diff -c ucspi-tcp-0.84/tcprules.1 ucspi-tcp-0.84-mine/tcprules.1
*** ucspi-tcp-0.84/tcprules.1 Thu Nov 12 00:32:01 1998
--- ucspi-tcp-0.84-mine/tcprules.1 Sun May 23 17:47:17 1999
***************
*** 156,161 ****
--- 156,168 ----
.B 10.2.:ins
and
.BR 10.3.:ins .
+ .SH "HOST NAMES"
+ .B tcprules
+ can contain domains as well as addresses; search for a
+ match is based on do.ma.in,
+ \&.ma.in,
+ \&.in,
+ \&. (period used as 'default')
.SH "INSTRUCTIONS"
The instructions in a rule must begin with either
.B allow
diff -c ucspi-tcp-0.84/tcprules.c ucspi-tcp-0.84-mine/tcprules.c
*** ucspi-tcp-0.84/tcprules.c Thu Nov 12 00:32:01 1998
--- ucspi-tcp-0.84-mine/tcprules.c Sun May 23 17:19:45 1999
***************
*** 58,64 ****
unsigned long bot;
unsigned long top;
! if (byte_chr(address.s,address.len,'@') == address.len) {
i = byte_chr(address.s,address.len,'-');
if (i < address.len) {
left = byte_rchr(address.s,i,'.');
--- 58,73 ----
unsigned long bot;
unsigned long top;
! for (i = 0; i < address.len; i++) {
! if (address.s[i] == '-') continue;
! if (address.s[i] == '.') continue;
! if (address.s[i] == '@') continue;
! if (address.s[i] >= '0')
! if (address.s[i] <= '9') continue;
! i = address.len + 1;
! }
!
! if (i == address.len) {
i = byte_chr(address.s,address.len,'-');
if (i < address.len) {
left = byte_rchr(address.s,i,'.');
diff -c ucspi-tcp-0.84/tcpserver.1 ucspi-tcp-0.84-mine/tcpserver.1
*** ucspi-tcp-0.84/tcpserver.1 Thu Nov 12 00:32:01 1998
--- ucspi-tcp-0.84-mine/tcpserver.1 Sun May 23 17:31:08 1999
***************
*** 7,12 ****
--- 7,15 ----
.B \-1pPhHrRoOdDqQv
]
[
+ .B \-NnAa
+ ]
+ [
.B \-c\fIlimit
]
[
***************
*** 200,205 ****
--- 203,227 ----
.B \-P
(Default.)
Not paranoid.
+ .TP
+ .B \-a
+ \&'deny' connections from an address with no hostname
+ .TP
+ .B \-A
+ \&'deny' connections from an address which is 'paranoid'
+ The environment variable
+ .BR TCPPARANOID
+ is set if the connection is
+ considered to be 'paranoid' (allows programs to tell the difference
+ when
+ .BR TCPREMOTEHOST
+ is not set).
+ .TP
+ .B \-n
+ Do domain name lookups in tcprules file after ip lookup.
+ .TP
+ .B \-N
+ Do domain name lookups in tcprules file before IP lookup
.TP
.B \-h
(Default.)
