Provide an option to make the KDC also listen on loopback interfaces for
datagram requests. Adds an internal symbol to libkrb5 which the KDC
needs if listening on loopback is enabled.
The default might be better changed from FALSE to TRUE so that the
default matches what we do with stream sockets.
FIXME: doesn't add documentation anywhere.
diff -up src/include/foreachaddr.h src/include/foreachaddr.h
--- src/include/foreachaddr.h 2004-05-05 18:44:46.000000000 -0400
+++ src/include/foreachaddr.h 2008-04-04 15:39:28.000000000 -0400
@@ -62,3 +62,18 @@ krb5int_foreach_localaddr (/*@null@*/ vo
;
#define foreach_localaddr krb5int_foreach_localaddr
+
+extern int
+krb5int_foreach_localaddr_ext (/*@null@*/ void *data,
+ int (*pass1fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/,
+ /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
+#if defined(DEBUG) || defined(TEST)
+ /*@modifies fileSystem@*/
+#endif
+ ;
+
+#define foreach_localaddr_ext krb5int_foreach_localaddr_ext
diff -up src/kdc/kdc_util.h src/kdc/kdc_util.h
--- src/kdc/kdc_util.h 2008-04-04 16:28:18.000000000 -0400
+++ src/kdc/kdc_util.h 2008-04-04 16:51:27.000000000 -0400
@@ -126,6 +126,7 @@ krb5_error_code kdc_initialize_rcache (k
krb5_error_code setup_server_realm (krb5_principal);
/* network.c */
+void process_listen_loopback (krb5_boolean);
krb5_error_code listen_and_process (const char *);
krb5_error_code setup_network (const char *);
krb5_error_code closedown_network (const char *);
diff -up src/kdc/main.c src/kdc/main.c
--- src/kdc/main.c 2008-04-04 16:22:43.000000000 -0400
+++ src/kdc/main.c 2008-04-04 16:55:22.000000000 -0400
@@ -422,6 +422,7 @@ initialize_realms(krb5_context kcontext,
krb5_enctype menctype = ENCTYPE_UNKNOWN;
kdc_realm_t *rdatap;
krb5_boolean manual = FALSE;
+ krb5_boolean listen_loopback = FALSE;
char *default_udp_ports = 0;
char *default_tcp_ports = 0;
krb5_pointer aprof;
@@ -448,6 +449,9 @@ initialize_realms(krb5_context kcontext,
if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &v4mode))
v4mode = 0;
#endif
+ hierarchy[1] = "kdc_listen_loopback";
+ if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, &listen_loopback))
+ listen_loopback = FALSE;
/* aprof_init can return 0 with aprof == NULL */
if (aprof)
krb5_aprof_finish(aprof);
@@ -587,6 +591,8 @@ initialize_realms(krb5_context kcontext,
free(v4mode);
#endif
+ process_listen_loopback(listen_loopback);
+
/*
* Check to see if we processed any realms.
*/
diff -up src/kdc/network.c src/kdc/network.c
--- src/kdc/network.c 2008-04-04 15:39:28.000000000 -0400
+++ src/kdc/network.c 2008-04-04 16:51:44.000000000 -0400
@@ -221,6 +221,7 @@ static SET(u_short) udp_port_data, tcp_p
#include "cm.h"
static struct select_state sstate;
+static krb5_boolean listen_loopback;
static krb5_error_code add_udp_port(int port)
{
@@ -604,6 +605,12 @@ scan_for_newlines:
}
#endif
+void
+process_listen_loopback(krb5_boolean listen_loop)
+{
+ listen_loopback = listen_loop;
+}
+
/* XXX */
extern int krb5int_debug_sendto_kdc;
extern void (*krb5int_sendtokdc_debug_handler)(const void*, size_t);
@@ -662,7 +669,9 @@ setup_network(const char *prog)
so we might need only one UDP socket; fall back to binding
sockets on each address only if IPV6_PKTINFO isn't
supported. */
- if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
+ if (listen_loopback ?
