1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
|
/* $OpenBSD: tcpd.h,v 1.15 2003/06/03 21:09:00 deraadt Exp $ */
/*
* Copyright (c) 1997, Jason Downs. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* @(#) tcpd.h 1.5 96/03/19 16:22:24
*
* Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
*/
#ifndef _TCPD_H_
#define _TCPD_H_
#include <sys/cdefs.h>
/* Structure to describe one communications endpoint. */
#define STRING_LENGTH 256 /* hosts, users, processes */
struct host_info {
char name[STRING_LENGTH]; /* access via eval_hostname(host) */
char addr[STRING_LENGTH]; /* access via eval_hostaddr(host) */
struct sockaddr *sin; /* socket address or 0 */
struct t_unitdata *unit; /* TLI transport address or 0 */
struct request_info *request; /* for shared information */
};
/* Structure to describe what we know about a service request. */
struct request_info {
int fd; /* socket handle */
char user[STRING_LENGTH]; /* access via eval_user(request) */
char daemon[STRING_LENGTH]; /* access via eval_daemon(request) */
char pid[10]; /* access via eval_pid(request) */
struct host_info client[1]; /* client endpoint info */
struct host_info server[1]; /* server endpoint info */
void (*sink)(int); /* datagram sink function or 0 */
void (*hostname)(struct host_info *); /* address to printable hostname */
void (*hostaddr)(struct host_info *); /* address to printable address */
void (*cleanup)(void); /* cleanup function or 0 */
struct netconfig *config; /* netdir handle */
};
/* Common string operations. Less clutter should be more readable. */
#define STRN_CPY(d,s,l) { strncpy((d),(s),(l)); (d)[(l)-1] = 0; }
#define STRN_EQ(x,y,l) (strncasecmp((x),(y),(l)) == 0)
#define STRN_NE(x,y,l) (strncasecmp((x),(y),(l)) != 0)
#define STR_EQ(x,y) (strcasecmp((x),(y)) == 0)
#define STR_NE(x,y) (strcasecmp((x),(y)) != 0)
/*
* Initially, all above strings have the empty value. Information that
* cannot be determined at runtime is set to "unknown", so that we can
* distinguish between `unavailable' and `not yet looked up'. A hostname
* that we do not believe in is set to "paranoid".
*/
#define STRING_UNKNOWN "unknown" /* lookup failed */
#define STRING_PARANOID "paranoid" /* hostname conflict */
__BEGIN_DECLS
extern char unknown[];
extern char paranoid[];
__END_DECLS
#define HOSTNAME_KNOWN(s) (STR_NE((s),unknown) && STR_NE((s),paranoid))
#define NOT_INADDR(s) (s[strspn(s,"01234567890./")] != 0)
/* Global functions. */
#ifdef __cplusplus
extern "C" {
#endif
#define fromhost sock_host /* no TLI support needed */
__BEGIN_DECLS
extern int hosts_access(struct request_info *);
extern int hosts_ctl(char *, char *, char *, char *);
extern void shell_cmd(char *);
extern char *percent_m(char *, char *);
extern char *percent_x(char *, int, char *, struct request_info *);
extern void rfc931(struct sockaddr *, struct sockaddr *, char *);
extern int rfc1413(struct sockaddr *, struct sockaddr *, char *, size_t, int);
extern void clean_exit(struct request_info *);
extern void refuse(struct request_info *);
#ifdef _STDIO_H_
extern char *xgets(char *, int, FILE *);
#endif /* _STDIO_H_ */
extern char *split_at(char *, int);
extern int dot_quad_addr_new(char *, in_addr_t *);
extern in_addr_t dot_quad_addr(char *);
#ifdef __cplusplus
}
#endif
/* Global variables. */
extern int allow_severity; /* for connection logging */
extern int deny_severity; /* for connection logging */
extern char *hosts_allow_table; /* for verification mode redirection */
extern char *hosts_deny_table; /* for verification mode redirection */
extern int hosts_access_verbose; /* for verbose matching mode */
extern int rfc931_timeout; /* user lookup timeout */
extern int resident; /* > 0 if resident process */
/*
* Routines for controlled initialization and update of request structure
* attributes. Each attribute has its own key.
*/
extern struct request_info *request_init(struct request_info *, ...);
extern struct request_info *request_set(struct request_info *, ...);
#define RQ_FILE 1 /* file descriptor */
#define RQ_DAEMON 2 /* server process (argv[0]) */
#define RQ_USER 3 /* client user name */
#define RQ_CLIENT_NAME 4 /* client host name */
#define RQ_CLIENT_ADDR 5 /* client host address */
#define RQ_CLIENT_SIN 6 /* client endpoint (internal) */
#define RQ_SERVER_NAME 7 /* server host name */
#define RQ_SERVER_ADDR 8 /* server host address */
#define RQ_SERVER_SIN 9 /* server endpoint (internal) */
/*
* Routines for delayed evaluation of request attributes. Each attribute
* type has its own access method. The trivial ones are implemented by
* macros. The other ones are wrappers around the transport-specific host
* name, address, and client user lookup methods. The request_info and
* host_info structures serve as caches for the lookup results.
*/
extern char *eval_user(struct request_info *);
extern char *eval_hostname(struct host_info *);
extern char *eval_hostaddr(struct host_info *);
extern char *eval_hostinfo(struct host_info *);
extern char *eval_client(struct request_info *);
extern char *eval_server(struct request_info *);
#define eval_daemon(r) ((r)->daemon) /* daemon process name */
#define eval_pid(r) ((r)->pid) /* process id */
/* Socket-specific methods, including DNS hostname lookups. */
extern void sock_host(struct request_info *);
extern void sock_hostname(struct host_info *);
extern void sock_hostaddr(struct host_info *);
#define sock_methods(r) \
{ (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
/*
* Problem reporting interface. Additional file/line context is reported
* when available. The jump buffer (tcpd_buf) is not declared here, or
* everyone would have to include <setjmp.h>.
*/
extern void tcpd_warn(char *, ...)
__attribute__((__format__(__printf__, 1, 2)));
extern void tcpd_jump(char *, ...)
__attribute__((__format__(__printf__, 1, 2)));
__END_DECLS
struct tcpd_context {
char *file; /* current file */
int line; /* current line */
};
__BEGIN_DECLS
extern struct tcpd_context tcpd_context;
/*
* While processing access control rules, error conditions are handled by
* jumping back into the hosts_access() routine. This is cleaner than
* checking the return value of each and every silly little function. The
* (-1) returns are here because zero is already taken by longjmp().
*/
#define AC_PERMIT 1 /* permit access */
#define AC_DENY (-1) /* deny_access */
#define AC_ERROR AC_DENY /* XXX */
/*
* In verification mode an option function should just say what it would do,
* instead of really doing it. An option function that would not return
* should clear the dry_run flag to inform the caller of this unusual
* behavior.
*/
extern void process_options(char *, struct request_info *);
extern int dry_run; /* verification flag */
__END_DECLS
#endif /* _TCPD_H_ */
|
