Add "@netgroup" names to host matching.

diff --git a/NEWS.md b/NEWS.md
index 30a741288b5fc4839c9990ed242905177f709bb7..a545af1fdce455c1b5c3d30a84aa5ce04eb62282 100644 (file)
--- a/NEWS.md
+++ b/NEWS.md
@@ -25,6 +25,9 @@
    `--time-limit=MINS` option accepted as an alias for `--stop-after`).  This
    is an enhanced version of the time-limit patch from the patches repo.
 
    `--time-limit=MINS` option accepted as an alias for `--stop-after`).  This
    is an enhanced version of the time-limit patch from the patches repo.
 

+ - Added the ability to specify "@netgroup" names to the `hosts allow` and
+   `hosts deny` daemon parameters.
+

  - Added some compatibility code for HPE NonStop platforms.
 
 ### INTERNAL:
  - Added some compatibility code for HPE NonStop platforms.
 
 ### INTERNAL:

diff --git a/access.c b/access.c
index d7bf01ccab6f27ad93c2b703e8e2a54bd6af9680..39a7752a256f7cfd0a24203ab9ff3dd135d61306 100644 (file)
--- a/access.c
+++ b/access.c
@@ -34,6 +34,11 @@ static int match_hostname(const char **host_ptr, const char *addr, const char *t
        if (!host || !*host)
                return 0;
 
        if (!host || !*host)
                return 0;
 

+#ifdef HAVE_INNETGR
+       if (*tok == '@' && tok[1])
+               return innetgr(tok + 1, host, NULL, NULL);
+#endif
+

        /* First check if the reverse-DNS-determined hostname matches. */
        if (iwildmatch(tok, host))
                return 1;
        /* First check if the reverse-DNS-determined hostname matches. */
        if (iwildmatch(tok, host))
                return 1;

diff --git a/configure.ac b/configure.ac
index fac166c814771508955b2451e408280affe4040d..d96369624faa26e8037ca1af7b2a7f7b8f865c67 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -822,7 +822,7 @@ AC_FUNC_UTIME_NULL
 AC_FUNC_ALLOCA
 AC_CHECK_FUNCS(waitpid wait4 getcwd chown chmod lchmod mknod mkfifo \
     fchmod fstat ftruncate strchr readlink link utime utimes lutimes strftime \
 AC_FUNC_ALLOCA
 AC_CHECK_FUNCS(waitpid wait4 getcwd chown chmod lchmod mknod mkfifo \
     fchmod fstat ftruncate strchr readlink link utime utimes lutimes strftime \

-    chflags getattrlist mktime \
+    chflags getattrlist mktime innetgr \

     memmove lchown vsnprintf snprintf vasprintf asprintf setsid strpbrk \
     strlcat strlcpy strtol mallinfo getgroups setgroups geteuid getegid \
     setlocale setmode open64 lseek64 mkstemp64 mtrace va_copy __va_copy \
     memmove lchown vsnprintf snprintf vasprintf asprintf setsid strpbrk \
     strlcat strlcpy strtol mallinfo getgroups setgroups geteuid getegid \
     setlocale setmode open64 lseek64 mkstemp64 mtrace va_copy __va_copy \

diff --git a/rsyncd.conf.5.md b/rsyncd.conf.5.md
index 11f77cb01edb09af37895dd9c81be141f6dd032b..8b696b40750f3f38b2cdc43920a062b5b47ea812 100644 (file)
--- a/rsyncd.conf.5.md
+++ b/rsyncd.conf.5.md
@@ -685,7 +685,7 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
     client's hostname and IP address.  If none of the patterns match, then the
     connection is rejected.
 
     client's hostname and IP address.  If none of the patterns match, then the
     connection is rejected.
 

-    Each pattern can be in one of five forms:
+    Each pattern can be in one of six forms:

 
     - a dotted decimal IPv4 address of the form a.b.c.d, or an IPv6 address of
       the form a:b:c::d:e:f. In this case the incoming machine's IP address
 
     - a dotted decimal IPv4 address of the form a.b.c.d, or an IPv6 address of
       the form a:b:c::d:e:f. In this case the incoming machine's IP address


@@ -705,6 +705,8 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
       connecting IP (if "reverse lookup" is enabled), and/or the IP of the
       given hostname is matched against the connecting IP (if "forward lookup"
       is enabled, as it is by default).  Any match will be allowed in.
       connecting IP (if "reverse lookup" is enabled), and/or the IP of the
       given hostname is matched against the connecting IP (if "forward lookup"
       is enabled, as it is by default).  Any match will be allowed in.

+    - an '@' followed by a netgroup name, which will match if the reverse DNS
+      of the connecting IP is in the specified netgroup.

 
     Note IPv6 link-local addresses can have a scope in the address
     specification:
 
     Note IPv6 link-local addresses can have a scope in the address
     specification:


@@ -713,12 +715,12 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
     >     fe80::%link1/64
     >     fe80::%link1/ffff:ffff:ffff:ffff::
 
     >     fe80::%link1/64
     >     fe80::%link1/ffff:ffff:ffff:ffff::
 

-    You can also combine "hosts allow" with a separate "hosts deny" parameter.
-    If both parameters are specified then the "hosts allow" parameter is
-    checked first and a match results in the client being able to connect. The
-    "hosts deny" parameter is then checked and a match means that the host is
-    rejected. If the host does not match either the "hosts allow" or the
-    "hosts deny" patterns then it is allowed to connect.
+    You can also combine "hosts allow" with "hosts deny" as a way to add
+    exceptions to your deny list.  When both parameters are specified, the
+    "hosts allow" parameter is checked first and a match results in the client
+    being able to connect.  A non-allowed host is then matched against the
+    "hosts deny" list to see if it should be rejected.  A host that does not
+    match either list is allowed to connect.

 
     The default is no "hosts allow" parameter, which means all hosts can
     connect.
 
     The default is no "hosts allow" parameter, which means all hosts can
     connect.