+ foreach_localaddr_ext (&setup_data, setup_udp_port, 0, 0, 0) :
+ foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
return setup_data.retval;
}
setup_tcp_listener_ports(&setup_data);
diff -up src/lib/krb5/os/localaddr.c src/lib/krb5/os/localaddr.c
--- src/lib/krb5/os/localaddr.c 2005-04-13 12:55:43.000000000 -0400
+++ src/lib/krb5/os/localaddr.c 2008-04-04 15:39:28.000000000 -0400
@@ -242,6 +242,17 @@ addr_eq (const struct sockaddr *s1, cons
}
#endif
+static krb5_boolean
+skip_loopback (struct sockaddr *addr, int flags)
+{
+#ifdef IFF_LOOPBACK
+ if (flags & IFF_LOOPBACK) {
+ return TRUE;
+ }
+#endif
+ return FALSE;
+}
+
#ifndef HAVE_IFADDRS_H
/*@-usereleased@*/ /* lclint doesn't understand realloc */
static /*@null@*/ void *
@@ -413,14 +424,27 @@ get_linux_ipv6_addrs ()
indication, it should do it via some field pointed to by the DATA
argument. */
-#ifdef HAVE_IFADDRS_H
-
int
foreach_localaddr (/*@null@*/ void *data,
int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
/*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
/*@null@*/ int (*pass2fn) (/*@null@*/ void *,
struct sockaddr *) /*@*/)
+{
+ return foreach_localaddr_ext(data, pass1fn,
+ &skip_loopback, betweenfn,
+ pass2fn);
+}
+
+#ifdef HAVE_IFADDRS_H
+
+int
+foreach_localaddr_ext (/*@null@*/ void *data,
+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
+ /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
#if defined(DEBUG) || defined(TEST)
/*@modifies fileSystem@*/
#endif
@@ -436,7 +460,7 @@ foreach_localaddr (/*@null@*/ void *data
#endif
if ((ifp->ifa_flags & IFF_UP) == 0)
continue;
- if (ifp->ifa_flags & IFF_LOOPBACK) {
+ if (skipfn && (*skipfn)(ifp->ifa_addr, ifp->ifa_flags)) {
/* Pretend it's not up, so the second pass will skip
it. */
ifp->ifa_flags &= ~IFF_UP;
@@ -459,7 +483,7 @@ foreach_localaddr (/*@null@*/ void *data
for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) {
if ((ifp2->ifa_flags & IFF_UP) == 0)
continue;
- if (ifp2->ifa_flags & IFF_LOOPBACK)
+ if (skipfn && (*skipfn)(ifp2->ifa_addr, ifp2->ifa_flags))
continue;
if (addr_eq (ifp->ifa_addr, ifp2->ifa_addr)) {
match = 1;
@@ -488,11 +512,12 @@ foreach_localaddr (/*@null@*/ void *data
#elif defined (SIOCGLIFNUM) && defined(HAVE_STRUCT_LIFCONF) /* Solaris 8 and later; Sol 7? */
int
-foreach_localaddr (/*@null@*/ void *data,
- int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
- /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
- /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
- struct sockaddr *) /*@*/)
+foreach_localaddr_ext (/*@null@*/ void *data,
+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
+ /*@null@*/ int (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
#if defined(DEBUG) || defined(TEST)
/*@modifies fileSystem@*/
#endif
@@ -583,13 +608,12 @@ foreach_localaddr (/*@null@*/ void *data
}
/*@=moduncon@*/
-#ifdef IFF_LOOPBACK
- /* None of the current callers want loopback addresses. */
- if (lifreq.lifr_flags & IFF_LOOPBACK) {
- Tprintf ((" loopback\n"));
+ if (skipfn && (*skipfn)(lifreq.lifr_addr, lifreq.lifr_flags))
+ if (skipfn && (skipfn == &skip_loopback))
+ Tprintf ((" loopback\n"));
goto skip;
}
-#endif
+
/* Ignore interfaces that are down. */
if ((lifreq.lifr_flags & IFF_UP) == 0) {
Tprintf ((" down\n"));
@@ -755,13 +779,12 @@ foreach_localaddr (/*@null@*/ void *data
}
/*@=moduncon@*/
-#ifdef IFF_LOOPBACK
/* None of the current callers want loopback addresses. */
- if (lifreq.iflr_flags & IFF_LOOPBACK) {
- Tprintf ((" loopback\n"));
+ if (skipfn && (*skipfn)(ifp2->ifa_addr, lifreq.lifr_flags))
+ if (skipfn && (skipfn == &skip_loopback))
+ Tprintf ((" loopback\n"));
goto skip;
}
-#endif
/* Ignore interfaces that are down. */
if ((lifreq.iflr_flags & IFF_UP) == 0) {
Tprintf ((" down\n"));
@@ -971,13 +994,12 @@ foreach_localaddr (/*@null@*/ void *data
}
/*@=moduncon@*/
-#ifdef IFF_LOOPBACK
- /* None of the current callers want loopback addresses. */
- if (ifreq.ifr_flags & IFF_LOOPBACK) {
- Tprintf ((" loopback\n"));
+ if (skipfn && (*skipfn)(NULL, ifreq.ifr_flags))
+ if (skipfn && (skipfn == &skip_loopback))
+ Tprintf ((" loopback\n"));
goto skip;
}
-#endif
+
/* Ignore interfaces that are down. */
if ((ifreq.ifr_flags & IFF_UP) == 0) {
Tprintf ((" down\n"));