Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 4 Oct 2001 13:50:16 +0300 (EEST)
From:      Valentin Nechayev <netch@lucky.net>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/31034: regularly add original address logging for tcpwrappers address mismatch diagnostics
Message-ID:  <200110041050.NTI04503@sivka.carrier.kiev.ua>
next in thread | raw e-mail | index | archive | help 

>Number:         31034
>Category:       bin
>Synopsis:       regularly add original address logging for tcpwrappers address mismatch diagnostics
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 04 04:00:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Valentin Nechayev
>Release:        FreeBSD 4.4-RELEASE-20010916 i386
>Organization:
Lucky Net Ltd.
>Environment:

FreeBSD 4.4-RELEASE
FreeBSD 5.0-CURRENT
	
>Description:

When tcp_wrappers try to obtain host name for known host address, and
paranoidal or relaxed resolving failed, it only prints part of information
to find bad address, resulting in messages similar to

Oct  4 13:42:57 sivka inetd[3393]: warning: /etc/hosts.allow, line 25: can't verify hostname: getaddrinfo(eux.kiev.ua, AF_INET) failed

which only annoy and don't help to fix the problem.

Most of this warning loggings are not part of original (Venema's)
tcp_wrappers, but were added in FreeBSD during IPv6'fication.

>How-To-Repeat:

Connect from host with bad resolving.

>Fix:

The following patch adds wanted logging to all cases when resolving fails.
In some places it can be considered superfluous, but nobody knows what
will be really needed ;)

It supposes that sock_hostaddr() is always called before sock_hostname(),
which is true for all normal usage I hope.

As the file to patch is already FreeBSD local version, there is no
harm to add patch in contrib subdirectory.

--- src/contrib/tcp_wrappers/socket.c.0	Wed Jul 11 14:47:43 2001
+++ src/contrib/tcp_wrappers/socket.c	Thu Oct  4 13:35:32 2001
@@ -225,8 +225,8 @@
 	if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) {
 	    freeaddrinfo(res0);
 	    tcpd_warn("host name/name mismatch: "
-		      "reverse lookup results in non-FQDN %s",
-		      host->name);
+		      "reverse lookup for %s results in non-FQDN %s",
+		      host->addr, host->name);
 	    strcpy(host->name, paranoid);	/* name is bad, clobber it */
 	}
 	err = !err;
@@ -258,9 +258,10 @@
 	     * may be a transient problem or a botched name server setup.
 	     */
 
-	    tcpd_warn("can't verify hostname: getaddrinfo(%s, %s) failed",
+	    tcpd_warn("can't verify hostname: getaddrinfo(%s, %s) failed for %s",
 		      host->name,
-		      (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6");
+		      (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6",
+		      host->addr);
 
 	} else if ((res0->ai_canonname == NULL
 		    || STR_NE(host->name, res0->ai_canonname))
@@ -272,9 +273,10 @@
 	     * problem. It could also be that someone is trying to spoof us.
 	     */
 
-	    tcpd_warn("host name/name mismatch: %s != %.*s",
+	    tcpd_warn("host name/name mismatch: %s != %.*s, addr=%s",
 		      host->name, STRING_LENGTH,
-		      (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
+		      (res0->ai_canonname == NULL) ? "" : res0->ai_canonname,
+		      host->addr);
 
 	} else {
 
@@ -317,9 +319,10 @@
 
 	    getnameinfo(sin, salen, hname, sizeof(hname),
 			NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
-	    tcpd_warn("host name/address mismatch: %s != %.*s",
+	    tcpd_warn("host name/address mismatch: %s != %.*s, origaddr=%s",
 		      hname, STRING_LENGTH,
-		      (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
+		      (res0->ai_canonname == NULL) ? "" : res0->ai_canonname,
+		      host->addr);
 	}
 	strcpy(host->name, paranoid);		/* name is bad, clobber it */
 	if (res0)
@@ -363,8 +366,8 @@
 	     * may be a transient problem or a botched name server setup.
 	     */
 
-	    tcpd_warn("can't verify hostname: gethostbyname(%s) failed",
-		      host->name);
+	    tcpd_warn("can't verify hostname: gethostbyname(%s) failed for origaddr %s",
+		      host->name, host->addr);
 
 	} else if (STR_NE(host->name, hp->h_name)
 		   && STR_NE(host->name, "localhost")) {
@@ -375,8 +378,8 @@
 	     * problem. It could also be that someone is trying to spoof us.
 	     */
 
-	    tcpd_warn("host name/name mismatch: %s != %.*s",
-		      host->name, STRING_LENGTH, hp->h_name);
+	    tcpd_warn("host name/name mismatch: %s != %.*s, addr=%s",
+		      host->name, STRING_LENGTH, hp->h_name, host->addr);
 
 	} else {
 
@@ -400,8 +403,9 @@
 	     * server.
 	     */
 
-	    tcpd_warn("host name/address mismatch: %s != %.*s",
-		      inet_ntoa(sin->sin_addr), STRING_LENGTH, hp->h_name);
+	    tcpd_warn("host name/address mismatch: %s != %.*s, origaddr=%s",
+		      inet_ntoa(sin->sin_addr), STRING_LENGTH, hp->h_name,
+		      host->addr);
 	}
 	strcpy(host->name, paranoid);		/* name is bad, clobber it */
     }
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200110041050.NTI04503>