fp) != NULL) {
>> + /* Check for commented lines */
>> + if (buf[0] == '#')
>> + continue;
>> + /* Check for blank lines */
>> + if (buf[strspn(buf, " \t\r\n")] == 0)
>> + continue;
>> + /* Not emtpy */
>> + fclose(fp);
>> + return 1;
>> + }
>> + fclose(fp);
>> + return 0;
>> +}
>> +
>> /* check_files - check to see if either access files have changed */
>> -
>> static int check_files()
>> {
>> static time_t allow_mtime, deny_mtime;
>> @@ -305,6 +353,13 @@ u_long prog;
>> if (acc && changed == 0)
>> return (acc->access);
>>
>> + /*
>> + * See if there are any rules to be applied,
>> + * if not, no need to check the address
>> + */
>> + if (check_rules() == 0)
>> + goto done;
>> +
>> if (!(from_local(addr) || good_client(daemon, addr))) {
>> log_bad_host(addr, proc, prog);
>> if (acc)
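Review bot: The new `if (check_rules() == 0) goto done;` runs on every cache miss and re-opens and re-reads both hosts files each time, although check_files() — whose `changed` result is tested two lines above — already stats both files to detect edits. Keeping the check_rules() answer in a static that is refreshed only when check_files() reports a change would make the optimisation cost one scan per file edit rather than two file reads per uncached client; check_files()'s body is outside this hunk, so confirm it can expose that state. The enclosing function begins and ends outside this hunk.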
>> @@ -315,11 +370,12 @@ u_long prog;
>> }
>> if (verboselog)
>> log_client(addr, proc, prog);
>> -
>> +done:
>> if (acc)
>> acc->access = TRUE;
>> else
>> haccess_add(addr, prog, TRUE);
>> +
>> return (TRUE);
>> }
>
> --
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
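Review bot: The `done:` label is placed after `if (verboselog) log_client(addr, proc, prog);`, so the `goto done` taken when no rules exist skips the verbose client log as well as the access check, and verbose mode then records nothing for those clients. If verbose logging is meant to show every admitted client, move the label one line up so it sits just before `if (verboselog)`; if the silence is intended, say so in the comment above the `goto done`, e.g. `/* no rules: allow without logging */`. The enclosing function begins outside this hunk.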