Bug 31034 - regularly add original address logging for tcpwrappers address mismatch diagnostics
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 4.4-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2001-10-04 12:00 UTC by Valentin Nechayev
Modified: 2018-02-02 21:01 UTC (History)
Attachments
file.diff (3.05 KB, patch)
2001-10-04 12:00 UTC, Valentin Nechayev
Description Valentin Nechayev 2001-10-04 12:00:01 UTC
When tcp_wrappers tries to obtain the host name for a known host address, and
paranoid or relaxed resolving fails, it only prints part of the information
needed to find the bad address, resulting in messages similar to

Oct  4 13:42:57 sivka inetd[3393]: warning: /etc/hosts.allow, line 25: can't verify hostname: getaddrinfo(eux.kiev.ua, AF_INET) failed

which only annoy and don't help to fix the problem.

Most of these warning log messages are not part of the original (Venema's)
tcp_wrappers, but were added in FreeBSD during IPv6'fication.

Fix: The following patch adds the wanted logging to all cases where resolving fails.
In some places it can be considered superfluous, but nobody knows what
will really be needed ;)

It supposes that sock_hostaddr() is always called before sock_hostname(),
which is true for all normal usage, I hope.

As the file to patch is already a FreeBSD-local version, there is no
harm in adding the patch in the contrib subdirectory.
How-To-Repeat: 
Connect from a host with bad resolving.
Comment 1 Valentin Nechayev 2002-01-09 12:59:15 UTC
I want to update the patch from the original report.
Now it uses syslog(allow_severity,...) instead of tcpd_warn(), because
tcpd_warn() always uses LOG_ERR, which is quite unreasonably fixed and too
high for this problem.

--- socket.c.0	Wed Jul 11 14:47:43 2001
+++ socket.c	Wed Jan  9 12:38:59 2002
@@ -224,9 +224,9 @@
 	hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST;
 	if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) {
 	    freeaddrinfo(res0);
-	    tcpd_warn("host name/name mismatch: "
-		      "reverse lookup results in non-FQDN %s",
-		      host->name);
+	    syslog(allow_severity, "host name/name mismatch: "
+		      "reverse lookup for %s results in non-FQDN %s",
+		      host->addr, host->name);
 	    strcpy(host->name, paranoid);	/* name is bad, clobber it */
 	}
 	err = !err;
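Review bot: The new host->addr argument in the non-FQDN warning relies on a precondition that is not documented in the code: the report says the patch assumes sock_hostaddr() always runs before sock_hostname(), but nothing in this hunk states or enforces that. Add a comment at the top of the function recording the dependency, or build the numeric address locally the way the context of the later -317 hunk does with getnameinfo(..., NI_NUMERICHOST), so that the logged address does not depend on call order.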
@@ -258,9 +258,11 @@
 	     * may be a transient problem or a botched name server setup.
 	     */
 
-	    tcpd_warn("can't verify hostname: getaddrinfo(%s, %s) failed",
+	    syslog(allow_severity,
+		"can't verify hostname: getaddrinfo(%s, %s) failed for %s",
 		      host->name,
-		      (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6");
+		      (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6",
+		      host->addr);
 
 	} else if ((res0->ai_canonname == NULL
 		    || STR_NE(host->name, res0->ai_canonname))
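Review bot: Replacing tcpd_warn() with a direct syslog() call in the getaddrinfo() failure branch drops the "warning: /etc/hosts.allow, line 25:" prefix that the report's sample message carries in front of this text, so the entry no longer says which rule triggered the lookup. If the only goal is a lower priority, consider giving the warning helper a severity parameter instead of bypassing it, or carry the rule file and line into the new format string. Any log matcher keyed on the old prefix will also stop matching, which deserves a line in the commit message.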
@@ -272,9 +274,10 @@
 	     * problem. It could also be that someone is trying to spoof us.
 	     */
 
-	    tcpd_warn("host name/name mismatch: %s != %.*s",
+	    syslog(allow_severity, "host name/name mismatch: %s != %.*s, addr=%s",
 		      host->name, STRING_LENGTH,
-		      (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
+		      (res0->ai_canonname == NULL) ? "" : res0->ai_canonname,
+		      host->addr);
 
 	} else {
 
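Review bot: The address field is spelled "addr=%s" in this name/name mismatch message, but the patch uses "origaddr=%s" in the name/address mismatch messages, "failed for %s" in the getaddrinfo() failure and "failed for origaddr %s" in the gethostbyname() failure. Pick one key, for example "origaddr=%s", and use it in all seven messages so a single grep or log parser rule can pull out the offending client address.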
@@ -317,9 +320,11 @@
 
 	    getnameinfo(sin, salen, hname, sizeof(hname),
 			NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
-	    tcpd_warn("host name/address mismatch: %s != %.*s",
+	    syslog(allow_severity,
+		"host name/address mismatch: %s != %.*s, origaddr=%s",
 		      hname, STRING_LENGTH,
-		      (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
+		      (res0->ai_canonname == NULL) ? "" : res0->ai_canonname,
+		      host->addr);
 	}
 	strcpy(host->name, paranoid);		/* name is bad, clobber it */
 	if (res0)
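Review bot: The getnameinfo() call that fills hname, in the context lines just above the changed tcpd_warn(), has its return value ignored, so on failure the message prints whatever hname holds next to the new origaddr field. Now that host->addr is logged as well, either check the return value before using hname or drop hname from this message and rely on host->addr alone.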
@@ -363,8 +368,9 @@
 	     * may be a transient problem or a botched name server setup.
 	     */
 
-	    tcpd_warn("can't verify hostname: gethostbyname(%s) failed",
-		      host->name);
+	    syslog(allow_severity,
+		"can't verify hostname: gethostbyname(%s) failed for origaddr %s",
+		      host->name, host->addr);
 
 	} else if (STR_NE(host->name, hp->h_name)
 		   && STR_NE(host->name, "localhost")) {
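Review bot: host->name is printed with a plain %s in the new gethostbyname() failure message, while the neighbouring mismatch messages bound the looked-up name with %.*s and STRING_LENGTH. The first hunk shows host->name is the result of a reverse lookup on the client address, so it is data the remote side's name server controls; give it the same bound here by using %.*s with STRING_LENGTH as the precision argument.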
@@ -375,8 +381,8 @@
 	     * problem. It could also be that someone is trying to spoof us.
 	     */
 
-	    tcpd_warn("host name/name mismatch: %s != %.*s",
-		      host->name, STRING_LENGTH, hp->h_name);
+	    syslog(allow_severity, "host name/name mismatch: %s != %.*s, addr=%s",
+		      host->name, STRING_LENGTH, hp->h_name, host->addr);
 
 	} else {
 
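Review bot: The name/name mismatch branch, which the comment above it describes as possibly someone trying to spoof us, now logs at allow_severity, the same priority as the transient "can't verify hostname" failures. Consider keeping a higher priority for the mismatch branches than for the lookup failures, so that filtering on syslog priority still separates a possible spoofing attempt from a broken name server setup.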
@@ -400,8 +406,10 @@
 	     * server.
 	     */
 
-	    tcpd_warn("host name/address mismatch: %s != %.*s",
-		      inet_ntoa(sin->sin_addr), STRING_LENGTH, hp->h_name);
+	    syslog(allow_severity,
+		"host name/address mismatch: %s != %.*s, origaddr=%s",
+		      inet_ntoa(sin->sin_addr), STRING_LENGTH, hp->h_name,
+		      host->addr);
 	}
 	strcpy(host->name, paranoid);		/* name is bad, clobber it */
     }
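Review bot: In the name/address mismatch message the first %s is already inet_ntoa(sin->sin_addr), so if host->addr was filled from the same socket address, the added origaddr=%s repeats the value that starts the line. Either drop the extra argument in this branch or add a comment explaining when the two addresses can differ, so the reader of the log knows what the second one means.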
Comment 2 iedowse freebsd_committer freebsd_triage 2002-12-01 18:49:23 UTC
Responsible Changed
From-To: freebsd-bugs->dwmalone


dwmalone says he'll have a look at this.
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2012-07-10 04:41:39 UTC
Responsible Changed
From-To: dwmalone->freebsd-bugs

over to the pool (approved by bugmeister)
Comment 4 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:01:31 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped