X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fmountd%2Fauth.c;h=5a7ff8cd0fb81239eb5b717db3749bc7a665f196;hp=f968b07f906317642a4d438e8b40f7f8b653ee22;hb=9ccfe0fa5a43dfc4453b09e328565a6c8f999fe4;hpb=5272be95bf48cb4e9f8579105a79522e88b695f4 diff --git a/utils/mountd/auth.c b/utils/mountd/auth.c index f968b07..5a7ff8c 100644 --- a/utils/mountd/auth.c +++ b/utils/mountd/auth.c @@ -6,12 +6,15 @@ * Copyright (C) 1995, 1996 Olaf Kirch */ -#include "config.h" +#ifdef HAVE_CONFIG_H +#include +#endif #include #include #include #include +#include #include "misc.h" #include "nfslib.h" #include "exportfs.h" @@ -30,8 +33,11 @@ enum auth_error static void auth_fixpath(char *path); static char *export_file = NULL; +static nfs_export my_exp; +static nfs_client my_client; extern int new_cache; +extern int use_ipaddr; void auth_init(char *exports) @@ -42,23 +48,63 @@ auth_init(char *exports) xtab_mount_write(); } -int +/* + * A client can match many different netgroups and it's tough to know + * beforehand whether it will. If the concatenated string of netgroup + * m_hostnames is >512 bytes, then enable the "use_ipaddr" mode. This + * makes mountd change how it matches a client ip address when a mount + * request comes in. It's more efficient at handling netgroups at the + * expense of larger kernel caches. + */ +static void +check_useipaddr(void) +{ + nfs_client *clp; + int old_use_ipaddr = use_ipaddr; + unsigned int len = 0; + + /* add length of m_hostname + 1 for the comma */ + for (clp = clientlist[MCL_NETGROUP]; clp; clp = clp->m_next) + len += (strlen(clp->m_hostname) + 1); + + if (len > (NFSCLNT_IDMAX / 2)) + use_ipaddr = 1; + else + use_ipaddr = 0; + + if (use_ipaddr != old_use_ipaddr) + cache_flush(1); +} + +unsigned int auth_reload() { struct stat stb; - static time_t last_modified = 0; - - if (stat(_PATH_ETAB, &stb) < 0) + static ino_t last_inode; + static int last_fd; + static unsigned int counter; + int fd; + + if ((fd = open(_PATH_ETAB, O_RDONLY)) < 0) { + xlog(L_FATAL, "couldn't open %s", _PATH_ETAB); + } else if (fstat(fd, &stb) < 0) { xlog(L_FATAL, "couldn't stat %s", _PATH_ETAB); - if (stb.st_mtime == last_modified) - return 0; - last_modified = stb.st_mtime; + } else if (stb.st_ino == last_inode) { + close(fd); + return counter; + } else { + close(last_fd); + last_fd = fd; + last_inode = stb.st_ino; + } export_freeall(); - // export_read(export_file); + memset(&my_client, 0, sizeof(my_client)); xtab_export_read(); + check_useipaddr(); + ++counter; - return 1; + return counter; } static nfs_export * @@ -69,33 +115,40 @@ auth_authenticate_internal(char *what, struct sockaddr_in *caller, nfs_export *exp; if (new_cache) { - static nfs_export my_exp; - static nfs_client my_client; int i; /* return static nfs_export with details filled in */ - if (my_client.m_naddr != 1 || - my_client.m_addrlist[0].s_addr != caller->sin_addr.s_addr) { - /* different client to last time, so do a lookup */ - char *n; - my_client.m_naddr = 0; - my_client.m_addrlist[0] = caller->sin_addr; - n = client_compose(caller->sin_addr); + char *n; + free(my_client.m_hostname); + if (use_ipaddr) { + my_client.m_hostname = + strdup(inet_ntoa(caller->sin_addr)); + } else { + n = client_compose(hp); + *error = unknown_host; if (!n) - return NULL; - strcpy(my_client.m_hostname, *n?n:"DEFAULT"); - free(n); - my_client.m_naddr = 1; + my_client.m_hostname = NULL; + else if (*n) + my_client.m_hostname = n; + else { + free(n); + my_client.m_hostname = strdup("DEFAULT"); + } } - + if (my_client.m_hostname == NULL) + return NULL; + my_client.m_naddr = 1; + my_client.m_addrlist[0] = caller->sin_addr; my_exp.m_client = &my_client; exp = NULL; for (i = 0; !exp && i < MCL_MAXTYPES; i++) - for (exp = exportlist[i]; exp; exp = exp->m_next) { - if (!client_member(my_client.m_hostname, exp->m_client->m_hostname)) - continue; + for (exp = exportlist[i].p_head; exp; exp = exp->m_next) { if (strcmp(path, exp->m_export.e_path)) continue; + if (!use_ipaddr && !client_member(my_client.m_hostname, exp->m_client->m_hostname)) + continue; + if (use_ipaddr && !client_check(exp->m_client, hp)) + continue; break; } *error = not_exported; @@ -116,8 +169,7 @@ auth_authenticate_internal(char *what, struct sockaddr_in *caller, } } if (!(exp->m_export.e_flags & NFSEXP_INSECURE_PORT) && - (ntohs(caller->sin_port) < IPPORT_RESERVED/2 || - ntohs(caller->sin_port) >= IPPORT_RESERVED)) { + ntohs(caller->sin_port) >= IPPORT_RESERVED) { *error = illegal_port; return NULL; } @@ -134,7 +186,7 @@ auth_authenticate(char *what, struct sockaddr_in *caller, char *path) char *p = NULL; struct hostent *hp = NULL; struct in_addr addr = caller->sin_addr; - enum auth_error error; + enum auth_error error = bad_path; if (path [0] != '/') { xlog(L_WARNING, "bad path in %s request from %s: \"%s\"", @@ -146,11 +198,7 @@ auth_authenticate(char *what, struct sockaddr_in *caller, char *path) epath[sizeof (epath) - 1] = '\0'; auth_fixpath(epath); /* strip duplicate '/' etc */ - hp = get_reliable_hostbyaddr((const char*)&caller->sin_addr, sizeof(struct in_addr), - AF_INET); - if (!hp) - hp = get_hostent((const char*)&caller->sin_addr, sizeof(struct in_addr), - AF_INET); + hp = client_resolve(caller->sin_addr); if (!hp) return exp; @@ -166,7 +214,6 @@ auth_authenticate(char *what, struct sockaddr_in *caller, char *path) if (p == epath) p++; *p = '\0'; } - free(hp); switch (error) { case bad_path: @@ -175,7 +222,7 @@ auth_authenticate(char *what, struct sockaddr_in *caller, char *path) break; case unknown_host: - xlog(L_WARNING, "%s request from unknown host %s for %s (%s)", + xlog(L_WARNING, "refused %s request from %s for %s (%s): unmatched host", what, inet_ntoa(addr), path, epath); break;