[opensuse-factory] Still a problem -- libwrap doesn't work properly on ipv4-only kernel
I reported this a while back and people thought it might be the dns server's issue, but looking at the code the problem is that the patched version of tcpd.c that enables it to work for ipv6, DISABLES it working for ipv4.

Does anyone know who is responsible for the tcp_wrappers/libwrap/tcpd package?

I had to turn off full checking in tcpd and set it for 'warn only' (if it checked instead of warned it would lock me out). The warning / problem message looks like:

May 23 15:34:56 Ishtar sshd[39364]: warning: /etc/hosts.allow, line 63: host name mismatch: Athenae != (null) (::ffff:192.168.4.12)

Athenae didn't have an ipv6 addr because the server has no ipv6 interfaces. tcpd was set up to only query for dns on ipv6...

Now I can log in with no warnings, but I don't have an ipv6 to immediately test this on. But the same binary should work now for both ipv4 and ipv6 enabled kernels. I check for presence of /proc/sys/net/ipv6. If it exists, I use the ipv6 code path, else use the ipv4 code path. I did verify if I manually set the flag to ipv6 mode, I got the warning again as before, but in the mode where it tests for the proc dir existence, I don't.

Attached is a diff against latest factory source that should fix the problem. If the maintainer could look it over and give it a run on an ipv6 enabled machine, and either include in suse's product, or better, feed it back upstream (it was looking at the source changes upstream that gave me the idea that they'd done a quick ipv6 job) that'd be great..?

It was a quick job, but I think I have confidence enough in it to submit it here. Can it be integrated if it is ok? It fixes a long outstanding problem in the tcpd code...
Oops... patch had a white-space issue... This should look better
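Added example, not part of the original messages or of the attached patch: the warning quoted above reports an IPv4 peer as the IPv4-mapped address ::ffff:192.168.4.12, so this C code reduces such an address to plain IPv4 before a host-name check compares it, next to the /proc/sys/net/ipv6 runtime test the message describes. It goes beyond the message by keying on the peer address rather than only on the kernel; the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Runtime test described in the message: the directory exists only
 * when the running kernel has an IPv6 stack. */
int kernel_has_ipv6(void)
{
    return access("/proc/sys/net/ipv6", F_OK) == 0;
}

/* Parse a textual address and reduce an IPv4-mapped IPv6 address
 * (::ffff:a.b.c.d) to plain IPv4. Fills `out` (INET6_ADDRSTRLEN bytes
 * is enough) with the canonical text and returns AF_INET or AF_INET6,
 * or -1 when `text` is not an address literal. */
int normalize_peer(const char *text, char *out, socklen_t outlen)
{
    struct in6_addr a6;
    struct in_addr a4;

    if (inet_pton(AF_INET, text, &a4) == 1)
        return inet_ntop(AF_INET, &a4, out, outlen) ? AF_INET : -1;
    if (inet_pton(AF_INET6, text, &a6) != 1)
        return -1;
    if (IN6_IS_ADDR_V4MAPPED(&a6)) {
        /* The last four bytes of a mapped address are the IPv4 address. */
        memcpy(&a4, &a6.s6_addr[12], sizeof a4);
        return inet_ntop(AF_INET, &a4, out, outlen) ? AF_INET : -1;
    }
    return inet_ntop(AF_INET6, &a6, out, outlen) ? AF_INET6 : -1;
}

/* Compare a forward-lookup result with the peer address after both are
 * normalized, so an A record 192.168.4.12 matches a peer reported as
 * ::ffff:192.168.4.12 (addresses taken from the log line above). */
int same_host_addr(const char *forward, const char *peer)
{
    char f[INET6_ADDRSTRLEN], p[INET6_ADDRSTRLEN];
    int ff = normalize_peer(forward, f, sizeof f);
    int pf = normalize_peer(peer, p, sizeof p);

    return ff != -1 && ff == pf && strcmp(f, p) == 0;
}
```

The family returned by normalize_peer() is the one a resolver query for the host name should use, whichever socket type accepted the connection.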
On Thu, 23 May 2013 16:31:37 -0700 Linda Walsh <suse@tlinx.org> wrote:
Oops... patch had a white-space issue...
This should look better
It does not. It has a large amount of white-space-only changes, which makes it hard to review. To start with
@@ -66,10 +83,10 @@ } else { sprintf(dot_name, "%s.", name); hp = gethostbyname(dot_name); - if (hp) - return hp; - else - return (gethostbyname(name)); + if (hp) + return hp; + else + return (gethostbyname(name)); } }
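Review bot: the four removed lines and the four added lines in this hunk ("if (hp)", "return hp;", "else", "return (gethostbyname(name));") carry the same tokens, so the hunk is indentation-only and has no bearing on choosing between the ipv4 and ipv6 paths. Drop it from the patch, or regenerate the diff with white-space changes ignored, so that the functional changes are not buried; if the re-indentation is wanted, send it as a separate white-space-only patch.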
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Andrey Borzenkov wrote:
On Thu, 23 May 2013 16:31:37 -0700 Linda Walsh <suse@tlinx.org> wrote:
Oops... patch had a white-space issue...
This should look better
It does not. It has a large amount of white-space-only changes, which makes it hard to review. To start with
@@ -66,10 +83,10 @@ } else { sprintf(dot_name, "%s.", name); hp = gethostbyname(dot_name); - if (hp) - return hp; - else - return (gethostbyname(name)); + if (hp) + return hp; + else + return (gethostbyname(name)); } }
The ones that are left are because the code is indented more. The previous code uses #ifdef and doesn't indent for them. Since #ifdef toggled off ipv4 or ipv6, it was removed and replaced with runtime options that take the ipv4 path if the /proc/sys/net/ipv6 directory isn't on your system (i.e. your system doesn't have ipv6 installed).

The white space issue caused a difference on every line and generated a 13k diff. Removing the entabulation left the lines that were changed due to the code changing.

If you find a patch difficult to review, I've found it is easiest to apply it on a test copy then use a tool like mgdiff to see things side by side. If white space is an issue, use the form "mgdiff -args -b <file1> <file2>". mgdiff uses that to tell diff to ignore all white space changes. I tend to be visual myself, and seeing them side-by-side makes it easier.

It's not the most complicated code or changeset to follow... as it was only making both code paths live side-by-side, "all friendly like", and having some small amount of arbitration code to "do the right thing"...

Honestly, I'd thought the problem would have been fixed by now, but guess most people have an ipv6 stack installed even though most people have no use for it (my ISP doesn't support it yet, so not really an option, and locally, it just adds problems -- like the one that had people routing ipv4 -> ipv4 through an ipv6 layer encapsulated in ipv4 -- just to have packets going in and out using ipv6). A few-several months back, some network committee said that was bad practice -- that if there was an ipv4 route between two points it not only made no sense to use ipv6 over ipv4 but was creating inefficiencies and overhead. I found that out years back when I even had my DNS config'ed w/IPv6... everything was slower -- because the default was always to try ipv6 first -- which may be good someday... but not quite yet...

Hope the mgdiff viewer helps.. it's about the best out there (which isn't saying a lot given the lack of options)... but it does get the job done.
participants (2): Andrey Borzenkov, Linda Walsh