2 * Copyright (C) 1995-1999 Jeffrey A. Uphoff
3 * Major rewrite by Olaf Kirch, Dec. 1996.
4 * Modified by H.J. Lu, 1998.
5 * Tighter access control, Olaf Kirch June 1999.
21 #include <arpa/inet.h>
29 #include "ha-callout.h"
31 notify_list * rtnl = NULL; /* Run-time notify list. */
34 * Reject requests from non-loopback addresses in order
35 * to prevent attack described in CERT CA-99.05.
37 * Although the kernel contacts the statd service via only IPv4
38 * transports, the statd service can receive other requests, such
39 * as SM_NOTIFY, from remote peers via IPv6.
42 caller_is_localhost(struct svc_req *rqstp)
44 struct sockaddr *sap = nfs_getrpccaller(rqstp->rq_xprt);
45 char buf[INET6_ADDRSTRLEN];
47 if (!nfs_is_v4_loopback(sap))
52 if (!statd_present_address(sap, buf, sizeof(buf)))
54 xlog_warn("SM_MON/SM_UNMON call from non-local host %s", buf);
59 * Services SM_MON requests.
62 sm_mon_1_svc(struct mon *argp, struct svc_req *rqstp)
64 static sm_stat_res result;
65 char *mon_name = argp->mon_id.mon_name,
66 *my_name = argp->mon_id.my_id.my_name;
67 struct my_id *id = &argp->mon_id.my_id;
70 struct sockaddr_in my_addr = {
71 .sin_family = AF_INET,
72 .sin_addr.s_addr = htonl(INADDR_LOOPBACK),
75 struct hostent *hostinfo = NULL;
77 xlog(D_CALL, "Received SM_MON for %s from %s", mon_name, my_name);
79 /* Assume that we'll fail. */
80 result.res_stat = STAT_FAIL;
81 result.state = -1; /* State is undefined for STAT_FAIL. */
83 /* 1. Reject any remote callers.
84 * Ignore the my_name specified by the caller, and
85 * use "127.0.0.1" instead.
87 if (!caller_is_localhost(rqstp))
90 /* 2. Reject any registrations for non-lockd services.
92 * This is specific to the linux kernel lockd, which
93 * makes the callback procedure part of the lockd interface.
94 * It is also prone to break when lockd changes its callback
95 * procedure number -- which, in fact, has now happened once.
96 * There must be a better way.... XXX FIXME
98 if (id->my_prog != 100021 ||
99 (id->my_proc != 16 && id->my_proc != 24))
101 xlog_warn("Attempt to register callback to %d/%d",
102 id->my_prog, id->my_proc);
107 * Check hostnames. If I can't look them up, I won't monitor. This
108 * might not be legal, but it adds a little bit of safety and sanity.
111 /* must check for /'s in hostname! See CERT's CA-96.09 for details. */
112 if (strchr(mon_name, '/') || mon_name[0] == '.') {
113 xlog(L_ERROR, "SM_MON request for hostname containing '/' "
114 "or starting '.': %s", mon_name);
115 xlog(L_ERROR, "POSSIBLE SPOOF/ATTACK ATTEMPT!");
117 } else if ((hostinfo = gethostbyname(mon_name)) == NULL) {
118 xlog_warn("gethostbyname error for %s", mon_name);
122 /* my_name must not have white space */
123 for (cp=my_name ; *cp ; cp++)
124 if (*cp == ' ' || *cp == '\t' || *cp == '\r' || *cp == '\n')
128 * Hostnames checked OK.
129 * Now choose a hostname to use for matching. We cannot
130 * really trust much in the incoming NOTIFY, so to make
131 * sure that multi-homed hosts work nicely, we get an
132 * FQDN now, and use that for matching
134 hostinfo = gethostbyaddr(hostinfo->h_addr,
136 hostinfo->h_addrtype);
138 dnsname = xstrdup(hostinfo->h_name);
140 dnsname = xstrdup(my_name);
142 /* Now check to see if this is a duplicate, and warn if so.
143 * I will also return STAT_FAIL. (I *think* this is how I should
146 * Olaf requests that I allow duplicate SM_MON requests for
147 * hosts due to the way he is coding lockd. No problem,
148 * I'll just do a quickie success return and things should
153 while ((clnt = nlist_gethost(clnt, mon_name, 0))) {
154 if (statd_matchhostname(NL_MY_NAME(clnt), my_name) &&
155 NL_MY_PROC(clnt) == id->my_proc &&
156 NL_MY_PROG(clnt) == id->my_prog &&
157 NL_MY_VERS(clnt) == id->my_vers &&
158 memcmp(NL_PRIV(clnt), argp->priv, SM_PRIV_SIZE) == 0) {
159 /* Hey! We already know you guys! */
161 "Duplicate SM_MON request for %s "
162 "from procedure on %s",
165 /* But we'll let you pass anyway. */
168 clnt = NL_NEXT(clnt);
172 * We're committed...ignoring errors. Let's hope that a malloc()
173 * doesn't fail. (I should probably fix this assumption.)
175 if (!(clnt = nlist_new(my_name, mon_name, 0))) {
176 xlog_warn("out of memory");
180 NL_ADDR(clnt) = my_addr.sin_addr;
181 NL_MY_PROG(clnt) = id->my_prog;
182 NL_MY_VERS(clnt) = id->my_vers;
183 NL_MY_PROC(clnt) = id->my_proc;
184 memcpy(NL_PRIV(clnt), argp->priv, SM_PRIV_SIZE);
185 clnt->dns_name = dnsname;
188 * Now, Create file on stable storage for host.
190 if (!nsm_insert_monitored_host(dnsname,
191 (struct sockaddr *)(char *)&my_addr, argp)) {
192 nlist_free(NULL, clnt);
196 /* PRC: do the HA callout: */
197 ha_callout("add-client", mon_name, my_name, -1);
198 nlist_insert(&rtnl, clnt);
199 xlog(D_GENERAL, "MONITORING %s for %s", mon_name, my_name);
201 result.res_stat = STAT_SUCC;
202 /* SUN's sm_inter.x says this should be "state number of local site".
203 * X/Open says '"state" will be contain the state of the remote NSM.'
204 * href=http://www.opengroup.org/onlinepubs/9629799/SM_MON.htm
205 * Linux lockd currently (2.6.21 and prior) ignores whatever is
206 * returned, and given the above contraction, it probably always will..
207 * So we just return what we always returned. If possible, we
208 * have already told lockd about our state number via a sysctl.
209 * If lockd wants the remote state, it will need to
210 * use SM_STAT (and prayer).
212 result.state = MY_STATE;
216 xlog_warn("STAT_FAIL to %s for SM_MON of %s", my_name, mon_name);
221 load_one_host(const char *hostname, const struct sockaddr *sap,
223 __attribute__ ((unused)) const time_t timestamp)
225 const struct sockaddr_in *sin = (const struct sockaddr_in *)sap;
228 clnt = nlist_new(m->mon_id.my_id.my_name,
229 m->mon_id.mon_name, 0);
233 clnt->dns_name = strdup(hostname);
234 if (clnt->dns_name == NULL) {
235 nlist_free(NULL, clnt);
239 xlog(D_GENERAL, "Adding record for %s to the monitor list...",
242 NL_ADDR(clnt) = sin->sin_addr;
243 NL_MY_PROG(clnt) = m->mon_id.my_id.my_prog;
244 NL_MY_VERS(clnt) = m->mon_id.my_id.my_vers;
245 NL_MY_PROC(clnt) = m->mon_id.my_id.my_proc;
246 memcpy(NL_PRIV(clnt), m->priv, SM_PRIV_SIZE);
248 nlist_insert(&rtnl, clnt);
252 void load_state(void)
256 count = nsm_load_monitor_list(load_one_host);
258 xlog(D_GENERAL, "Loaded %u previously monitored hosts");
262 * Services SM_UNMON requests.
264 * There is no statement in the X/Open spec's about returning an error
265 * for requests to unmonitor a host that we're *not* monitoring. I just
266 * return the state of the NSM when I get such foolish requests for lack
267 * of any better ideas. (I also log the "offense.")
270 sm_unmon_1_svc(struct mon_id *argp, struct svc_req *rqstp)
272 static sm_stat result;
274 char *mon_name = argp->mon_name,
275 *my_name = argp->my_id.my_name;
276 struct my_id *id = &argp->my_id;
279 xlog(D_CALL, "Received SM_UNMON for %s from %s", mon_name, my_name);
281 result.state = MY_STATE;
283 if (!caller_is_localhost(rqstp))
286 /* my_name must not have white space */
287 for (cp=my_name ; *cp ; cp++)
288 if (*cp == ' ' || *cp == '\t' || *cp == '\r' || *cp == '\n')
292 /* Check if we're monitoring anyone. */
294 xlog_warn("Received SM_UNMON request from %s for %s while not "
295 "monitoring any hosts", my_name, argp->mon_name);
301 * OK, we are. Now look for appropriate entry in run-time list.
302 * There should only be *one* match on this, since I block "duplicate"
303 * SM_MON calls. (Actually, duplicate calls are allowed, but only one
304 * entry winds up in the list the way I'm currently handling them.)
306 while ((clnt = nlist_gethost(clnt, mon_name, 0))) {
307 if (statd_matchhostname(NL_MY_NAME(clnt), my_name) &&
308 NL_MY_PROC(clnt) == id->my_proc &&
309 NL_MY_PROG(clnt) == id->my_prog &&
310 NL_MY_VERS(clnt) == id->my_vers) {
312 xlog(D_GENERAL, "UNMONITORING %s for %s",
315 /* PRC: do the HA callout: */
316 ha_callout("del-client", mon_name, my_name, -1);
318 nsm_delete_monitored_host(clnt->dns_name);
319 nlist_free(&rtnl, clnt);
323 clnt = NL_NEXT(clnt);
327 xlog_warn("Received erroneous SM_UNMON request from %s for %s",
334 sm_unmon_all_1_svc(struct my_id *argp, struct svc_req *rqstp)
337 static sm_stat result;
339 char *my_name = argp->my_name;
341 xlog(D_CALL, "Received SM_UNMON_ALL for %s", my_name);
343 if (!caller_is_localhost(rqstp))
346 result.state = MY_STATE;
349 xlog_warn("Received SM_UNMON_ALL request from %s "
350 "while not monitoring any hosts", my_name);
355 while ((clnt = nlist_gethost(clnt, my_name, 1))) {
356 if (NL_MY_PROC(clnt) == argp->my_proc &&
357 NL_MY_PROG(clnt) == argp->my_prog &&
358 NL_MY_VERS(clnt) == argp->my_vers) {
360 char mon_name[SM_MAXSTRLEN + 1];
364 "UNMONITORING (SM_UNMON_ALL) %s for %s",
365 NL_MON_NAME(clnt), NL_MY_NAME(clnt));
366 strncpy(mon_name, NL_MON_NAME(clnt),
367 sizeof (mon_name) - 1);
368 mon_name[sizeof (mon_name) - 1] = '\0';
369 temp = NL_NEXT(clnt);
370 /* PRC: do the HA callout: */
371 ha_callout("del-client", mon_name, my_name, -1);
372 nsm_delete_monitored_host(clnt->dns_name);
373 nlist_free(&rtnl, clnt);
377 clnt = NL_NEXT(clnt);
381 xlog(D_GENERAL, "SM_UNMON_ALL request from %s with no "
382 "SM_MON requests from it", my_name);