When tcp_wrappers try to obtain host name for known host address, and paranoidal or relaxed resolving failed, it only prints part of information to find bad address, resulting in messages similar to Oct 4 13:42:57 sivka inetd[3393]: warning: /etc/hosts.allow, line 25: can't verify hostname: getaddrinfo(eux.kiev.ua, AF_INET) failed which only annoy and don't help to fix the problem. Most of this warning loggings are not part of original (Venema's) tcp_wrappers, but were added in FreeBSD during IPv6'fication. Fix: The following patch adds wanted logging to all cases when resolving fails. In some places it can be considered superfluous, but nobody knows what will be really needed ;) It supposes that sock_hostaddr() is always called before sock_hostname(), which is true for all normal usage I hope. As the file to patch is already FreeBSD local version, there is no harm to add patch in contrib subdirectory. How-To-Repeat: Connect from host with bad resolving.
I want to update the patch from original report. Now it uses syslog(allow_severity,...) instead of tcpd_warn(), because tcpd_warn() uses LOG_ERR always, which is quite unreasonable fixed and too high for this problem. --- socket.c.0 Wed Jul 11 14:47:43 2001 +++ socket.c Wed Jan 9 12:38:59 2002 @@ -224,9 +224,9 @@ hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST; if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) { freeaddrinfo(res0); - tcpd_warn("host name/name mismatch: " - "reverse lookup results in non-FQDN %s", - host->name); + syslog(allow_severity, "host name/name mismatch: " + "reverse lookup for %s results in non-FQDN %s", + host->addr, host->name); strcpy(host->name, paranoid); /* name is bad, clobber it */ } err = !err; @@ -258,9 +258,11 @@ * may be a transient problem or a botched name server setup. */ - tcpd_warn("can't verify hostname: getaddrinfo(%s, %s) failed", + syslog(allow_severity, + "can't verify hostname: getaddrinfo(%s, %s) failed for %s", host->name, - (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6"); + (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6", + host->addr); } else if ((res0->ai_canonname == NULL || STR_NE(host->name, res0->ai_canonname)) @@ -272,9 +274,10 @@ * problem. It could also be that someone is trying to spoof us. */ - tcpd_warn("host name/name mismatch: %s != %.*s", + syslog(allow_severity, "host name/name mismatch: %s != %.*s, addr=%s", host->name, STRING_LENGTH, - (res0->ai_canonname == NULL) ? "" : res0->ai_canonname); + (res0->ai_canonname == NULL) ? "" : res0->ai_canonname, + host->addr); } else { @@ -317,9 +320,11 @@ getnameinfo(sin, salen, hname, sizeof(hname), NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); - tcpd_warn("host name/address mismatch: %s != %.*s", + syslog(allow_severity, + "host name/address mismatch: %s != %.*s, origaddr=%s", hname, STRING_LENGTH, - (res0->ai_canonname == NULL) ? "" : res0->ai_canonname); + (res0->ai_canonname == NULL) ? "" : res0->ai_canonname, + host->addr); } strcpy(host->name, paranoid); /* name is bad, clobber it */ if (res0) @@ -363,8 +368,9 @@ * may be a transient problem or a botched name server setup. */ - tcpd_warn("can't verify hostname: gethostbyname(%s) failed", - host->name); + syslog(allow_severity, + "can't verify hostname: gethostbyname(%s) failed for origaddr %s", + host->name, host->addr); } else if (STR_NE(host->name, hp->h_name) && STR_NE(host->name, "localhost")) { @@ -375,8 +381,8 @@ * problem. It could also be that someone is trying to spoof us. */ - tcpd_warn("host name/name mismatch: %s != %.*s", - host->name, STRING_LENGTH, hp->h_name); + syslog(allow_severity, "host name/name mismatch: %s != %.*s, addr=%s", + host->name, STRING_LENGTH, hp->h_name, host->addr); } else { @@ -400,8 +406,10 @@ * server. */ - tcpd_warn("host name/address mismatch: %s != %.*s", - inet_ntoa(sin->sin_addr), STRING_LENGTH, hp->h_name); + syslog(allow_severity, + "host name/address mismatch: %s != %.*s, origaddr=%s", + inet_ntoa(sin->sin_addr), STRING_LENGTH, hp->h_name, + host->addr); } strcpy(host->name, paranoid); /* name is bad, clobber it */ }
Responsible Changed From-To: freebsd-bugs->dwmalone dwmalone says he'll have a look at this.
Responsible Changed From-To: dwmalone->freebsd-bugs over to the pool (approved by bugmeister)
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped