1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
|
Provide an option to make the KDC also listen on loopback interfaces for
datagram requests. Adds an internal symbol to libkrb5 which the KDC
needs if listening on loopback is enabled.
The default might be better changed from FALSE to TRUE so that the
default matches what we do with stream sockets.
FIXME: doesn't add documentation anywhere.
diff -up src/include/foreachaddr.h src/include/foreachaddr.h
--- src/include/foreachaddr.h 2004-05-05 18:44:46.000000000 -0400
+++ src/include/foreachaddr.h 2008-04-04 15:39:28.000000000 -0400
@@ -62,3 +62,18 @@ krb5int_foreach_localaddr (/*@null@*/ vo
;
#define foreach_localaddr krb5int_foreach_localaddr
+
+extern int
+krb5int_foreach_localaddr_ext (/*@null@*/ void *data,
+ int (*pass1fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/,
+ /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
+#if defined(DEBUG) || defined(TEST)
+ /*@modifies fileSystem@*/
+#endif
+ ;
+
+#define foreach_localaddr_ext krb5int_foreach_localaddr_ext
diff -up src/kdc/kdc_util.h src/kdc/kdc_util.h
--- src/kdc/kdc_util.h 2008-04-04 16:28:18.000000000 -0400
+++ src/kdc/kdc_util.h 2008-04-04 16:51:27.000000000 -0400
@@ -126,6 +126,7 @@ krb5_error_code kdc_initialize_rcache (k
krb5_error_code setup_server_realm (krb5_principal);
/* network.c */
+void process_listen_loopback (krb5_boolean);
krb5_error_code listen_and_process (const char *);
krb5_error_code setup_network (const char *);
krb5_error_code closedown_network (const char *);
diff -up src/kdc/main.c src/kdc/main.c
--- src/kdc/main.c 2008-04-04 16:22:43.000000000 -0400
+++ src/kdc/main.c 2008-04-04 16:55:22.000000000 -0400
@@ -422,6 +422,7 @@ initialize_realms(krb5_context kcontext,
krb5_enctype menctype = ENCTYPE_UNKNOWN;
kdc_realm_t *rdatap;
krb5_boolean manual = FALSE;
+ krb5_boolean listen_loopback = FALSE;
char *default_udp_ports = 0;
char *default_tcp_ports = 0;
krb5_pointer aprof;
@@ -448,6 +449,9 @@ initialize_realms(krb5_context kcontext,
if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &v4mode))
v4mode = 0;
#endif
+ hierarchy[1] = "kdc_listen_loopback";
+ if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, &listen_loopback))
+ listen_loopback = FALSE;
/* aprof_init can return 0 with aprof == NULL */
if (aprof)
krb5_aprof_finish(aprof);
@@ -587,6 +591,8 @@ initialize_realms(krb5_context kcontext,
free(v4mode);
#endif
+ process_listen_loopback(listen_loopback);
+
/*
* Check to see if we processed any realms.
*/
diff -up src/kdc/network.c src/kdc/network.c
--- src/kdc/network.c 2008-04-04 15:39:28.000000000 -0400
+++ src/kdc/network.c 2008-04-04 16:51:44.000000000 -0400
@@ -221,6 +221,7 @@ static SET(u_short) udp_port_data, tcp_p
#include "cm.h"
static struct select_state sstate;
+static krb5_boolean listen_loopback;
static krb5_error_code add_udp_port(int port)
{
@@ -604,6 +605,12 @@ scan_for_newlines:
}
#endif
+void
+process_listen_loopback(krb5_boolean listen_loop)
+{
+ listen_loopback = listen_loop;
+}
+
/* XXX */
extern int krb5int_debug_sendto_kdc;
extern void (*krb5int_sendtokdc_debug_handler)(const void*, size_t);
@@ -662,7 +669,9 @@ setup_network(const char *prog)
so we might need only one UDP socket; fall back to binding
sockets on each address only if IPV6_PKTINFO isn't
supported. */
- if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
+ if (listen_loopback ?
