From fe45888e228d1452b8301b3b074794bd443a7fa5 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 24 Sep 2004 03:34:55 +0000 Subject: r2581: added "hosts allow" and "hosts deny" checking in smbd. I needed this as my box keeps getting hit by viruses spreading on my companies internal network, which screws up my debug log badly (sigh). metze, I'm not sure if you think access.c should go in the socket library or not. It is closely tied to the socket functions, but you may prefer it separate. The access.c code is a port from Samba3, but with some cleanups to make it (slighly) less ugly. (This used to be commit 058b2fd99e3957d7d2a9544fd27071f1122eab68) --- source4/lib/socket/access.c | 353 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 353 insertions(+) create mode 100644 source4/lib/socket/access.c (limited to 'source4/lib/socket/access.c') diff --git a/source4/lib/socket/access.c b/source4/lib/socket/access.c new file mode 100644 index 0000000000..f33f8d56b1 --- /dev/null +++ b/source4/lib/socket/access.c 
@@ -0,0 +1,353 @@ +/* + Unix SMB/CIFS implementation. + + check access rules for socket connections + + Copyright (C) Andrew Tridgell 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + + +/* + This module is an adaption of code from the tcpd-1.4 package written + by Wietse Venema, Eindhoven University of Technology, The Netherlands. + + The code is used here with permission. + + The code has been considerably changed from the original. 
Bug reports + should be sent to samba@samba.org +*/ + +#include "includes.h" + +#define FAIL (-1) +#define ALLONES ((uint32_t)0xFFFFFFFF) + +/* masked_match - match address against netnumber/netmask */ +static BOOL masked_match(TALLOC_CTX *mem_ctx, const char *tok, const char *slash, const char *s) +{ + uint32_t net; + uint32_t mask; + uint32_t addr; + char *tok_cpy; + + if ((addr = interpret_addr(s)) == INADDR_NONE) + return False; + + tok_cpy = talloc_strdup(mem_ctx, tok); + tok_cpy[PTR_DIFF(slash,tok)] = '\0'; + net = interpret_addr(tok_cpy); + talloc_free(tok_cpy); + + if (strlen(slash + 1) > 2) { + mask = interpret_addr(slash + 1); + } else { + mask = (uint32_t)((ALLONES >> atoi(slash + 1)) ^ ALLONES); + /* convert to network byte order */ + mask = htonl(mask); + } + + if (net == INADDR_NONE || mask == INADDR_NONE) { + DEBUG(0,("access: bad net/mask access control: %s\n", tok)); + return False; + } + + return (addr & mask) == (net & mask); +} + +/* string_match - match string against token */ +static BOOL string_match(TALLOC_CTX *mem_ctx, const char *tok,const char *s, char *invalid_char) +{ + size_t tok_len; + size_t str_len; + const char *cut; + + *invalid_char = '\0'; + + /* Return True if a token has the magic value "ALL". Return + * FAIL if the token is "FAIL". If the token starts with a "." + * (domain name), return True if it matches the last fields of + * the string. If the token has the magic value "LOCAL", + * return True if the string does not contain a "." + * character. If the token ends on a "." (network number), + * return True if it matches the first fields of the + * string. If the token begins with a "@" (netgroup name), + * return True if the string is a (host) member of the + * netgroup. Return True if the token fully matches the + * string. If the token is a netnumber/netmask pair, return + * True if the address is a member of the specified subnet. 
+ */ + + if (tok[0] == '.') { /* domain: match last fields */ + if ((str_len = strlen(s)) > (tok_len = strlen(tok)) + && strcasecmp(tok, s + str_len - tok_len)==0) { + return True; + } + } else if (tok[0] == '@') { /* netgroup: look it up */ + DEBUG(0,("access: netgroup support is not available\n")); + return False; + } else if (strcmp(tok, "ALL")==0) { /* all: match any */ + return True; + } else if (strcmp(tok, "FAIL")==0) { /* fail: match any */ + return FAIL; + } else if (strcmp(tok, "LOCAL")==0) { /* local: no dots */ + if (strchr(s, '.') == 0 && strcasecmp(s, "unknown") != 0) { + return True; + } + } else if (strcasecmp(tok, s)==0) { /* match host name or address */ + return True; + } else if (tok[(tok_len = strlen(tok)) - 1] == '.') { /* network */ + if (strncmp(tok, s, tok_len) == 0) + return True; + } else if ((cut = strchr(tok, '/')) != 0) { /* netnumber/netmask */ + if (isdigit((int)s[0]) && masked_match(mem_ctx, tok, cut, s)) + return True; + } else if (strchr(tok, '*') != 0) { + *invalid_char = '*'; + } else if (strchr(tok, '?') != 0) { + *invalid_char = '?'; + } + return False; +} + +struct client_addr { + const char *cname; + const char *caddr; +}; + +/* client_match - match host name and address against token */ +static BOOL client_match(TALLOC_CTX *mem_ctx, const char *tok, struct client_addr *client) +{ + BOOL match; + char invalid_char = '\0'; + + /* + * Try to match the address first. If that fails, try to match the host + * name if available. 
+ */ + + if ((match = string_match(mem_ctx, tok, client->caddr, &invalid_char)) == 0) { + if(invalid_char) + DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \ +token '%s' in an allow/deny hosts line.\n", invalid_char, tok )); + + if (client->cname[0] != 0) + match = string_match(mem_ctx, tok, client->cname, &invalid_char); + + if(invalid_char) + DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \ +token '%s' in an allow/deny hosts line.\n", invalid_char, tok )); + } + + return (match); +} + +/* list_match - match an item against a list of tokens with exceptions */ +static BOOL list_match(TALLOC_CTX *mem_ctx, const char **list, struct client_addr *client) +{ + BOOL match = False; + + if (!list) + return False; + + /* + * Process tokens one at a time. We have exhausted all possible matches + * when we reach an "EXCEPT" token or the end of the list. If we do find + * a match, look for an "EXCEPT" list and recurse to determine whether + * the match is affected by any exceptions. + */ + + for (; *list ; list++) { + if (strcmp(*list, "EXCEPT")==0) /* EXCEPT: give up */ + break; + if ((match = client_match(mem_ctx, *list, client))) /* True or FAIL */ + break; + } + + /* Process exceptions to True or FAIL matches. */ + if (match != False) { + while (*list && strcmp(*list, "EXCEPT")!=0) + list++; + + for (; *list; list++) { + if (client_match(mem_ctx, *list, client)) /* Exception Found */ + return False; + } + } + + return match; +} + +/* return true if access should be allowed */ +static BOOL allow_access_internal(TALLOC_CTX *mem_ctx, + const char **deny_list,const char **allow_list, + const char *cname, const char *caddr) +{ + struct client_addr client; + + client.cname = cname; + client.caddr = caddr; + + /* if it is loopback then always allow unless specifically denied */ + if (strcmp(caddr, "127.0.0.1") == 0) { + /* + * If 127.0.0.1 matches both allow and deny then allow. 
+ * Patch from Steve Langasek vorlon@netexpress.net. + */ + if (deny_list && + list_match(mem_ctx, deny_list, &client) && + (!allow_list || + !list_match(mem_ctx, allow_list, &client))) { + return False; + } + return True; + } + + /* if theres no deny list and no allow list then allow access */ + if ((!deny_list || *deny_list == 0) && + (!allow_list || *allow_list == 0)) { + return True; + } + + /* if there is an allow list but no deny list then allow only hosts + on the allow list */ + if (!deny_list || *deny_list == 0) + return list_match(mem_ctx, allow_list, &client); + + /* if theres a deny list but no allow list then allow + all hosts not on the deny list */ + if (!allow_list || *allow_list == 0) + return !list_match(mem_ctx, deny_list, &client); + + /* if there are both types of list then allow all hosts on the + allow list */ + if (list_match(mem_ctx, allow_list, &client)) + return True; + + /* if there are both types of list and it's not on the allow then + allow it if its not on the deny */ + if (list_match(mem_ctx, deny_list, &client)) + return False; + + return True; +} + +/* return true if access should be allowed */ +static BOOL allow_access(TALLOC_CTX *mem_ctx, + const char **deny_list, const char **allow_list, + const char *cname, const char *caddr) +{ + BOOL ret; + char *nc_cname = talloc_strdup(mem_ctx, cname); + char *nc_caddr = talloc_strdup(mem_ctx, caddr); + + if (!nc_cname || !nc_caddr) { + return False; + } + + ret = allow_access_internal(mem_ctx, deny_list, allow_list, nc_cname, nc_caddr); + + talloc_free(nc_cname); + talloc_free(nc_caddr); + + return ret; +} + +/* return true if the char* contains ip addrs only. 
Used to avoid +gethostbyaddr() calls */ + +static BOOL only_ipaddrs_in_list(const char** list) +{ + BOOL only_ip = True; + + if (!list) + return True; + + for (; *list ; list++) { + /* factor out the special strings */ + if (strcmp(*list, "ALL")==0 || + strcmp(*list, "FAIL")==0 || + strcmp(*list, "EXCEPT")==0) { + continue; + } + + if (!is_ipaddress(*list)) { + /* + * if we failed, make sure that it was not because the token + * was a network/netmask pair. Only network/netmask pairs + * have a '/' in them + */ + if ((strchr(*list, '/')) == NULL) { + only_ip = False; + DEBUG(3,("only_ipaddrs_in_list: list has non-ip address (%s)\n", *list)); + break; + } + } + } + + return only_ip; +} + +/* return true if access should be allowed to a service for a socket */ +BOOL socket_check_access(struct socket_context *sock, + const char *service_name, + const char **allow_list, const char **deny_list) +{ + BOOL ret; + const char *name="", *addr; + TALLOC_CTX *mem_ctx; + + if ((!deny_list || *deny_list==0) && + (!allow_list || *allow_list==0)) { + return True; + } + + mem_ctx = talloc_init("socket_check_access"); + if (!mem_ctx) { + return False; + } + + addr = socket_get_peer_addr(sock, mem_ctx); + + /* bypass gethostbyaddr() calls if the lists only contain IP addrs */ + if (!only_ipaddrs_in_list(allow_list) || + !only_ipaddrs_in_list(deny_list)) { + name = socket_get_peer_name(sock, mem_ctx); + if (!name) { + name = addr; + } + } + + if (!addr) { + DEBUG(0,("socket_check_access: Denied connection from unknown host\n")); + talloc_free(mem_ctx); + return False; + } + + ret = allow_access(mem_ctx, deny_list, allow_list, name, addr); + + if (ret) { + DEBUG(2,("socket_check_access: Allowed connection to '%s' from %s (%s)\n", + service_name, name, addr)); + } else { + DEBUG(0,("socket_check_access: Denied connection to '%s' from %s (%s)\n", + service_name, name, addr)); + } + + talloc_free(mem_ctx); + + return ret; +} -- cgit 
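Review bot: In masked_match the prefix-length branch trusts `atoi(slash + 1)` without bounds: a truncated token such as `10.0.0.0/` (empty suffix) gives `(ALLONES >> 0) ^ ALLONES`, i.e. a mask of 0 that matches every address, so a typo in "hosts allow" silently admits all hosts, and any prefix of 32 or more shifts a uint32_t by its full width, which is undefined. Parse the prefix with strtol, reject anything outside 0..32 through the existing "bad net/mask" DEBUG path, and special-case 32 so no shift by 32 is executed; the rewritten branch is below. The `talloc_strdup` result a few lines earlier is also written through before it is checked, so `if (!tok_cpy) return False;` belongs before `tok_cpy[PTR_DIFF(slash,tok)] = '\0';`. Separately, in string_match the `tok[(tok_len = strlen(tok)) - 1]` test reads one byte before the buffer when tok is an empty string; whether the list parser can ever hand this code an empty token is not visible here.
```c
	tok_cpy = talloc_strdup(mem_ctx, tok);
	if (!tok_cpy) {
		return False;
	}
	tok_cpy[PTR_DIFF(slash,tok)] = '\0';
	/* … unchanged: net = interpret_addr(tok_cpy); talloc_free(tok_cpy); … */

	if (strlen(slash + 1) > 2) {
		mask = interpret_addr(slash + 1);
	} else {
		/* prefix length must be 0..32; a shift by 32 is undefined, so 32 is special-cased */
		char *end;
		long bits = strtol(slash + 1, &end, 10);
		if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32) {
			DEBUG(0,("access: bad net/mask access control: %s\n", tok));
			return False;
		}
		mask = (bits == 32) ? ALLONES : (uint32_t)((ALLONES >> bits) ^ ALLONES);
		/* convert to network byte order */
		mask = htonl(mask);
	}
	/* … unchanged: INADDR_NONE check and final comparison … */
```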
From 284349482f5293a9a23d0f72d7c2aab46b55843b Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 1 Nov 2004 22:48:25 +0000 Subject: r3443: the next stage in the include files re-organisation. I have created the include/system/ directory, which will contain the wrappers for the system includes for logical subsystems. So far I have created include/system/kerberos.h and include/system/network.h, which contain all the system includes for kerberos code and networking code. These are the included in subsystems that need kerberos or networking respectively. Note that this method avoids the mess of #ifdef HAVE_XXX_H in every C file, instead each C module includes the include/system/XXX.h file for the logical system support it needs, and the details are kept isolated in include/system/ This patch also creates a "struct ipv4_addr" which replaces "struct in_addr" in our code. That avoids every C file needing to import all the system networking headers. (This used to be commit 2e25c71853f8996f73755277e448e7d670810349) --- source4/lib/socket/access.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/lib/socket/access.c') diff --git a/source4/lib/socket/access.c b/source4/lib/socket/access.c index f33f8d56b1..f5093177dd 100644 --- a/source4/lib/socket/access.c +++ b/source4/lib/socket/access.c @@ -32,6 +32,7 @@ */ #include "includes.h" +#include "system/network.h" #define FAIL (-1) #define ALLONES ((uint32_t)0xFFFFFFFF) -- cgit From 26c6b4c70bd85d8030a96651f2a255a4d48fcda1 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 2 Nov 2004 01:42:45 +0000 Subject: r3449: more include file reduction the ldb part isn't ideal, I will have to think of a better solution (This used to be commit 6b1f86aea8427a8e957b1aeb0ec2f507297f07cb) --- source4/lib/socket/access.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/lib/socket/access.c') diff --git a/source4/lib/socket/access.c b/source4/lib/socket/access.c index f5093177dd..c90bf203dd 100644 
--- a/source4/lib/socket/access.c +++ b/source4/lib/socket/access.c @@ -33,6 +33,7 @@ #include "includes.h" #include "system/network.h" +#include "system/iconv.h" #define FAIL (-1) #define ALLONES ((uint32_t)0xFFFFFFFF) -- cgit From bed7c9ec32b7d4083ba4ed2abbf3b6126bee7a25 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 10 Feb 2005 06:59:29 +0000 Subject: r5304: removed lib/socket/socket.h from includes.h (This used to be commit b902ea546d2d1327b23f40ddaeeaa8e7e3662454) --- source4/lib/socket/access.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/lib/socket/access.c') diff --git a/source4/lib/socket/access.c b/source4/lib/socket/access.c index c90bf203dd..a64444d41c 100644 --- a/source4/lib/socket/access.c +++ b/source4/lib/socket/access.c @@ -34,6 +34,7 @@ #include "includes.h" #include "system/network.h" #include "system/iconv.h" +#include "lib/socket/socket.h" #define FAIL (-1) #define ALLONES ((uint32_t)0xFFFFFFFF) -- cgit From 37bc6b5f813d5c2ace7486a38331748dd86f121d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 6 Jan 2006 00:46:35 +0000 Subject: r12728: Revive testparm. It needs work to not dump defaults from loadparm.c, but otherwise it works. Andrew Bartlett (This used to be commit 1260fcf46579d708a406625f548add9be9fdc6fb) --- source4/lib/socket/access.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/lib/socket/access.c') diff --git a/source4/lib/socket/access.c b/source4/lib/socket/access.c index a64444d41c..1d0a90f1ee 100644 --- a/source4/lib/socket/access.c +++ b/source4/lib/socket/access.c 
@@ -249,9 +249,9 @@ static BOOL allow_access_internal(TALLOC_CTX *mem_ctx, } /* return true if access should be allowed */ -static BOOL allow_access(TALLOC_CTX *mem_ctx, - const char **deny_list, const char **allow_list, - const char *cname, const char *caddr) +BOOL allow_access(TALLOC_CTX *mem_ctx, + const char **deny_list, const char **allow_list, + const char *cname, const char *caddr) { BOOL ret; char *nc_cname = talloc_strdup(mem_ctx, cname); -- cgit From f55ea8bb3dca868e21663cd90eaea7a35cd7886c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 9 Jan 2006 22:12:53 +0000 Subject: r12804: This patch reworks the Samba4 sockets layer to use a socket_address structure that is more generic than just 'IP/port'. It now passes make test, and has been reviewed and updated by metze. (Thankyou *very* much). This passes 'make test' as well as kerberos use (not currently in the testsuite). The original purpose of this patch was to have Samba able to pass a socket address stucture from the BSD layer into the kerberos routines and back again. It also removes nbt_peer_addr, which was being used for a similar purpose. It is a large change, but worthwhile I feel. Andrew Bartlett (This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2) --- source4/lib/socket/access.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'source4/lib/socket/access.c') diff --git a/source4/lib/socket/access.c b/source4/lib/socket/access.c index 1d0a90f1ee..8e57ca5aff 100644 --- a/source4/lib/socket/access.c +++ b/source4/lib/socket/access.c @@ -310,7 +310,8 @@ BOOL socket_check_access(struct socket_context *sock, const char **allow_list, const char **deny_list) { BOOL ret; - const char *name="", *addr; + const char *name=""; + struct socket_address *addr; TALLOC_CTX *mem_ctx; if ((!deny_list || *deny_list==0) && 
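Review bot: `allow_access` becomes an external symbol here but gets no header comment stating its contract, and because this log is filtered to access.c it is not visible whether a prototype is added to a header alongside; if none is, callers compile against an implicit declaration. Since the function is now public, document the two facts the body already guarantees: the deny/allow arguments are NULL-terminated token arrays that may themselves be NULL, and the function returns False (deny) when either `talloc_strdup` fails, so it fails closed. For example `/* allow_access: apply "hosts deny"/"hosts allow" token lists to a client name and address; returns False (deny) if the name or address cannot be duplicated. */`. The name is also very generic for a tree-wide symbol; a `socket_` prefix would match `socket_check_access` in the same file. The body of allow_access continues past the end of this hunk.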
@@ -324,13 +325,18 @@ BOOL socket_check_access(struct socket_context *sock, } addr = socket_get_peer_addr(sock, mem_ctx); + if (!addr) { + DEBUG(0,("socket_check_access: Denied connection from unknown host: could not get peer address from kernel\n")); + talloc_free(mem_ctx); + return False; + } /* bypass gethostbyaddr() calls if the lists only contain IP addrs */ if (!only_ipaddrs_in_list(allow_list) || !only_ipaddrs_in_list(deny_list)) { name = socket_get_peer_name(sock, mem_ctx); if (!name) { - name = addr; + name = addr->addr; } } @@ -340,14 +346,14 @@ BOOL socket_check_access(struct socket_context *sock, return False; } - ret = allow_access(mem_ctx, deny_list, allow_list, name, addr); + ret = allow_access(mem_ctx, deny_list, allow_list, name, addr->addr); if (ret) { DEBUG(2,("socket_check_access: Allowed connection to '%s' from %s (%s)\n", - service_name, name, addr)); + service_name, name, addr->addr)); } else { DEBUG(0,("socket_check_access: Denied connection to '%s' from %s (%s)\n", - service_name, name, addr)); + service_name, name, addr->addr)); } talloc_free(mem_ctx); -- cgit From 172a83d72491f90f6191be1040ef8b2e1789bd2e Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 13 May 2006 19:14:12 +0000 Subject: r15573: Fix build of systems that have iconv headers in non-standard locations Split of system/locale.h header from system/iconv.h Previously, iconv wasn't being used on these systems (This used to be commit aa6d66fda69779d1c2948a1aca85dbd5208f1cba) --- source4/lib/socket/access.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/lib/socket/access.c') diff --git a/source4/lib/socket/access.c b/source4/lib/socket/access.c index 8e57ca5aff..dcad89e3a9 100644 --- a/source4/lib/socket/access.c +++ b/source4/lib/socket/access.c 
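Review bot: The `if (!addr)` guard added directly after `socket_get_peer_addr` in the @@ -324 hunk makes the pre-existing second `if (!addr)` block, whose tail (`return False; }`) is the leading context of the @@ -340 hunk, unreachable; it should be removed in the same commit rather than left as dead code carrying a second "Denied connection from unknown host" message. The new code also dereferences `addr->addr` for the name fallback and in both log lines without checking it; whether `socket_address.addr` can be NULL for some socket families is not visible here, so either confirm that it cannot or fold `|| !addr->addr` into the new guard so the function keeps failing closed.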
@@ -33,8 +33,8 @@ #include "includes.h" #include "system/network.h" -#include "system/iconv.h" #include "lib/socket/socket.h" +#include "system/locale.h" #define FAIL (-1) #define ALLONES ((uint32_t)0xFFFFFFFF) -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/lib/socket/access.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/lib/socket/access.c') diff --git a/source4/lib/socket/access.c b/source4/lib/socket/access.c index dcad89e3a9..2d228c7474 100644 --- a/source4/lib/socket/access.c +++ b/source4/lib/socket/access.c @@ -7,7 +7,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -16,8 +16,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ -- cgit From 719a4ae0d32ab9ba817fd01f2b8f4cba220a8c60 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 5 Oct 2007 18:03:01 +0000 Subject: r25522: Convert to standard bool types. (This used to be commit 5e814287ba475e12f8cc934fdd09b199dcdfdb86) --- source4/lib/socket/access.c | 96 ++++++++++++++++++++++----------------------- 1 file changed, 48 insertions(+), 48 deletions(-) (limited to 'source4/lib/socket/access.c') 
diff --git a/source4/lib/socket/access.c b/source4/lib/socket/access.c index 2d228c7474..42c42db365 100644 --- a/source4/lib/socket/access.c +++ b/source4/lib/socket/access.c @@ -39,7 +39,7 @@ #define ALLONES ((uint32_t)0xFFFFFFFF) /* masked_match - match address against netnumber/netmask */ -static BOOL masked_match(TALLOC_CTX *mem_ctx, const char *tok, const char *slash, const char *s) +static bool masked_match(TALLOC_CTX *mem_ctx, const char *tok, const char *slash, const char *s) { uint32_t net; uint32_t mask; @@ -47,7 +47,7 @@ static BOOL masked_match(TALLOC_CTX *mem_ctx, const char *tok, const char *slash char *tok_cpy; if ((addr = interpret_addr(s)) == INADDR_NONE) - return False; + return false; tok_cpy = talloc_strdup(mem_ctx, tok); tok_cpy[PTR_DIFF(slash,tok)] = '\0'; @@ -64,14 +64,14 @@ static BOOL masked_match(TALLOC_CTX *mem_ctx, const char *tok, const char *slash if (net == INADDR_NONE || mask == INADDR_NONE) { DEBUG(0,("access: bad net/mask access control: %s\n", tok)); - return False; + return false; } return (addr & mask) == (net & mask); } /* string_match - match string against token */ -static BOOL string_match(TALLOC_CTX *mem_ctx, const char *tok,const char *s, char *invalid_char) +static bool string_match(TALLOC_CTX *mem_ctx, const char *tok,const char *s, char *invalid_char) { size_t tok_len; size_t str_len; 
@@ -79,50 +79,50 @@ static BOOL string_match(TALLOC_CTX *mem_ctx, const char *tok,const char *s, cha *invalid_char = '\0'; - /* Return True if a token has the magic value "ALL". Return + /* Return true if a token has the magic value "ALL". Return * FAIL if the token is "FAIL". If the token starts with a "." - * (domain name), return True if it matches the last fields of + * (domain name), return true if it matches the last fields of * the string. If the token has the magic value "LOCAL", - * return True if the string does not contain a "." + * return true if the string does not contain a "." * character. If the token ends on a "." (network number), - * return True if it matches the first fields of the + * return true if it matches the first fields of the * string. If the token begins with a "@" (netgroup name), - * return True if the string is a (host) member of the - * netgroup. Return True if the token fully matches the + * return true if the string is a (host) member of the + * netgroup. Return true if the token fully matches the * string. If the token is a netnumber/netmask pair, return - * True if the address is a member of the specified subnet. + * true if the address is a member of the specified subnet. 
*/ if (tok[0] == '.') { /* domain: match last fields */ if ((str_len = strlen(s)) > (tok_len = strlen(tok)) && strcasecmp(tok, s + str_len - tok_len)==0) { - return True; + return true; } } else if (tok[0] == '@') { /* netgroup: look it up */ DEBUG(0,("access: netgroup support is not available\n")); - return False; + return false; } else if (strcmp(tok, "ALL")==0) { /* all: match any */ - return True; + return true; } else if (strcmp(tok, "FAIL")==0) { /* fail: match any */ return FAIL; } else if (strcmp(tok, "LOCAL")==0) { /* local: no dots */ if (strchr(s, '.') == 0 && strcasecmp(s, "unknown") != 0) { - return True; + return true; } } else if (strcasecmp(tok, s)==0) { /* match host name or address */ - return True; + return true; } else if (tok[(tok_len = strlen(tok)) - 1] == '.') { /* network */ if (strncmp(tok, s, tok_len) == 0) - return True; + return true; } else if ((cut = strchr(tok, '/')) != 0) { /* netnumber/netmask */ if (isdigit((int)s[0]) && masked_match(mem_ctx, tok, cut, s)) - return True; + return true; } else if (strchr(tok, '*') != 0) { *invalid_char = '*'; } else if (strchr(tok, '?') != 0) { *invalid_char = '?'; } - return False; + return false; } struct client_addr { @@ -131,9 +131,9 @@ struct client_addr { }; /* client_match - match host name and address against token */ -static BOOL client_match(TALLOC_CTX *mem_ctx, const char *tok, struct client_addr *client) +static bool client_match(TALLOC_CTX *mem_ctx, const char *tok, struct client_addr *client) { - BOOL match; + bool match; char invalid_char = '\0'; /* 
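Review bot: `string_match` is now declared `bool` yet still contains `return FAIL;` (FAIL is defined as `-1`); with a C99 `bool` the -1 converts to `true`, so the value is indistinguishable from the "ALL" result, and the `/* true or FAIL */` and `match != false` lines in list_match in the following hunk describe a three-state return that no longer exists. Since every caller already treated FAIL as a match, make that explicit: `return true;` with a comment `/* FAIL: deprecated tcpd token, treated like ALL */`, and drop the FAIL define if nothing else uses it.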
@@ -158,12 +158,12 @@ token '%s' in an allow/deny hosts line.\n", invalid_char, tok )); } /* list_match - match an item against a list of tokens with exceptions */ -static BOOL list_match(TALLOC_CTX *mem_ctx, const char **list, struct client_addr *client) +static bool list_match(TALLOC_CTX *mem_ctx, const char **list, struct client_addr *client) { - BOOL match = False; + bool match = false; if (!list) - return False; + return false; /* * Process tokens one at a time. We have exhausted all possible matches @@ -175,18 +175,18 @@ static BOOL list_match(TALLOC_CTX *mem_ctx, const char **list, struct client_add for (; *list ; list++) { if (strcmp(*list, "EXCEPT")==0) /* EXCEPT: give up */ break; - if ((match = client_match(mem_ctx, *list, client))) /* True or FAIL */ + if ((match = client_match(mem_ctx, *list, client))) /* true or FAIL */ break; } - /* Process exceptions to True or FAIL matches. */ - if (match != False) { + /* Process exceptions to true or FAIL matches. */ + if (match != false) { while (*list && strcmp(*list, "EXCEPT")!=0) list++; for (; *list; list++) { if (client_match(mem_ctx, *list, client)) /* Exception Found */ - return False; + return false; } } @@ -194,7 +194,7 @@ static BOOL list_match(TALLOC_CTX *mem_ctx, const char **list, struct client_add } /* return true if access should be allowed */ -static BOOL allow_access_internal(TALLOC_CTX *mem_ctx, +static bool allow_access_internal(TALLOC_CTX *mem_ctx, const char **deny_list,const char **allow_list, const char *cname, const char *caddr) { 
@@ -213,15 +213,15 @@ static BOOL allow_access_internal(TALLOC_CTX *mem_ctx, list_match(mem_ctx, deny_list, &client) && (!allow_list || !list_match(mem_ctx, allow_list, &client))) { - return False; + return false; } - return True; + return true; } /* if theres no deny list and no allow list then allow access */ if ((!deny_list || *deny_list == 0) && (!allow_list || *allow_list == 0)) { - return True; + return true; } /* if there is an allow list but no deny list then allow only hosts @@ -237,27 +237,27 @@ static BOOL allow_access_internal(TALLOC_CTX *mem_ctx, /* if there are both types of list then allow all hosts on the allow list */ if (list_match(mem_ctx, allow_list, &client)) - return True; + return true; /* if there are both types of list and it's not on the allow then allow it if its not on the deny */ if (list_match(mem_ctx, deny_list, &client)) - return False; + return false; - return True; + return true; } /* return true if access should be allowed */ -BOOL allow_access(TALLOC_CTX *mem_ctx, +bool allow_access(TALLOC_CTX *mem_ctx, const char **deny_list, const char **allow_list, const char *cname, const char *caddr) { - BOOL ret; + bool ret; char *nc_cname = talloc_strdup(mem_ctx, cname); char *nc_caddr = talloc_strdup(mem_ctx, caddr); if (!nc_cname || !nc_caddr) { - return False; + return false; } ret = allow_access_internal(mem_ctx, deny_list, allow_list, nc_cname, nc_caddr); @@ -271,12 +271,12 @@ BOOL allow_access(TALLOC_CTX *mem_ctx, /* return true if the char* contains ip addrs only. Used to avoid gethostbyaddr() calls */ -static BOOL only_ipaddrs_in_list(const char** list) +static bool only_ipaddrs_in_list(const char** list) { - BOOL only_ip = True; + bool only_ip = true; if (!list) - return True; + return true; for (; *list ; list++) { /* factor out the special strings */ 
@@ -293,7 +293,7 @@ static BOOL only_ipaddrs_in_list(const char** list) * have a '/' in them */ if ((strchr(*list, '/')) == NULL) { - only_ip = False; + only_ip = false; DEBUG(3,("only_ipaddrs_in_list: list has non-ip address (%s)\n", *list)); break; } @@ -304,30 +304,30 @@ static BOOL only_ipaddrs_in_list(const char** list) } /* return true if access should be allowed to a service for a socket */ -BOOL socket_check_access(struct socket_context *sock, +bool socket_check_access(struct socket_context *sock, const char *service_name, const char **allow_list, const char **deny_list) { - BOOL ret; + bool ret; const char *name=""; struct socket_address *addr; TALLOC_CTX *mem_ctx; if ((!deny_list || *deny_list==0) && (!allow_list || *allow_list==0)) { - return True; + return true; } mem_ctx = talloc_init("socket_check_access"); if (!mem_ctx) { - return False; + return false; } addr = socket_get_peer_addr(sock, mem_ctx); if (!addr) { DEBUG(0,("socket_check_access: Denied connection from unknown host: could not get peer address from kernel\n")); talloc_free(mem_ctx); - return False; + return false; } /* bypass gethostbyaddr() calls if the lists only contain IP addrs */ @@ -342,7 +342,7 @@ BOOL socket_check_access(struct socket_context *sock, if (!addr) { DEBUG(0,("socket_check_access: Denied connection from unknown host\n")); talloc_free(mem_ctx); - return False; + return false; } ret = allow_access(mem_ctx, deny_list, allow_list, name, addr->addr); -- cgit