diff -c ucspi-tcp-0.84/tcpserver.c ucspi-tcp-0.84-mine/tcpserver.c
*** ucspi-tcp-0.84/tcpserver.c Thu Nov 12 00:32:01 1998
--- ucspi-tcp-0.84-mine/tcpserver.c Sun May 23 23:19:34 1999
***************
*** 27,32 ****
--- 27,35 ----
#include "env.h"
#include "cdb.h"
+ #define TCPPARANOID /* if TCPPARANOID options are to be used */
+ #define TCPREMOTEHOSTRULES /* if want remote host checked in rules() */
+
#define FATAL "tcpserver: fatal: "
#define DROP "tcpserver: warning: dropping connection, "
int verbosity = 1;
***************
*** 46,51 ****
--- 49,55 ----
strerr_warn1("\
tcpserver: usage: tcpserver \
[ -1pPhHrRoOdDqQv ] \
+ [ -nNaA ] \
[ -c limit ] \
[ -x rules.cdb ] \
[ -B banner ] \
***************
*** 102,107 ****
--- 106,121 ----
char *fnrules = 0;
int flagdeny = 0;
+ #ifdef TCPREMOTEHOSTRULES
+ stralloc tcpremotehost = {0};
+ int domainchecking = 0;
+ #endif
+ #ifdef TCPPARANOID
+ char *connectionstatus;
+ int blockingparanoid = 0;
+ int blockingnohost = 0;
+ #endif
+
void printenv()
{
char *tcplocalhost;
***************
*** 113,122 ****
--- 127,143 ----
tcpremotehost = env_get("TCPREMOTEHOST");
if (!tcplocalhost) tcplocalhost = "";
+ #ifdef TCPPARANOID
+ if (!tcpremotehost) tcpremotehost = env_get("TCPPARANOID");
+ #endif
if (!tcpremotehost) tcpremotehost = "";
if (!stralloc_copys(&tmp,"tcpserver: ")) drop_nomem();
+ #ifdef TCPPARANOID
+ if (!stralloc_cats(&tmp,connectionstatus)) drop_nomem();
+ #else
if (!stralloc_cats(&tmp,flagdeny ? "deny " : "ok ")) drop_nomem();
+ #endif
if (!stralloc_catb(&tmp,strnum,fmt_ulong(strnum,getpid()))) drop_nomem();
if (!stralloc_cats(&tmp," ")) drop_nomem();
safeappend(&tmp,tcplocalhost);
***************
*** 203,209 ****
--- 224,234 ----
while ((next0 = byte_chr(data,datalen,0)) < datalen) {
switch(data[0]) {
+ #ifdef TCPPARANOID
+ case 'D': connectionstatus = "deny "; flagdeny = 1; break;
+ #else
case 'D': flagdeny = 1; break;
+ #endif
case '+': if (!env_put(data + 1)) drop_nomem(); break;
}
data += next0 + 1; datalen -= next0 + 1;
***************
*** 211,216 ****
--- 236,271 ----
return 1;
}
+ #ifdef TCPREMOTEHOSTRULES
+ int tcp_domain_check()
+ {
+ if (tcpremotehost.len) {
+ unsigned int i = 0;
+
+ if (tcpremoteinfo) {
+ if (!stralloc_copys(&tmp,tcpremoteinfo)) drop_nomem();
+ if (!stralloc_cats(&tmp,"@")) drop_nomem();
+ if (!stralloc_cats(&tmp,tcpremotehost.s)) drop_nomem();
+ if (dorule()) return 1;
+ }
+
+ if (!stralloc_copys(&tmp,tcpremotehost.s)) drop_nomem();
+ if (dorule()) return 1;
+ while (++i < tcpremotehost.len)
+ if (tcpremotehost.s[i] == '.') {
+ if (!stralloc_copys(&tmp,tcpremotehost.s+i))
+ drop_nomem();
+ if (dorule()) return 1;
+ }
+ }
+ /* We use .' to indicate a valid host default (blank for IP address) */
+ /* so that if the host isn't set we can act differently on an IP address */
+ if (!stralloc_copys(&tmp, ".")) drop_nomem();
+ if (dorule()) return 1;
+ return 0;
+ }
+ #endif
+
void rules()
{
if (!fnrules) return;
***************
*** 218,223 ****
--- 273,282 ----
fdrules = open_read(fnrules);
if (fdrules == -1) drop_rules();
+ #ifdef TCPREMOTEHOSTRULES
