From: Steve Dickson <SteveD@redhat.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Linux NFS Mailing list <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH 2/3] nfs-utils: Don't do tcp wrapper check when there are no rules
Date: Fri, 23 Jan 2009 13:37:17 -0500
Message-ID: <497A0E5D.30000@RedHat.com>
In-Reply-To: <D774CD22-5885-49AB-8483-EC68E95A3E50@oracle.com>
Chuck Lever wrote:
> I'm surprised this issue hasn't come up for other daemons (sshd
> perhaps?). Is there code you could borrow for that?
rpcbind... it has a -i flag.
>
> Even better would be to fix tcp_wrappers to handle this optimization
> somehow itself.
Yeah... we talked... that would take a new interface from
basically dead code... Why wake the dead? :)
steved.
>
>
> On Jan 23, 2009, at 1:11 PM, Steve Dickson wrote:
>
>> commit 58b7e3ef82c5d9e008befcce391027c4741d3a56
>> Author: Steve Dickson <steved@redhat.com>
>> Date: Fri Jan 23 09:15:57 2009 -0500
>>
>> If there are no rules in either /etc/hosts.deny or
>> /etc/hosts.allow there is no need to do the host validation.
>>
>> Signed-off-by: Steve Dickson <steved@redhat.com>
>>
>> diff --git a/support/misc/tcpwrapper.c b/support/misc/tcpwrapper.c
>> index a450ad5..098406c 100644
>> --- a/support/misc/tcpwrapper.c
>> +++ b/support/misc/tcpwrapper.c
>> @@ -34,6 +34,7 @@
>> #ifdef HAVE_CONFIG_H
>> #include <config.h>
>> #endif
>> +#include <stdio.h>
>> #include <tcpwrapper.h>
>> #include <unistd.h>
>> #include <string.h>
>> @@ -55,6 +56,8 @@
>> #include <rpc/rpcent.h>
>> #endif
>>
>> +static int check_files(void);
>> +static int check_rules(void);
>> static void logit(int severity, struct sockaddr_in *addr,
>> u_long procnum, u_long prognum, char *text);
>> static void toggle_verboselog(int sig);
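Review bot: the prototype `static int check_rules(void);` added here does not match the definition later in this patch, which reads `int check_rules()` with no `static` and an empty (unprototyped) parameter list; the definition should be `static int check_rules(void)` so the two agree. The new `static int check_files(void);` prototype has the same `()` versus `(void)` mismatch with the existing `static int check_files()` definition, which is worth fixing while this code is being touched.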
>> @@ -175,6 +178,9 @@ struct sockaddr_in *addr;
>> char **sp;
>> char *tmpname;
>>
>> + xlog(D_CALL, "good_client: %s: doing access check on %s",
>> + daemon, inet_ntoa(addr->sin_addr));
>> +
>> /* First check the address. */
>> if (hosts_ctl(daemon, "", inet_ntoa(addr->sin_addr), "") == DENY)
>> return DENY;
>> @@ -262,8 +268,50 @@ void check_startup(void)
>> (void) signal(SIGINT, toggle_verboselog);
>> }
>>
>> +/*
>> + * check_rules - check to see if any entries exist in
>> + * either hosts file.
>> + */
>> +int check_rules()
>> +{
>> + FILE *fp;
>> + char buf[BUFSIZ];
>> +
>> + if ((fp = fopen("/etc/hosts.allow", "r")) == NULL)
>> + return 0;
>> +
>> + while (fgets(buf, BUFSIZ, fp) != NULL) {
>> + /* Check for commented lines */
>> + if (buf[0] == '#')
>> + continue;
>> + /* Check for blank lines */
>> + if (buf[strspn(buf, " \t\r\n")] == 0)
>> + continue;
>> + /* Not emtpy */
>> + fclose(fp);
>> + return 1;
>> + }
>> + fclose(fp);
>> +
>> + if ((fp = fopen("/etc/hosts.deny", "r")) == NULL)
>> + return 0;
>> +
>> + while (fgets(buf, BUFSIZ, fp) != NULL) {
>> + /* Check for commented lines */
>> + if (buf[0] == '#')
>> + continue;
>> + /* Check for blank lines */
>> + if (buf[strspn(buf, " \t\r\n")] == 0)
>> + continue;
>> + /* Not emtpy */
>> + fclose(fp);
>> + return 1;
>> + }
>> + fclose(fp);
>> + return 0;
>> +}
>> +
>> /* check_files - check to see if either access files have changed */
>> -
>> static int check_files()
>> {
>> static time_t allow_mtime, deny_mtime;
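Review bot: the early `return 0` when `fopen("/etc/hosts.allow", "r")` fails skips the `/etc/hosts.deny` scan entirely, so a system with no hosts.allow but a populated hosts.deny reports "no rules" and the caller grants access without ever consulting the deny list; on a NULL `fopen()` the function should fall through to the hosts.deny check, and an `fopen()` failure other than ENOENT (libwrap itself treats a non-existent access file as empty) is better reported as "rules present" so the decision fails closed and `hosts_ctl()` makes the call. The two loops are identical and could be one helper taking the path; that helper should also skip comment lines with leading whitespace, since `buf[0] == '#'` counts a line such as `   # note` as a rule, and both "Not emtpy" comments misspell "empty".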
>> @@ -305,6 +353,13 @@ u_long prog;
>> if (acc && changed == 0)
>> return (acc->access);
>>
>> + /*
>> + * See if there are any rules to be applied,
>> + * if not, no need to check the address
>> + */
>> + if (check_rules() == 0)
>> + goto done;
>> +
>> if (!(from_local(addr) || good_client(daemon, addr))) {
>> log_bad_host(addr, proc, prog);
>> if (acc)
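Review bot: when `check_rules()` returns 0 the `goto done` bypasses both `from_local()` and `good_client()` and then caches a TRUE result for this address/program via the `haccess_add(addr, prog, TRUE)` path, so the shortcut is only as safe as cache invalidation: the `acc && changed == 0` early return above must see `changed` set the first time either file gains a rule, including when a previously absent file is created. A comment here saying why the skip is equivalent (libwrap grants access when neither file has a matching entry, and treats a missing file as empty) would make the intent reviewable.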
>> @@ -315,11 +370,12 @@ u_long prog;
>> }
>> if (verboselog)
>> log_client(addr, proc, prog);
>> -
>> +done:
>> if (acc)
>> acc->access = TRUE;
>> else
>> haccess_add(addr, prog, TRUE);
>> +
>> return (TRUE);
>> }
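Review bot: the `done:` label is placed after the `if (verboselog) log_client(addr, proc, prog);` block, so with verbose logging enabled, clients admitted through the no-rules shortcut are no longer logged; if that is not intended, move the label to just before the `if (verboselog)` test. The added blank `+` line before `return (TRUE);` is a stray whitespace change and can be dropped.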
>
> --
> Chuck Lever
> chuck.lever@oracle.com
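As an added illustration (this is not nfs-utils code and not the patch above), the following stand-alone C program shows the same "are there any rules?" test written so that a missing hosts.allow cannot hide a populated hosts.deny, so that comment lines with leading whitespace are not counted as rules, and so that an unreadable file fails closed. The function names, the `scenario()` harness and the sample file contents are constructed for this example; nothing here is the project's API.

```c
/* Added example, not nfs-utils code: rule-presence check for
 * hosts_access(5) style files with the failure modes handled. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if the stream holds at least one line that is neither blank
 * nor a comment. Blanks before '#' are tolerated, so "   # note" is not
 * mistaken for a rule. */
int stream_has_rules(FILE *fp)
{
    char buf[BUFSIZ];

    while (fgets(buf, sizeof buf, fp) != NULL) {
        const char *p = buf + strspn(buf, " \t\r\n");
        if (*p == '\0' || *p == '#')
            continue;
        return 1;
    }
    return 0;
}

/* Policy on two already-opened files; NULL models an absent file.
 * Both files are always consulted, so a missing allow file never
 * suppresses rules in the deny file. */
int access_check_needed_streams(FILE *allow, FILE *deny)
{
    int a = allow ? stream_has_rules(allow) : 0;
    int d = deny ? stream_has_rules(deny) : 0;
    return a || d;
}

/* Open one access file. ENOENT is the ordinary "no rules" case; any
 * other failure is recorded in *err so the caller can fail closed. */
static FILE *open_access_file(const char *path, int *err)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL && errno != ENOENT)
        *err = errno;
    return fp;
}

/* Path-based entry point (hypothetical name). Returns 1 when the full
 * hosts_ctl()-style check must run, 0 when it can safely be skipped. */
int access_check_needed(const char *allow_path, const char *deny_path)
{
    int err = 0;
    FILE *allow = open_access_file(allow_path, &err);
    FILE *deny = open_access_file(deny_path, &err);
    int needed;

    if (err != 0)
        needed = 1;   /* unreadable file: fail closed, let the real check decide */
    else
        needed = access_check_needed_streams(allow, deny);
    if (allow)
        fclose(allow);
    if (deny)
        fclose(deny);
    return needed;
}

/* Test helper: a temporary stream holding constructed file text, or NULL
 * when text is NULL to model a file that does not exist. */
FILE *stream_from_text(const char *text)
{
    FILE *fp;

    if (text == NULL)
        return NULL;
    fp = tmpfile();
    if (fp == NULL)
        return NULL;
    fputs(text, fp);
    rewind(fp);
    return fp;
}

/* Run one constructed scenario and release the streams. */
int scenario(const char *allow_text, const char *deny_text)
{
    FILE *allow = stream_from_text(allow_text);
    FILE *deny = stream_from_text(deny_text);
    int needed = access_check_needed_streams(allow, deny);

    if (allow)
        fclose(allow);
    if (deny)
        fclose(deny);
    return needed;
}

int main(void)
{
    printf("comments only in both files:   %d\n", scenario("# none\n\n", "   # none\n"));
    printf("allow absent, deny populated:  %d\n", scenario(NULL, "ALL: ALL\n"));
    printf("allow populated, deny absent:  %d\n", scenario("mountd: 10.0.0.0/8\n", NULL));
    printf("both files absent:             %d\n", scenario(NULL, NULL));
    return 0;
}
```

The second scenario is the one the patch gets wrong: with hosts.allow absent and `ALL: ALL` in hosts.deny, the check must still run. Splitting the policy (`access_check_needed_streams`) from file opening also keeps the decision testable without touching `/etc`.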
Thread overview: 6+ messages
2009-01-23 17:59 [PATCH 0/3] nfs-utils: Enabling TCP wrappers Part 2 Steve Dickson
[not found] ` <497A056E.1030606-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2009-01-23 18:10 ` [PATCH 1/3] nfs-utils: Hash only on IP address and Program number Steve Dickson
2009-01-23 18:11 ` [PATCH 2/3] nfs-utils: Don't do tcp wrapper check when there are no rules Steve Dickson
[not found] ` <497A0862.40008-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2009-01-23 18:34 ` Chuck Lever
2009-01-23 18:37 ` Steve Dickson [this message]
2009-01-23 18:13 ` [PATCH 3/3] nfs-utils: Adding the --insecure flag to mountd and statd Steve Dickson