From: Steve Dickson <SteveD@redhat.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Linux NFS Mailing list <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH 2/3] nfs-utils: Don't do tcp wrapper check when there are no rules
Date: Fri, 23 Jan 2009 13:37:17 -0500
Message-ID: <497A0E5D.30000@RedHat.com>
In-Reply-To: <D774CD22-5885-49AB-8483-EC68E95A3E50@oracle.com>
Chuck Lever wrote:
> I'm surprised this issue hasn't come up for other daemons (sshd
> perhaps?). Is there code you could borrow for that?

rpcbind... it has a -i flag..

>
> Even better would be to fix tcp_wrappers to handle this optimization
> somehow itself.

Yeah... we talked.. that would take new interface from
basically dead code... Why wake the dead? :)

steved.
>
>
> On Jan 23, 2009, at Jan 23, 2009, 1:11 PM, Steve Dickson wrote:
>
>> commit 58b7e3ef82c5d9e008befcce391027c4741d3a56
>> Author: Steve Dickson <steved@redhat.com>
>> Date: Fri Jan 23 09:15:57 2009 -0500
>>
>> If there are no rules in either /etc/hosts.deny or
>> /etc/hosts.allow there is no need to do the host validation.
>>
>> Signed-off-by: Steve Dickson <steved@redhat.com>
>>
>> diff --git a/support/misc/tcpwrapper.c b/support/misc/tcpwrapper.c
>> index a450ad5..098406c 100644
>> --- a/support/misc/tcpwrapper.c
>> +++ b/support/misc/tcpwrapper.c
>> @@ -34,6 +34,7 @@
>> #ifdef HAVE_CONFIG_H
>> #include <config.h>
>> #endif
>> +#include <stdio.h>
>> #include <tcpwrapper.h>
>> #include <unistd.h>
>> #include <string.h>
>> @@ -55,6 +56,8 @@
>> #include <rpc/rpcent.h>
>> #endif
>>
>> +static int check_files(void);
>> +static int check_rules(void);
>> static void logit(int severity, struct sockaddr_in *addr,
>> u_long procnum, u_long prognum, char *text);
>> static void toggle_verboselog(int sig);
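Review bot: the new prototype `static int check_rules(void);` does not match the definition added later in this patch, which is written `int check_rules()` with no `static` and an empty parameter list. The function still gets internal linkage from this earlier declaration, but the definition should read `static int check_rules(void)` so the two agree and a reader of the definition alone does not take it for an exported symbol.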
>> @@ -175,6 +178,9 @@ struct sockaddr_in *addr;
>> char **sp;
>> char *tmpname;
>>
>> + xlog(D_CALL, "good_client: %s: doing access check on %s",
>> + daemon, inet_ntoa(addr->sin_addr));
>> +
>> /* First check the address. */
>> if (hosts_ctl(daemon, "", inet_ntoa(addr->sin_addr), "") == DENY)
>> return DENY;
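Review bot: the added `xlog(D_CALL, ...)` call in good_client() relies on a declaration of xlog and D_CALL, and the only include this patch adds is `<stdio.h>`; please confirm the header that declares them is already pulled in by tcpwrapper.c. The call also formats `inet_ntoa(addr->sin_addr)` once for the log line and again in the hosts_ctl() call directly below, so storing the string in a local would avoid doing the conversion twice.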
>> @@ -262,8 +268,50 @@ void check_startup(void)
>> (void) signal(SIGINT, toggle_verboselog);
>> }
>>
>> +/*
>> + * check_rules - check to see if any entries exist in
>> + * either hosts file.
>> + */
>> +int check_rules()
>> +{
>> + FILE *fp;
>> + char buf[BUFSIZ];
>> +
>> + if ((fp = fopen("/etc/hosts.allow", "r")) == NULL)
>> + return 0;
>> +
>> + while (fgets(buf, BUFSIZ, fp) != NULL) {
>> + /* Check for commented lines */
>> + if (buf[0] == '#')
>> + continue;
>> + /* Check for blank lines */
>> + if (buf[strspn(buf, " \t\r\n")] == 0)
>> + continue;
>> + /* Not emtpy */
>> + fclose(fp);
>> + return 1;
>> + }
>> + fclose(fp);
>> +
>> + if ((fp = fopen("/etc/hosts.deny", "r")) == NULL)
>> + return 0;
>> +
>> + while (fgets(buf, BUFSIZ, fp) != NULL) {
>> + /* Check for commented lines */
>> + if (buf[0] == '#')
>> + continue;
>> + /* Check for blank lines */
>> + if (buf[strspn(buf, " \t\r\n")] == 0)
>> + continue;
>> + /* Not emtpy */
>> + fclose(fp);
>> + return 1;
>> + }
>> + fclose(fp);
>> + return 0;
>> +}
>> +
>> /* check_files - check to see if either access files have changed */
>> -
>> static int check_files()
>> {
>> static time_t allow_mtime, deny_mtime;
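Review bot: check_rules() returns 0 as soon as `fopen("/etc/hosts.allow", "r")` fails, so /etc/hosts.deny is never read in that case. A host that has only a hosts.deny file, or whose hosts.allow cannot be opened, is reported as having no rules, and the caller then skips the access check. A missing hosts.allow should mean "no entries in this file" and fall through to hosts.deny, and a file that exists but cannot be opened should be reported as 1 (rules may exist) so that the check still runs. The two read loops are identical and could be one helper that takes the path. The comment test `buf[0] == '#'` only matches a `#` in the first column, which errs on the side of doing the check and is fine, but is worth a word in the comment.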
>> @@ -305,6 +353,13 @@ u_long prog;
>> if (acc && changed == 0)
>> return (acc->access);
>>
>> + /*
>> + * See if there are any rules to be applied,
>> + * if not, no need to check the address
>> + */
>> + if (check_rules() == 0)
>> + goto done;
>> +
>> if (!(from_local(addr) || good_client(daemon, addr))) {
>> log_bad_host(addr, proc, prog);
>> if (acc)
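Review bot: the `check_rules()` call placed after the cached-result return runs for every request that misses the cache or follows a file change, and each call opens and scans both hosts files. check_files() already tracks whether the access files have changed, so the "any rules present" result could be computed when a change is seen and kept in a static alongside the mtimes. The added comment should also state that taking this branch skips both from_local() and good_client(), since a wrong 0 from check_rules() grants access.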
>> @@ -315,11 +370,12 @@ u_long prog;
>> }
>> if (verboselog)
>> log_client(addr, proc, prog);
>> -
>> +done:
>> if (acc)
>> acc->access = TRUE;
>> else
>> haccess_add(addr, prog, TRUE);
>> +
>> return (TRUE);
>> }
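Review bot: the `done:` label is placed after `if (verboselog) log_client(addr, proc, prog);`, so a client admitted through the new no-rules path is never logged even with verbose logging toggled on. If that is not intended, move the label above the verboselog test; if it is, say so in the comment at the `goto done`. The path also stores TRUE for the client through `acc->access` or haccess_add(), which is only safe if the cached entry is rechecked once rules are added to the hosts files; please confirm that the changed-file handling covers this.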
>
> --
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com