+ if (domainchecking == -1) if(tcp_domain_check()) return;
+ #endif
+
if (tcpremoteinfo) {
if (!stralloc_copys(&tmp,tcpremoteinfo)) drop_nomem();
if (!stralloc_cats(&tmp,"@")) drop_nomem();
***************
*** 233,238 ****
--- 292,302 ----
--tmp.len;
}
+ #ifdef TCPREMOTEHOSTRULES
+ if (domainchecking == 1) if(tcp_domain_check()) return;
+ tmp.len = 0;
+ #endif
+
dorule();
done:
***************
*** 266,272 ****
--- 330,341 ----
struct servent *se;
int j;
+ #if defined(TCPREMOTEHOSTS) || defined(TCPPARANOID)
+ /* okay the defines mean the options might not actually work - so what? */
+ while ((opt = getopt(argc,argv,"dDvqQhHrR1x:t:u:g:l:b:B:c:pPoOnNaA")) != opteof)
+ #else
while ((opt = getopt(argc,argv,"dDvqQhHrR1x:t:u:g:l:b:B:c:pPoO")) != opteof)
+ #endif
switch(opt) {
case 'b': scan_ulong(optarg,&backlog); break;
case 'c': scan_ulong(optarg,&limit); break;
***************
*** 290,295 ****
--- 359,372 ----
case 'u': scan_ulong(optarg,&uid); break;
case '1': flag1 = 1; break;
case 'l': forcelocal = optarg; break;
+ #ifdef TCPREMOTEHOSTRULES
+ case 'n': domainchecking = 1; break;
+ case 'N': domainchecking = -1; break;
+ #endif
+ #ifdef TCPPARANOID
+ case 'a': blockingnohost = 1; break;
+ case 'A': blockingparanoid = 1; break;
+ #endif
default: usage();
}
argc -= optind;
***************
*** 383,388 ****
--- 460,468 ----
if (!env_unset("TCPLOCALHOST")) die_nomem();
if (!env_unset("TCPREMOTEHOST")) die_nomem();
if (!env_unset("TCPREMOTEINFO")) die_nomem();
+ #ifdef TCPPARANOID
+ if (!env_unset("TCPPARANOID")) die_nomem();
+ #endif
if (forcelocal)
if (!env_put2("TCPLOCALHOST",forcelocal)) die_nomem();
***************
*** 397,402 ****
--- 477,485 ----
sig_childblock();
for (;;) {
+ #ifdef TCPPARANOID
+ int tcpremotehostset = 0;
+ #endif
while (numchildren >= limit) sig_pause();
sig_childunblock();
***************
*** 464,469 ****
--- 547,555 ----
}
if (flagremotehost)
+ #ifdef TCPREMOTEHOSTRULES
+ #define tmp tcpremotehost
+ #endif
switch(dns_ptr(&tmp,&ipremote)) {
case DNS_MEM: drop_nomem();
case 0:
***************
*** 478,483 ****
--- 564,574 ----
if (!stralloc_0(&tmp)) drop_nomem();
case_lowers(tmp.s);
if (!env_put2("TCPREMOTEHOST",tmp.s)) drop_nomem();
+ #ifdef TCPPARANOID
+ tcpremotehostset = 1;
+ break;
+ default: tmp.len = 0; /* reset it, for nohost checking */
+ #endif
}
if (flagremoteinfo) {
tcpremoteinfo = remoteinfo_get(&ipremote,portremote,&iplocal,portlocal,(int) timeout);
***************
*** 485,490 ****
--- 576,598 ----
if (!env_put2("TCPREMOTEINFO",tcpremoteinfo)) drop_nomem();
}
+ #ifdef TCPPARANOID
+ connectionstatus = "ok ";
+ if (!tcpremotehostset)
+ if (tmp.len) {
+ if (!stralloc_0(&tmp)) drop_nomem();
+ case_lowers(tmp.s);
+ if (!env_put2("TCPPARANOID", tmp.s)) drop_nomem();
+ if (blockingparanoid) connectionstatus = "deny-paranoid ";
+ else connectionstatus = "ok-paranoid ";
+ }
+ else if (blockingnohost) connectionstatus = "deny-nohost ";
+
+ if (str_diffn(connectionstatus, "ok", 2)) flagdeny = 1; else
+ #endif
+ #ifdef TCPREMOTEHOSTRULES
+ #undef tmp
+ #endif
rules();
printenv();
if (flagdeny) _exit(100);