+ foreach_localaddr_ext (&setup_data, setup_udp_port, 0, 0, 0) :
+ foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
return setup_data.retval;
}
setup_tcp_listener_ports(&setup_data);
diff -up src/lib/krb5/os/localaddr.c src/lib/krb5/os/localaddr.c
--- src/lib/krb5/os/localaddr.c 2005-04-13 12:55:43.000000000 -0400
+++ src/lib/krb5/os/localaddr.c 2008-04-04 15:39:28.000000000 -0400
@@ -242,6 +242,17 @@ addr_eq (const struct sockaddr *s1, cons
}
#endif
+static krb5_boolean
+skip_loopback (struct sockaddr *addr, int flags)
+{
+#ifdef IFF_LOOPBACK
+ if (flags & IFF_LOOPBACK) {
+ return TRUE;
+ }
+#endif
+ return FALSE;
+}
+
#ifndef HAVE_IFADDRS_H
/*@-usereleased@*/ /* lclint doesn't understand realloc */
static /*@null@*/ void *
@@ -413,14 +424,27 @@ get_linux_ipv6_addrs ()
indication, it should do it via some field pointed to by the DATA
argument. */
-#ifdef HAVE_IFADDRS_H
-
int
foreach_localaddr (/*@null@*/ void *data,
int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
/*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
/*@null@*/ int (*pass2fn) (/*@null@*/ void *,
struct sockaddr *) /*@*/)
+{
+ return foreach_localaddr_ext(data, pass1fn,
+ &skip_loopback, betweenfn,
+ pass2fn);
+}
+
+#ifdef HAVE_IFADDRS_H
+
+int
+foreach_localaddr_ext (/*@null@*/ void *data,
+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
+ /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
#if defined(DEBUG) || defined(TEST)
/*@modifies fileSystem@*/
#endif
@@ -436,7 +460,7 @@ foreach_localaddr (/*@null@*/ void *data
#endif
if ((ifp->ifa_flags & IFF_UP) == 0)
continue;
- if (ifp->ifa_flags & IFF_LOOPBACK) {
+ if (skipfn && (*skipfn)(ifp->ifa_addr, ifp->ifa_flags)) {
/* Pretend it's not up, so the second pass will skip
it. */
ifp->ifa_flags &= ~IFF_UP;
@@ -459,7 +483,7 @@ foreach_localaddr (/*@null@*/ void *data
for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) {
if ((ifp2->ifa_flags & IFF_UP) == 0)
continue;
- if (ifp2->ifa_flags & IFF_LOOPBACK)
+ if (skipfn && (*skipfn)(ifp2->ifa_addr, ifp2->ifa_flags))
continue;
if (addr_eq (ifp->ifa_addr, ifp2->ifa_addr)) {
match = 1;
@@ -488,11 +512,12 @@ foreach_localaddr (/*@null@*/ void *data
#elif defined (SIOCGLIFNUM) && defined(HAVE_STRUCT_LIFCONF) /* Solaris 8 and later; Sol 7? */
int
-foreach_localaddr (/*@null@*/ void *data,
- int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
- /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
- /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
- struct sockaddr *) /*@*/)
+foreach_localaddr_ext (/*@null@*/ void *data,
+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
+ /*@null@*/ int (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
#if defined(DEBUG) || defined(TEST)
/*@modifies fileSystem@*/
#endif
@@ -583,13 +608,12 @@ foreach_localaddr (/*@null@*/ void *data
}
/*@=moduncon@*/
-#ifdef IFF_LOOPBACK
- /* None of the current callers want loopback addresses. */
- if (lifreq.lifr_flags & IFF_LOOPBACK) {
- Tprintf ((" loopback\n"));
+ if (skipfn && (*skipfn)(lifreq.lifr_addr, lifreq.lifr_flags))
+ if (skipfn && (skipfn == &skip_loopback))
+ Tprintf ((" loopback\n"));
goto skip;
}
-#endif
+
/* Ignore interfaces that are down. */
if ((lifreq.lifr_flags & IFF_UP) == 0) {
Tprintf ((" down\n"));
@@ -755,13 +779,12 @@ foreach_localaddr (/*@null@*/ void *data
}
/*@=moduncon@*/
-#ifdef IFF_LOOPBACK
/* None of the current callers want loopback addresses. */
- if (lifreq.iflr_flags & IFF_LOOPBACK) {
- Tprintf ((" loopback\n"));
+ if (skipfn && (*skipfn)(ifp2->ifa_addr, lifreq.lifr_flags))
+ if (skipfn && (skipfn == &skip_loopback))
+ Tprintf ((" loopback\n"));
goto skip;
}
-#endif
/* Ignore interfaces that are down. */
if ((lifreq.iflr_flags & IFF_UP) == 0) {
Tprintf ((" down\n"));
@@ -971,13 +994,12 @@ foreach_localaddr (/*@null@*/ void *data
}
/*@=moduncon@*/
-#ifdef IFF_LOOPBACK
- /* None of the current callers want loopback addresses. */
- if (ifreq.ifr_flags & IFF_LOOPBACK) {
- Tprintf ((" loopback\n"));
+ if (skipfn && (*skipfn)(NULL, ifreq.ifr_flags))
+ if (skipfn && (skipfn == &skip_loopback))
+ Tprintf ((" loopback\n"));
goto skip;
}
-#endif
+
/* Ignore interfaces that are down. */
if ((ifreq.ifr_flags & IFF_UP) == 0) {
Tprintf ((" down\n"));
|
