Article delegate-en/4611 of [1-5169] on the server localhost:119
[Reference:<_A4610@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: PERMIT Permission bug?
11 Oct 2009 15:35:57 GMT NoSFeRaTU <peihqbdyi-c2jtqbbno6vr.ml@ml.delegate.org>


On Sun, 11 Oct 2009 17:50:09 +0900 (JST)
feedback@delegate.org (Yutaka Sato) wrote:

 YS> I see.  I found the problem can be reproduced with "SAC=x.x.x.x" option
 YS> to simulate an access control for access from a client "x.x.x.x" as
 YS> follows.  This test does not need any change of configuration of your
 YS> existing DeleGate, nor real access, you will be able to reproduce it
 YS> as is shown easily.
<-- CUT -->
 YS> The behavior of (2) may be strange but since it has been so long, I could
 YS> not change it.  The "/a" option in (3) seems to have been introduced in
 YS> DeleGate/8.0.5 as a solution for it.  
 YS> I'm not yet sure, but the enclosed patch may make things work
 YS> automatically as expected without affecting behaviors in ancient usages
 YS> and configurations.
I applied the enclosed patch to 9.9.5; under simulation with SAC="10.1.1.1" it
seems to work with:

delegated SERVER=http HOSTS="nosferatu.gnet/{169.254.0.2,10.1.1.1}" SAC="10.1.1.1" -dh PERMIT="*:*:10.1.1.0/24"

10/11 18:44:57.89 [10067] 0+0: ---- Simulated Access Control ------
10/11 18:44:57.89 [10067] 0+0: -- SAC=10.1.1.1
10/11 18:44:57.89 [10067] 0+0: ## 10.1.1.1 => nosferatu.gnet => 169.254.0.2
[ 0]P    0:00    2 nosferatu.gnet/{169.254.0.2,10.1.1.1}
[ 1]P    0:00    1 localhost/127.0.0.1
[ 2]P    0:00    0 localhost/__1
[ 3]P    0:00    0 .af-local/127.0.0.127
[ 4]+    0:00    1 {nosferatu.gnet,nosferatu}/127.0.0.2
[ 5]+    0:00    0 ganjanet.gnet/10.1.1.0
10/11 18:44:57.90 [10067] 0+0: ## 10.1.1.1 => nosferatu.gnet => 169.254.0.2/ignored
10/11 18:44:57.90 [10067] 0+0: {HL} PERMIT 0/1
10/11 18:44:57.90 [10067] 0+0: gethostbyname(-) unknown[0.00s]
10/11 18:44:57.90 [10067] 0+0: [1/1] REGEXP NAME MATCHING: - += * ?
10/11 18:44:57.90 [10067] 0+0: [1/1] ==> 1 (PERMIT/DST -)
10/11 18:44:57.90 [10067] 0+0: ## 10.1.1.1 => nosferatu.gnet => 169.254.0.2
[ 0]P    0:00    3 nosferatu.gnet/{169.254.0.2,10.1.1.1}
[ 1]P    0:00    1 localhost/127.0.0.1
[ 2]P    0:00    0 localhost/__1
[ 3]P    0:00    0 .af-local/127.0.0.127
[ 4]+    0:00    1 {nosferatu.gnet,nosferatu}/127.0.0.2
[ 5]+    0:00    0 ganjanet.gnet/10.1.1.0
[ 6]+    0:00    0 -/
10/11 18:44:57.90 [10067] 0+0: ## 10.1.1.1 => nosferatu.gnet => 169.254.0.2/ignored
10/11 18:44:57.90 [10067] 0+0: [1/1] ADDR MATCH: 10.1.1.0 += 10.1.1.0 ?
10/11 18:44:57.90 [10067] 0+0: [1/1] ==> 1 (PERMIT/SRC nosferatu.gnet)
10/11 18:44:57.90 [10067] 0+0: OK 10.1.1.1:1 => http://-:80
10/11 18:44:57.90 [10067] 0+0: ---- Simulated Access Control => OK:1 ERR:0



But with SAC="nosferatu.gnet" it doesn't work:

delegated SERVER=http HOSTS="xyz/{169.254.0.2,10.1.1.1}" SAC="nosferatu.gnet" -dh PERMIT="*:*:10.1.1.0/24"

10/11 19:19:15.75 [10366] 0+0: ext[0] TIMEOUT=shutout:60
10/11 19:19:15.75 [10366] 0+0: arg[1] SERVER=http
10/11 19:19:15.75 [10366] 0+0: arg[2] HOSTS=xyz/{169.254.0.2,10.1.1.1}
10/11 19:19:15.75 [10366] 0+0: arg[3] SAC=nosferatu.gnet
10/11 19:19:15.75 [10366] 0+0: arg[5] PERMIT=*:*:10.1.1.0/24
10/11 19:19:15.75 [10366] 0+0: DELEGATE_Modified[0]: 4ad1f6f9 000000000X
10/11 19:19:15.75 [10366] 0+0: --INITIALIZATION DONE-09101119+0300: 9.9.5 on Linux/2.6.27.29-0.1-default--
10/11 19:19:15.75 [10366] 0+0: logMMap: 19D1D000 2712
10/11 19:19:15.75 [10366] 0+0: LOG-Socketpair[19,20]
10/11 19:19:15.75 [10366] 0+0: ---- Simulated Access Control ------
10/11 19:19:15.75 [10366] 0+0: -- SAC=nosferatu.gnet
10/11 19:19:15.75 [10366] 0+0: ## 127.0.0.2 => nosferatu.gnet => 127.0.0.2
[ 0]P    0:00    0 xyz/{169.254.0.2,10.1.1.1}
[ 1]P    0:00    1 localhost/127.0.0.1
[ 2]P    0:00    0 localhost/__1
[ 3]P    0:00    0 .af-local/127.0.0.127
[ 4]+    0:00    4 {nosferatu.gnet,nosferatu}/127.0.0.2
[ 5]+    0:00    0 ganjanet.gnet/10.1.1.0
10/11 19:19:15.75 [10366] 0+0: {HL} PERMIT 0/1
10/11 19:19:15.75 [10366] 0+0: gethostbyname(-) unknown[0.00s]
10/11 19:19:15.75 [10366] 0+0: [1/1] REGEXP NAME MATCHING: - += * ?
10/11 19:19:15.75 [10366] 0+0: [1/1] ==> 1 (PERMIT/DST -)
10/11 19:19:15.75 [10366] 0+0: ## 127.0.0.2 => nosferatu.gnet => 127.0.0.2
[ 0]P    0:00    0 xyz/{169.254.0.2,10.1.1.1}
[ 1]P    0:00    1 localhost/127.0.0.1
[ 2]P    0:00    0 localhost/__1
[ 3]P    0:00    0 .af-local/127.0.0.127
[ 4]+    0:00    5 {nosferatu.gnet,nosferatu}/127.0.0.2
[ 5]+    0:00    0 ganjanet.gnet/10.1.1.0
[ 6]+    0:00    0 -/
10/11 19:19:15.75 [10366] 0+0: [1/1] ADDR MATCH: 127.0.0.0 += 10.1.1.0 ?
10/11 19:19:15.75 [10366] 0+0: [1/1] ==> 0 (PERMIT/SRC nosferatu.gnet)
10/11 19:19:15.75 [10366] 0+0: E-P: No permission: 127.0.0.2:1 => http://- (unmatch PERMIT)
10/11 19:19:15.75 [10366] 0+0: ERROR nosferatu.gnet:1 => http://-:80
10/11 19:19:15.75 [10366] 0+0: ---- Simulated Access Control => OK:0 ERR:1



And it works with SAC="nosferatu.gnet" and
PERMIT="*:*:10.1.1.0/24,nosferatu.gnet" or PERMIT="*:*:10.1.1.0/24,127.0.0.2":

delegated SERVER=http HOSTS="xyz/{169.254.0.2,10.1.1.1}" SAC="nosferatu.gnet" -dh PERMIT="*:*:10.1.1.0/24,127.0.0.2"

10/11 19:24:30.67 [10378] 0+0: ext[0] TIMEOUT=shutout:60
10/11 19:24:30.67 [10378] 0+0: arg[1] SERVER=http
10/11 19:24:30.67 [10378] 0+0: arg[2] HOSTS=xyz/{169.254.0.2,10.1.1.1}
10/11 19:24:30.67 [10378] 0+0: arg[3] SAC=nosferatu.gnet
10/11 19:24:30.67 [10378] 0+0: arg[5] PERMIT=*:*:10.1.1.0/24,127.0.0.2
10/11 19:24:30.67 [10378] 0+0: DELEGATE_Modified[0]: 4ad1f828 000000000X
10/11 19:24:30.67 [10378] 0+0: --INITIALIZATION DONE-09101119+0300: 9.9.5 on Linux/2.6.27.29-0.1-default--
10/11 19:24:30.68 [10378] 0+0: logMMap: C45F3000 2712
10/11 19:24:30.68 [10378] 0+0: LOG-Socketpair[19,20]
10/11 19:24:30.68 [10378] 0+0: ---- Simulated Access Control ------
10/11 19:24:30.68 [10378] 0+0: -- SAC=nosferatu.gnet
10/11 19:24:30.68 [10378] 0+0: ## 127.0.0.2 => nosferatu.gnet => 127.0.0.2
[ 0]P    0:00    0 xyz/{169.254.0.2,10.1.1.1}
[ 1]P    0:00    1 localhost/127.0.0.1
[ 2]P    0:00    0 localhost/__1
[ 3]P    0:00    0 .af-local/127.0.0.127
[ 4]+    0:00    5 {nosferatu.gnet,nosferatu}/127.0.0.2
[ 5]+    0:00    0 ganjanet.gnet/10.1.1.0
10/11 19:24:30.68 [10378] 0+0: {HL} PERMIT 0/1
10/11 19:24:30.68 [10378] 0+0: gethostbyname(-) unknown[0.00s]
10/11 19:24:30.68 [10378] 0+0: [1/1] REGEXP NAME MATCHING: - += * ?
10/11 19:24:30.68 [10378] 0+0: [1/1] ==> 1 (PERMIT/DST -)
10/11 19:24:30.68 [10378] 0+0: ## 127.0.0.2 => nosferatu.gnet => 127.0.0.2
[ 0]P    0:00    0 xyz/{169.254.0.2,10.1.1.1}
[ 1]P    0:00    1 localhost/127.0.0.1
[ 2]P    0:00    0 localhost/__1
[ 3]P    0:00    0 .af-local/127.0.0.127
[ 4]+    0:00    6 {nosferatu.gnet,nosferatu}/127.0.0.2
[ 5]+    0:00    0 ganjanet.gnet/10.1.1.0
[ 6]+    0:00    0 -/
10/11 19:24:30.68 [10378] 0+0: [1/2] ADDR MATCH: 127.0.0.0 += 10.1.1.0 ?
10/11 19:24:30.68 [10378] 0+0: [1/2] ==> 0 (PERMIT/SRC nosferatu.gnet)
10/11 19:24:30.68 [10378] 0+0: [2/2] EXACT NAME MATCH: nosferatu.gnet += nosferatu.gnet ?
10/11 19:24:30.68 [10378] 0+0: [2/2] ==> 1 (PERMIT/SRC nosferatu.gnet)
10/11 19:24:30.68 [10378] 0+0: OK nosferatu.gnet:1 => http://-:80
10/11 19:24:30.68 [10378] 0+0: ---- Simulated Access Control => OK:1 ERR:0



It does not work in real mode with:
delegated -P5555 SERVER=http PERMIT="*:*:10.1.1.0/24"
delegated -P5555 SERVER=http PERMIT="*:*:10.1.1.0/24,/a"
delegated -P5555 SERVER=http PERMIT="*:*:10.1.1.0/24,169.254.0.2"
delegated -P5555 SERVER=http HOSTS="nosferatu.gnet/{169.254.0.2,10.1.1.1}" PERMIT="*:*:10.1.1.0/24"



And all is OK with:
delegated -P5555 SERVER=http PERMIT="*:*:10.1.1.0/24,10.1.1.1"
delegated -P5555 SERVER=http PERMIT="*:*:10.1.1.0/24,nosferatu.gnet"
delegated -P5555 SERVER=http PERMIT="*:*:10.1.1.0/24,127.0.0.2"
delegated -P5555 SERVER=http HOSTS="nosferatu.gnet/{169.254.0.2,10.1.1.1}" PERMIT="*:*:10.1.1.0/24,10.1.1.1"
delegated -P5555 SERVER=http HOSTS="nosferatu.gnet/{169.254.0.2,10.1.1.1}" PERMIT="*:*:10.1.1.0/24,nosferatu.gnet"
delegated -P5555 SERVER=http HOSTS="nosferatu.gnet/{169.254.0.2,10.1.1.1}" PERMIT="*:*:10.1.1.0/24,169.254.0.2"



nosferatu:/ # host nosferatu.gnet
nosferatu.gnet has address 10.1.1.1
nosferatu:/ # host 10.1.1.1
1.1.1.10.in-addr.arpa domain name pointer nosferatu.gnet.
nosferatu:/ # host 169.254.0.2
2.0.254.169.in-addr.arpa domain name pointer nosferatu.pgnet.
nosferatu:/ # host nosferatu.pgnet
Host nosferatu.pgnet not found: 3(NXDOMAIN)

--
 WBR, NoSFeRaTU
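
Added example, not part of the original post and not DeleGate code: a small Python parser for the "Simulated Access Control" trace format quoted above, which pairs each match test with its result and flags PERMIT/SRC address tests where the client was seen as a loopback address while the rule is not. The sample is constructed from the failing SAC=nosferatu.gnet run with its wrapped lines rejoined; the names parse_sac and loopback_misses are hypothetical.

```python
import ipaddress
import re

# Constructed sample: lines from the failing run in the post, unwrapped.
SAMPLE = """\
10/11 19:19:15.75 [10366] 0+0: -- SAC=nosferatu.gnet
10/11 19:19:15.75 [10366] 0+0: [1/1] REGEXP NAME MATCHING: - += * ?
10/11 19:19:15.75 [10366] 0+0: [1/1] ==> 1 (PERMIT/DST -)
10/11 19:19:15.75 [10366] 0+0: [1/1] ADDR MATCH: 127.0.0.0 += 10.1.1.0 ?
10/11 19:19:15.75 [10366] 0+0: [1/1] ==> 0 (PERMIT/SRC nosferatu.gnet)
10/11 19:19:15.75 [10366] 0+0: E-P: No permission: 127.0.0.2:1 => http://- (unmatch PERMIT)
10/11 19:19:15.75 [10366] 0+0: ---- Simulated Access Control => OK:0 ERR:1
"""

PREFIX = re.compile(r"^\d\d/\d\d [\d:.]+ \[\d+\] \S+: (.*)$")
TEST = re.compile(r"^\[\d+/\d+\] (ADDR MATCH|EXACT NAME MATCH|REGEXP NAME MATCHING)"
                  r": (\S+) \+= (\S+) \?$")
RESULT = re.compile(r"^\[\d+/\d+\] ==> (\d) \(PERMIT/(SRC|DST) (\S+)\)$")
SUMMARY = re.compile(r"^---- Simulated Access Control => OK:(\d+) ERR:(\d+)$")

def parse_sac(log):
    """Return the simulated client, each (test, result) pair and the OK/ERR totals."""
    report = {"client": None, "checks": [], "ok": None, "err": None}
    pending = None  # last match test seen, waiting for its "==>" result line
    for line in log.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # host-table rows and other non-timestamped lines
        msg = m.group(1)
        if msg.startswith("-- SAC="):
            report["client"] = msg[len("-- SAC="):]
        elif (t := TEST.match(msg)):
            pending = t.groups()  # (kind, value seen for the client, rule value)
        elif (r := RESULT.match(msg)) and pending:
            kind, seen, rule = pending
            report["checks"].append({"list": r.group(2), "kind": kind, "seen": seen,
                                     "rule": rule, "matched": r.group(1) == "1"})
            pending = None
        elif (s := SUMMARY.match(msg)):
            report["ok"], report["err"] = int(s.group(1)), int(s.group(2))
    return report

def loopback_misses(report):
    """Failed SRC address tests where the client side is loopback but the rule is not."""
    return [c for c in report["checks"]
            if c["list"] == "SRC" and c["kind"] == "ADDR MATCH" and not c["matched"]
            and ipaddress.ip_address(c["seen"]).is_loopback
            and not ipaddress.ip_address(c["rule"]).is_loopback]
```
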
