Commit Graph

12 Commits

Author SHA1 Message Date
kris
a465db1b2b This commit was generated by cvs2svn to compensate for changes in r80260,
which included commits to RCS files with non-trunk default branches.
2001-07-24 09:05:00 +00:00
kris
1c1c77e4e2 Import updated/clarified license for tcp_wrappers.
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that this entire copyright notice
+* is duplicated in all such copies.

Obtained from:	ftp://ftp.porcupine.org/pub/security/tcp_wrappers_license
2001-07-24 09:05:00 +00:00
kris
76f9847f71 Unbreak "paranoid" host checking, which was broken with the IPv6 code
import.

Submitted by:	Tony Finch <dot@dotat.at>
2001-07-04 20:16:18 +00:00
dwmalone
89aa26ba0b Make tcpwrappers use the magic in syslog.h for getting syslog facility
and level names.

Add FreeBSD tag.

PR:		24218
Approved by:	markm
2001-01-14 23:00:59 +00:00
ume
6070b584b1 - reject numeric address
- validate scope in sockaddr comparison logic

patch was originally submitted by itojun and slightly modified by me.

Reviewed by:	itojun, kris
2000-09-25 00:41:55 +00:00
ume
7478417f78 Don't touch ai_canonname without checking NULL. Current
implementation of getaddrinfo() may return NULL ai_canonname.
There is no consensus how getaddrinfo() should fill ai_canonname
when numeric hostname is given.

Reported by:	kris
2000-09-23 15:40:12 +00:00
ume
70f27cd4dd Add IPv6 scoped address support.
It enables us to control link-local connections by interface like
this:

    ALL : [fe80::%ed0]/10 : allow
    ALL : [fe80::]/10 : deny
2000-07-14 17:15:34 +00:00
dwmalone
65587821d3 Stop the tcp_wrappers ident code sending a request which is split
across several packets. This is done by not turning off buffering
on the stdio stream for the ident connection. Originally this was
done to avoid reading back what you'd just written into the buffer.
However ANSI C gives a list of functions which should allow you to
safely change direction on a stdio stream, and Wietse found that
fseek seemed to be the most portable.

The original patch used a different workaround, but this should be
a real fix.

PR:		16086
Reviewed by:	wietse@porcupine.org
(Original version) Approved by:	markm
2000-07-14 15:07:37 +00:00
shin
225d233deb Missing tcp_wrapper IPv6 support seemed to be a bug, so commit it.
Now when tcp_wrapper is enabled by inetd -wW,
  several accesses which should be permitted are refused only for IPv6,
  if hostname is used to decide the host to be allowed.
  IPv6 users will be just upset.

  About security related concern.
    -All extensions are wrapped by #ifdef INET6, so people can completely
     disable the extension by recompile libwrap without INET6 option.
    -Access via IPv6 is not enabled by default.
     People need to enable IPv6 access by changing /etc/inetd.conf at first,
     by adding tcp6 and/or tcp46 entries.
    -The base of patches are from KAME package and are actually daily used
     for more than a year in several Japanese IPv6 environments.
    -Patches are reviewed by markm.

Approved by: jkh

Submitted by: Hajimu UMEMOTO <ume@mahoroba.org>
Reviewed by: markm
Obtained from: KAME project
2000-02-03 10:27:03 +00:00
sheldonh
54fb6a7e44 Add the ``blacklist'' feature, which allows a path to a filename to
be used as a valid pattern in the access control language.

Patch obtained from ftp://ftp.porcupine.org/pub/security/ .

Requested by:	markm
1999-09-21 09:09:57 +00:00
ache
96eeae5a31 Since our inetd wrapped now, treat all its services as tcpd-prefixed
for tcpdchk
1999-04-03 04:02:29 +00:00
markm
06c148304a Clean import of TCP-wrappers by Wietse Venema.
Rest of build to follow.
1999-03-14 17:13:19 +00:00