diff -c ucspi-tcp-0.84/tcprules.1 ucspi-tcp-0.84-mine/tcprules.1 *** ucspi-tcp-0.84/tcprules.1 Thu Nov 12 00:32:01 1998 --- ucspi-tcp-0.84-mine/tcprules.1 Sun May 23 17:47:17 1999 *************** *** 156,161 **** --- 156,168 ---- .B 10.2.:ins and .BR 10.3.:ins . + .SH "HOST NAMES" + .B tcprules + can contain domains as well as addresses; search for a + match is based on do.ma.in, + \&.ma.in, + \&.in, + \&. (period used as 'default') .SH "INSTRUCTIONS" The instructions in a rule must begin with either .B allow diff -c ucspi-tcp-0.84/tcprules.c ucspi-tcp-0.84-mine/tcprules.c *** ucspi-tcp-0.84/tcprules.c Thu Nov 12 00:32:01 1998 --- ucspi-tcp-0.84-mine/tcprules.c Sun May 23 17:19:45 1999 *************** *** 58,64 **** unsigned long bot; unsigned long top; ! if (byte_chr(address.s,address.len,'@') == address.len) { i = byte_chr(address.s,address.len,'-'); if (i < address.len) { left = byte_rchr(address.s,i,'.'); --- 58,73 ---- unsigned long bot; unsigned long top; ! for (i = 0; i < address.len; i++) { ! if (address.s[i] == '-') continue; ! if (address.s[i] == '.') continue; ! if (address.s[i] == '@') continue; ! if (address.s[i] >= '0') ! if (address.s[i] <= '9') continue; ! i = address.len + 1; ! } ! ! if (i == address.len) { i = byte_chr(address.s,address.len,'-'); if (i < address.len) { left = byte_rchr(address.s,i,'.'); diff -c ucspi-tcp-0.84/tcpserver.1 ucspi-tcp-0.84-mine/tcpserver.1 *** ucspi-tcp-0.84/tcpserver.1 Thu Nov 12 00:32:01 1998 --- ucspi-tcp-0.84-mine/tcpserver.1 Sun May 23 17:31:08 1999 *************** *** 7,12 **** --- 7,15 ---- .B \-1pPhHrRoOdDqQv ] [ + .B \-NnAa + ] + [ .B \-c\fIlimit ] [ *************** *** 200,205 **** --- 203,227 ---- .B \-P (Default.) Not paranoid. 
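Review bot: In the tcprules.c hunk the scan ends by writing `i = address.len + 1;` so that the later `if (i == address.len)` fails, which is an unusual spelling of `break;` — a plain `break;` leaves `i < address.len` and the test below behaves the same. The unbraced nested digit test reads better as one condition, `if (address.s[i] >= '0' && address.s[i] <= '9') continue;`. Admitting `'@'` into this otherwise numeric-only character set looks unintended, since the test it replaces sent every key containing `@` to the other branch; if it is deliberate, a comment on that line should say why. The enclosing function starts and ends outside the hunk, so the declaration of `i` and the branch that now receives host-name keys are not visible here.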
+ .TP + .B \-a + \&'deny' connections from an address with no hostname + .TP + .B \-A + \&'deny' connections from an address which is 'paranoid' + The environment variable + .BR TCPPARANOID + is set if the connection is + considered to be 'paranoid' (allows programs to tell the difference + when + .BR TCPREMOTEHOST + is not set). + .TP + .B \-n + Do domain name lookups in tcprules file after ip lookup. + .TP + .B \-N + Do domain name lookups in tcprules file before IP lookup .TP .B \-h (Default.) diff -c ucspi-tcp-0.84/tcpserver.c ucspi-tcp-0.84-mine/tcpserver.c *** ucspi-tcp-0.84/tcpserver.c Thu Nov 12 00:32:01 1998 --- ucspi-tcp-0.84-mine/tcpserver.c Sun May 23 23:19:34 1999 *************** *** 27,32 **** --- 27,35 ---- #include "env.h" #include "cdb.h" + #define TCPPARANOID /* if TCPPARANOID options are to be used */ + #define TCPREMOTEHOSTRULES /* if want remote host checked in rules() */ + #define FATAL "tcpserver: fatal: " #define DROP "tcpserver: warning: dropping connection, " int verbosity = 1; *************** *** 46,51 **** --- 49,55 ---- strerr_warn1("\ tcpserver: usage: tcpserver \ [ -1pPhHrRoOdDqQv ] \ + [ -nNaA ] \ [ -c limit ] \ [ -x rules.cdb ] \ [ -B banner ] \ *************** *** 102,107 **** --- 106,121 ---- char *fnrules = 0; int flagdeny = 0; + #ifdef TCPREMOTEHOSTRULES + stralloc tcpremotehost = {0}; + int domainchecking = 0; + #endif + #ifdef TCPPARANOID + char *connectionstatus; + int blockingparanoid = 0; + int blockingnohost = 0; + #endif + void printenv() { char *tcplocalhost; *************** *** 113,122 **** --- 127,143 ---- tcpremotehost = env_get("TCPREMOTEHOST"); if (!tcplocalhost) tcplocalhost = ""; + #ifdef TCPPARANOID + if (!tcpremotehost) tcpremotehost = env_get("TCPPARANOID"); + #endif if (!tcpremotehost) tcpremotehost = ""; if (!stralloc_copys(&tmp,"tcpserver: ")) drop_nomem(); + #ifdef TCPPARANOID + if (!stralloc_cats(&tmp,connectionstatus)) drop_nomem(); + #else if (!stralloc_cats(&tmp,flagdeny ? 
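Review bot: The feature switch defined here as `TCPREMOTEHOSTRULES` is tested under a different name in the getopt hunk (`#if defined(TCPREMOTEHOSTS) || defined(TCPPARANOID)`), so the `-n`/`-N` letters are only accepted while `TCPPARANOID` happens to be on; with only `TCPREMOTEHOSTRULES` the option `switch` still compiles its `case 'n'`/`case 'N'` but getopt rejects the letters. Use the same name in both places, `#if defined(TCPREMOTEHOSTRULES) || defined(TCPPARANOID)`. Because both macros are defined unconditionally in the .c file, none of the `#ifdef` guards in this patch can be false from the build; `#ifndef TCPPARANOID` / `#ifndef TCPREMOTEHOSTRULES` wrappers around the two defines (or `-D` from the build) would make them real switches.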
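Review bot: `char *connectionstatus;` is left unset at file scope, and `printenv` in the next hunk passes it straight to `stralloc_cats`; the per-connection `connectionstatus = "ok ";` in the last hunk covers the visible path, but any other call of `printenv` before that assignment would dereference a null pointer. Initialising it, `char *connectionstatus = "ok ";`, removes the ordering dependency. The three added `int` flags would benefit from a one-line comment each naming the option that sets them (`-n`/`-N`, `-a`, `-A`), since the names alone do not say so.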
"deny " : "ok ")) drop_nomem(); + #endif if (!stralloc_catb(&tmp,strnum,fmt_ulong(strnum,getpid()))) drop_nomem(); if (!stralloc_cats(&tmp," ")) drop_nomem(); safeappend(&tmp,tcplocalhost); *************** *** 203,209 **** --- 224,234 ---- while ((next0 = byte_chr(data,datalen,0)) < datalen) { switch(data[0]) { + #ifdef TCPPARANOID + case 'D': connectionstatus = "deny "; flagdeny = 1; break; + #else case 'D': flagdeny = 1; break; + #endif case '+': if (!env_put(data + 1)) drop_nomem(); break; } data += next0 + 1; datalen -= next0 + 1; *************** *** 211,216 **** --- 236,271 ---- return 1; } + #ifdef TCPREMOTEHOSTRULES + int tcp_domain_check() + { + if (tcpremotehost.len) { + unsigned int i = 0; + + if (tcpremoteinfo) { + if (!stralloc_copys(&tmp,tcpremoteinfo)) drop_nomem(); + if (!stralloc_cats(&tmp,"@")) drop_nomem(); + if (!stralloc_cats(&tmp,tcpremotehost.s)) drop_nomem(); + if (dorule()) return 1; + } + + if (!stralloc_copys(&tmp,tcpremotehost.s)) drop_nomem(); + if (dorule()) return 1; + while (++i < tcpremotehost.len) + if (tcpremotehost.s[i] == '.') { + if (!stralloc_copys(&tmp,tcpremotehost.s+i)) + drop_nomem(); + if (dorule()) return 1; + } + } + /* We use .' 
to indicate a valid host default (blank for IP address) */ + /* so that if the host isn't set we can act differently on an IP address */ + if (!stralloc_copys(&tmp, ".")) drop_nomem(); + if (dorule()) return 1; + return 0; + } + #endif + void rules() { if (!fnrules) return; *************** *** 218,223 **** --- 273,282 ---- fdrules = open_read(fnrules); if (fdrules == -1) drop_rules(); + #ifdef TCPREMOTEHOSTRULES + if (domainchecking == -1) if(tcp_domain_check()) return; + #endif + if (tcpremoteinfo) { if (!stralloc_copys(&tmp,tcpremoteinfo)) drop_nomem(); if (!stralloc_cats(&tmp,"@")) drop_nomem(); *************** *** 233,238 **** --- 292,302 ---- --tmp.len; } + #ifdef TCPREMOTEHOSTRULES + if (domainchecking == 1) if(tcp_domain_check()) return; + tmp.len = 0; + #endif + dorule(); done: *************** *** 266,272 **** --- 330,341 ---- struct servent *se; int j; + #if defined(TCPREMOTEHOSTS) || defined(TCPPARANOID) + /* okay the defines mean the options might not actually work - so what? 
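Review bot: The `.` catch-all lookup at the bottom of `tcp_domain_check` sits outside `if (tcpremotehost.len)`, so it fires even when no name is known; the comment above it says this is intended, but the tcprules.1 text added in this patch ("period used as 'default'") does not say that `.` also matches connections with no host name, and it should. The while loop copies every suffix starting at a dot, and since the caller in the last hunk applies `stralloc_0` to `tcpremotehost`, `tcpremotehost.len` there includes the terminator — harmless for the scan, but worth noting at the loop with `/* len may include the trailing NUL added by stralloc_0 */`.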
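Review bot: With `-N` (`domainchecking == -1`) `tcp_domain_check()` runs before any IP lookup, and because it ends with the `.` catch-all, an allow rule keyed `.` makes every IP-keyed rule unreachable; the same `.` lookup also ends the `-n` pass in the following hunk (233,238) before the empty-key default is tried. If the intent is that host rules win only when a host rule actually matches, the `.` lookup should stay out of the `-N` pass, for instance by giving `tcp_domain_check` a flag argument that says whether to try the default. Whichever way this is resolved, the `-n`/`-N` entries in tcpserver.1 should state the resulting precedence between `.`, host-suffix, IP-prefix and empty-key rules.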
*/ + while ((opt = getopt(argc,argv,"dDvqQhHrR1x:t:u:g:l:b:B:c:pPoOnNaA")) != opteof) + #else while ((opt = getopt(argc,argv,"dDvqQhHrR1x:t:u:g:l:b:B:c:pPoO")) != opteof) + #endif switch(opt) { case 'b': scan_ulong(optarg,&backlog); break; case 'c': scan_ulong(optarg,&limit); break; *************** *** 290,295 **** --- 359,372 ---- case 'u': scan_ulong(optarg,&uid); break; case '1': flag1 = 1; break; case 'l': forcelocal = optarg; break; + #ifdef TCPREMOTEHOSTRULES + case 'n': domainchecking = 1; break; + case 'N': domainchecking = -1; break; + #endif + #ifdef TCPPARANOID + case 'a': blockingnohost = 1; break; + case 'A': blockingparanoid = 1; break; + #endif default: usage(); } argc -= optind; *************** *** 383,388 **** --- 460,468 ---- if (!env_unset("TCPLOCALHOST")) die_nomem(); if (!env_unset("TCPREMOTEHOST")) die_nomem(); if (!env_unset("TCPREMOTEINFO")) die_nomem(); + #ifdef TCPPARANOID + if (!env_unset("TCPPARANOID")) die_nomem(); + #endif if (forcelocal) if (!env_put2("TCPLOCALHOST",forcelocal)) die_nomem(); *************** *** 397,402 **** --- 477,485 ---- sig_childblock(); for (;;) { + #ifdef TCPPARANOID + int tcpremotehostset = 0; + #endif while (numchildren >= limit) sig_pause(); sig_childunblock(); *************** *** 464,469 **** --- 547,555 ---- } if (flagremotehost) + #ifdef TCPREMOTEHOSTRULES + #define tmp tcpremotehost + #endif switch(dns_ptr(&tmp,&ipremote)) { case DNS_MEM: drop_nomem(); case 0: *************** *** 478,483 **** --- 564,574 ---- if (!stralloc_0(&tmp)) drop_nomem(); case_lowers(tmp.s); if (!env_put2("TCPREMOTEHOST",tmp.s)) drop_nomem(); + #ifdef TCPPARANOID + tcpremotehostset = 1; + break; + default: tmp.len = 0; /* reset it, for nohost checking */ + #endif } if (flagremoteinfo) { tcpremoteinfo = remoteinfo_get(&ipremote,portremote,&iplocal,portlocal,(int) timeout); *************** *** 485,490 **** --- 576,598 ---- if (!env_put2("TCPREMOTEINFO",tcpremoteinfo)) drop_nomem(); } + #ifdef TCPPARANOID + connectionstatus = "ok "; + 
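Review bot: `#define tmp tcpremotehost` placed between `if (flagremotehost)` and its `switch` silently redirects every use of `tmp` until the `#undef` in the last hunk, including the unchanged `stralloc_0`/`case_lowers`/`env_put2` lines and the whole TCPPARANOID block; a reader of those lines sees the scratch buffer, not the global that `tcp_domain_check` later consults. Naming the target explicitly, `switch(dns_ptr(&tcpremotehost,&ipremote))`, and in the few lines that follow it — even though that touches context lines — is clearer than a macro rename undone later in the same function. At minimum the `#define` needs a comment saying where it is undone and why the global is used here.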
if (!tcpremotehostset) + if (tmp.len) { + if (!stralloc_0(&tmp)) drop_nomem(); + case_lowers(tmp.s); + if (!env_put2("TCPPARANOID", tmp.s)) drop_nomem(); + if (blockingparanoid) connectionstatus = "deny-paranoid "; + else connectionstatus = "ok-paranoid "; + } + else if (blockingnohost) connectionstatus = "deny-nohost "; + + if (str_diffn(connectionstatus, "ok", 2)) flagdeny = 1; else + #endif + #ifdef TCPREMOTEHOSTRULES + #undef tmp + #endif rules(); printenv(); if (flagdeny) _exit(100);
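Review bot: When the `-p` forward check fails, the name is still in `tmp` (here `tcpremotehost` via the macro) and, unless `-A` is given, control still reaches `rules()`, so with `-n`/`-N` the host-keyed allow/deny rules are matched against a reverse name that did not verify; a PTR record is chosen by whoever controls the reverse zone, so for those rules `-p` becomes a log annotation rather than a gate. Clearing the name once it has been exported, `if (!env_put2("TCPPARANOID", tmp.s)) drop_nomem(); tmp.len = 0;`, keeps TCPPARANOID in the environment while restricting host-rule matching to verified names (and to `.`). If `-H` suppresses the reverse lookup, `tmp.len` here is whatever earlier code left in it when `TCPREMOTEHOSTRULES` is off, so the `if (tmp.len)` test should also be conditioned on `flagremotehost`; that earlier code is outside the hunk.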