8053080cbc
Now when tcp_wrapper is enabled by inetd -wW,
several accesses which should be permitted are refused only for IPv6,
if hostname is used to decide the host to be allowed.
IPv6 users will be just upset.
About security related concern.
-All extensions are wrapped by #ifdef INET6, so people can completely
disable the extension by recompile libwrap without INET6 option.
-Access via IPv6 is not enabled by default.
People need to enable IPv6 access by changing /etc/inetd.conf at first,
by adding tcp6 and/or tcp46 entries.
-The base of patches are from KAME package and are actually daily used
for more than a year in several Japanese IPv6 environments.
-Patches are reviewed by markm.
Approved by: jkh
Submitted by: Hajimu UMEMOTO <ume@mahoroba.org>
Reviewed by: markm
Obtained from: KAME project
40 lines
911 B
C
40 lines
911 B
C
/*
|
|
* refuse() reports a refused connection, and takes the consequences: in
|
|
* case of a datagram-oriented service, the unread datagram is taken from
|
|
* the input queue (or inetd would see the same datagram again and again);
|
|
* the program is terminated.
|
|
*
|
|
* Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
|
|
*
|
|
* $FreeBSD$
|
|
*/
|
|
|
|
#ifndef lint
|
|
static char sccsid[] = "@(#) refuse.c 1.5 94/12/28 17:42:39";
|
|
#endif
|
|
|
|
/* System libraries. */
|
|
|
|
#include <stdio.h>
|
|
#include <syslog.h>
|
|
|
|
/* Local stuff. */
|
|
|
|
#include "tcpd.h"
|
|
|
|
/* refuse - refuse request */
|
|
|
|
void refuse(request)
|
|
struct request_info *request;
|
|
{
|
|
#ifdef INET6
|
|
syslog(deny_severity, "refused connect from %s (%s)",
|
|
eval_client(request), eval_hostaddr(request->client));
|
|
#else
|
|
syslog(deny_severity, "refused connect from %s", eval_client(request));
|
|
#endif
|
|
clean_exit(request);
|
|
/* NOTREACHED */
|
|
}
|
|
|