changeset 18870:9be3fbad33c5
auth: Added allow_real_nets setting.
The difference to allow_nets is that it matches against the connection's
"real IP" rather than what the connection told was the original client's IP
address (%{rip} vs %{real_rip})
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Wed, 17 Jun 2015 11:31:02 +0300 |
parents | 697c6f04baca |
children | 69b231fdf5d7 |
files | src/auth/auth-request.c |
diffstat | 1 files changed, 16 insertions(+), 11 deletions(-) [+] |
--- a/src/auth/auth-request.c	Tue Jun 16 17:19:12 2015 +0300
+++ b/src/auth/auth-request.c	Wed Jun 17 11:31:02 2015 +0300
@@ -1305,8 +1305,10 @@
 	return TRUE;
 }
 
-static void auth_request_validate_networks(struct auth_request *request,
-					   const char *networks)
+static void
+auth_request_validate_networks(struct auth_request *request,
+			       const char *name, const char *networks,
+			       const struct ip_addr *remote_ip)
 {
 	const char *const *net;
 	struct ip_addr net_ip;
@@ -1315,20 +1317,20 @@
 
 	for (net = t_strsplit_spaces(networks, ", "); *net != NULL; net++) {
 		auth_request_log_debug(request, AUTH_SUBSYS_DB,
-			"allow_nets: Matching for network %s", *net);
+			"%s: Matching for network %s", name, *net);
 
-		if (strcmp(*net, "local") == 0 && request->remote_ip.family == 0) {
+		if (strcmp(*net, "local") == 0 && remote_ip->family == 0) {
 			found = TRUE;
 			break;
 		}
 
 		if (net_parse_range(*net, &net_ip, &bits) < 0) {
 			auth_request_log_info(request, AUTH_SUBSYS_DB,
-				"allow_nets: Invalid network '%s'", *net);
+				"%s: Invalid network '%s'", name, *net);
 		}
 
-		if (request->remote_ip.family != 0 &&
-		    net_is_in_network(&request->remote_ip, &net_ip, bits)) {
+		if (remote_ip->family != 0 &&
+		    net_is_in_network(remote_ip, &net_ip, bits)) {
 			found = TRUE;
 			break;
 		}
@@ -1336,12 +1338,13 @@
 
 	if (found)
 		;
-	else if (request->remote_ip.family == 0) {
+	else if (remote_ip->family == 0) {
 		auth_request_log_info(request, AUTH_SUBSYS_DB,
-			"allow_nets check failed: Remote IP not known and 'local' missing");
+			"%s check failed: Remote IP not known and 'local' missing", name);
 	} else if (!found) {
 		auth_request_log_info(request, AUTH_SUBSYS_DB,
-			"allow_nets check failed: IP not in allowed networks");
+			"%s check failed: IP %s not in allowed networks",
+			name, net_ip2addr(remote_ip));
 	}
 	request->failed = !found;
 }
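Review bot: In the second hunk a failed `net_parse_range(*net, &net_ip, &bits)` only logs and then falls through to the `remote_ip->family != 0 && net_is_in_network(remote_ip, &net_ip, bits)` test, so an entry that does not parse (including the literal `local` whenever remote_ip->family is non-zero, because the first test skips it and the word is then handed to the parser) is matched against whatever `net_ip` and `bits` currently hold — `net_ip` is declared without an initializer in the first hunk, so for the first entry that is uninitialized memory, and afterwards it is the previous entry's range. The commit rewrites all three statements but keeps the fall-through, so a mistyped network can still yield a spurious match instead of simply not matching. Adding `continue;` after the `auth_request_log_info()` call in the parse-failure block, or chaining the three tests as `if (strcmp(*net, "local") == 0) {...} else if (net_parse_range(...) < 0) {...} else if (...)`, closes that path. auth_request_validate_networks opens in the first hunk and ends in the third.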
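Review bot: `request->failed = !found;` at the end of the third hunk assigns rather than accumulates, and with the second caller added in the last hunk a passdb that returns both `allow_nets` and `allow_real_nets` has the later field overwrite the earlier verdict: a failing check followed by a passing one leaves request->failed cleared, so the outcome depends on field order. Whether that order is stable is not visible here, but a sticky failure is the safer contract: `if (!found) request->failed = TRUE;` preserves any earlier failure, including one set by code outside this diff before the networks check runs.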
@@ -1465,7 +1468,9 @@
 	} else if (strcmp(name, "login_user") == 0) {
 		request->requested_login_user = p_strdup(request->pool, value);
 	} else if (strcmp(name, "allow_nets") == 0) {
-		auth_request_validate_networks(request, value);
+		auth_request_validate_networks(request, name, value, &request->remote_ip);
+	} else if (strcmp(name, "allow_real_nets") == 0) {
+		auth_request_validate_networks(request, name, value, &request->real_remote_ip);
 	} else if (strncmp(name, "userdb_", 7) == 0) {
 		/* for prefetch userdb */
 		request->userdb_prefetch_set = TRUE;
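Review bot: The two branches differ only in the struct field passed, and the security-relevant distinction — per the commit description, remote_ip is the client address the connection reported while real_remote_ip is the connection's actual peer — is not recorded in the code. A comment above the `allow_nets` branch such as `/* allow_nets matches the client IP as reported by the connection (%{rip}); allow_real_nets matches the connection's real peer IP (%{real_rip}) */` keeps that visible to whoever next edits this dispatch. The enclosing function begins and ends outside the hunk.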