dovecot-2.2: auth: Added real_[lr]ip, real_[lr]port variables.
dovecot at dovecot.org
dovecot at dovecot.org
Fri Feb 22 13:05:34 EET 2013
details: http://hg.dovecot.org/dovecot-2.2/rev/c43fcfa2c4b4
changeset: 15888:c43fcfa2c4b4
user: Timo Sirainen <tss at iki.fi>
date: Fri Feb 22 13:04:45 2013 +0200
description:
auth: Added real_[lr]ip, real_[lr]port variables.
The unreal ones differ when a trusted proxy overrides them.
diffstat:
src/auth/auth-request.c | 47 ++++++++++++++++++++++++++++++++++---
src/auth/auth-request.h | 6 ++--
src/lib-auth/auth-client-request.c | 20 ++++++++++++++++
src/lib-auth/auth-client.h | 4 +-
src/login-common/client-common.c | 13 +++++++---
src/login-common/client-common.h | 3 +-
src/login-common/main.c | 4 +-
src/login-common/sasl-server.c | 4 +++
8 files changed, 85 insertions(+), 16 deletions(-)
diffs (229 lines):
diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/auth/auth-request.c
--- a/src/auth/auth-request.c Fri Feb 22 12:42:26 2013 +0200
+++ b/src/auth/auth-request.c Fri Feb 22 13:04:45 2013 +0200
@@ -230,6 +230,18 @@
str_printfa(dest, "\tlport=%u", request->local_port);
if (request->remote_port != 0)
str_printfa(dest, "\trport=%u", request->remote_port);
+ if (request->real_local_ip.family != 0) {
+ auth_str_add_keyvalue(dest, "real_lip",
+ net_ip2addr(&request->real_local_ip));
+ }
+ if (request->real_remote_ip.family != 0) {
+ auth_str_add_keyvalue(dest, "real_rip",
+ net_ip2addr(&request->real_remote_ip));
+ }
+ if (request->real_local_port != 0)
+ str_printfa(dest, "\treal_lport=%u", request->real_local_port);
+ if (request->real_remote_port != 0)
+ str_printfa(dest, "\treal_rport=%u", request->real_remote_port);
if (request->secured)
str_append(dest, "\tsecured");
if (request->skip_password_check)
@@ -250,14 +262,31 @@
/* authentication and user lookups may set these */
if (strcmp(key, "service") == 0)
request->service = p_strdup(request->pool, value);
- else if (strcmp(key, "lip") == 0)
+ else if (strcmp(key, "lip") == 0) {
(void)net_addr2ip(value, &request->local_ip);
- else if (strcmp(key, "rip") == 0)
+ if (request->real_local_ip.family == 0)
+ request->real_local_ip = request->local_ip;
+ } else if (strcmp(key, "rip") == 0) {
(void)net_addr2ip(value, &request->remote_ip);
- else if (strcmp(key, "lport") == 0)
+ if (request->real_remote_ip.family == 0)
+ request->real_remote_ip = request->remote_ip;
+ } else if (strcmp(key, "lport") == 0) {
request->local_port = atoi(value);
- else if (strcmp(key, "rport") == 0)
+ if (request->real_local_port == 0)
+ request->real_local_port = request->local_port;
+ } else if (strcmp(key, "rport") == 0) {
request->remote_port = atoi(value);
+ if (request->real_remote_port == 0)
+ request->real_remote_port = request->remote_port;
+ }
+ else if (strcmp(key, "real_lip") == 0)
+ (void)net_addr2ip(value, &request->real_local_ip);
+ else if (strcmp(key, "real_rip") == 0)
+ (void)net_addr2ip(value, &request->real_remote_ip);
+ else if (strcmp(key, "real_lport") == 0)
+ request->real_local_port = atoi(value);
+ else if (strcmp(key, "real_rport") == 0)
+ request->real_remote_port = atoi(value);
else if (strcmp(key, "session") == 0)
request->session_id = p_strdup(request->pool, value);
else
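Review bot: The new `real_lip`/`real_rip`/`real_lport`/`real_rport` arms at L70-L77 break the brace style of the chain they extend: L69 closes the `rport` arm with `}` on a line of its own and L70 starts a bare `else if`, whereas the arms above use `} else if (...) {`. Writing L69-L70 as `} else if (strcmp(key, "real_lip") == 0)` keeps the chain uniform. The back-fill at L53-L54, L58-L59, L63-L64 and L67-L68 only touches a `real_*` field that is still unset, so the result is the same whichever order the plain and `real_*` keys arrive in; a one-line comment at L53 such as `/* real_* default to the plain values unless an explicit real_* key is received; either key order works */` would spare the reader checking both arms. The port arms copy the existing `atoi(value)` pattern, so a negative or non-numeric value lands in an unsigned field unchecked; that is pre-existing behaviour, but the new fields inherit it.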
@@ -1812,6 +1841,10 @@
{ '\0', NULL, "login_username" },
{ '\0', NULL, "login_domain" },
{ '\0', NULL, "session" },
+ { '\0', NULL, "real_lip" },
+ { '\0', NULL, "real_rip" },
+ { '\0', NULL, "real_lport" },
+ { '\0', NULL, "real_rport" },
{ '\0', NULL, NULL }
};
@@ -1882,6 +1915,12 @@
}
tab[18].value = auth_request->session_id == NULL ? NULL :
escape_func(auth_request->session_id, auth_request);
+ if (auth_request->real_local_ip.family != 0)
+ tab[19].value = net_ip2addr(&auth_request->real_local_ip);
+ if (auth_request->real_remote_ip.family != 0)
+ tab[20].value = net_ip2addr(&auth_request->real_remote_ip);
+ tab[21].value = dec2str(auth_request->real_local_port);
+ tab[22].value = dec2str(auth_request->real_remote_port);
return ret_tab;
}
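Review bot: The indices 19-22 at L96-L100 are hard-coded to match the four entries appended to the static table at L85-L88 and the `AUTH_REQUEST_VAR_TAB_COUNT` bump to 23 in auth-request.h, and nothing in the code ties the three places together. A comment on the define, `/* entries in auth_request_var_expand_static_tab[] excluding the terminator; the tab[N] assignments that fill it must be updated together with this */`, would at least name the coupling; the enclosing function starts outside this hunk, so I cannot see whether it already has such a note. The ports at L99-L100 are always filled (expanding to "0" when unset) while the IPs at L95-L98 are left NULL when the family is 0; that mirrors the lport/rport handling elsewhere in this changeset so it is presumably intended, but a short comment saying so would save the next reader the question.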
diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/auth/auth-request.h
--- a/src/auth/auth-request.h Fri Feb 22 12:42:26 2013 +0200
+++ b/src/auth/auth-request.h Fri Feb 22 13:04:45 2013 +0200
@@ -73,8 +73,8 @@
pid_t session_pid;
const char *service, *mech_name, *session_id;
- struct ip_addr local_ip, remote_ip;
- unsigned int local_port, remote_port;
+ struct ip_addr local_ip, remote_ip, real_local_ip, real_remote_ip;
+ unsigned int local_port, remote_port, real_local_port, real_remote_port;
struct timeout *to_abort, *to_penalty;
unsigned int last_penalty;
@@ -140,7 +140,7 @@
#define AUTH_REQUEST_VAR_TAB_USER_IDX 0
#define AUTH_REQUEST_VAR_TAB_USERNAME_IDX 1
#define AUTH_REQUEST_VAR_TAB_DOMAIN_IDX 2
-#define AUTH_REQUEST_VAR_TAB_COUNT 19
+#define AUTH_REQUEST_VAR_TAB_COUNT 23
extern const struct var_expand_table auth_request_var_expand_static_tab[];
struct auth_request *
diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/lib-auth/auth-client-request.c
--- a/src/lib-auth/auth-client-request.c Fri Feb 22 12:42:26 2013 +0200
+++ b/src/lib-auth/auth-client-request.c Fri Feb 22 13:04:45 2013 +0200
@@ -60,6 +60,26 @@
str_printfa(str, "\tlport=%u", info->local_port);
if (info->remote_port != 0)
str_printfa(str, "\trport=%u", info->remote_port);
+
+ /* send the real_* variants only when they differ from the unreal
+ ones */
+ if (info->real_local_ip.family != 0 &&
+ !net_ip_compare(&info->real_local_ip, &info->local_ip)) {
+ str_printfa(str, "\treal_lip=%s",
+ net_ip2addr(&info->real_local_ip));
+ }
+ if (info->real_remote_ip.family != 0 &&
+ !net_ip_compare(&info->real_remote_ip, &info->remote_ip)) {
+ str_printfa(str, "\treal_rip=%s",
+ net_ip2addr(&info->real_remote_ip));
+ }
+ if (info->real_local_port != 0 &&
+ info->real_local_port != info->local_port)
+ str_printfa(str, "\treal_lport=%u", info->real_local_port);
+ if (info->real_remote_port != 0 &&
+ info->real_remote_port != info->remote_port)
+ str_printfa(str, "\treal_rport=%u", info->real_remote_port);
+
if (info->initial_resp_base64 != NULL) {
str_append(str, "\tresp=");
str_append_tabescaped(str, info->initial_resp_base64);
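Review bot: The skip-when-equal logic at L133-L148 is only correct because the auth server back-fills `real_*` from `lip`/`rip`/`lport`/`rport` when the `real_*` keys are absent (the auth-request.c hunk in this changeset), and the comment at L131 does not mention that dependency. Extending it to `/* send the real_* variants only when they differ from the unreal ones; the auth server copies lip/rip/lport/rport into real_* when they are missing */` records the cross-module contract next to the code that relies on it. A request whose `real_*` fields were never set (family 0 / port 0) is treated the same here as one where they equal the plain values, and both end up identical after the back-fill, so that case looks fine.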
diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/lib-auth/auth-client.h
--- a/src/lib-auth/auth-client.h Fri Feb 22 12:42:26 2013 +0200
+++ b/src/lib-auth/auth-client.h Fri Feb 22 13:04:45 2013 +0200
@@ -41,8 +41,8 @@
const char *cert_username;
enum auth_request_flags flags;
- struct ip_addr local_ip, remote_ip;
- unsigned int local_port, remote_port;
+ struct ip_addr local_ip, remote_ip, real_local_ip, real_remote_ip;
+ unsigned int local_port, remote_port, real_local_port, real_remote_port;
const char *initial_resp_base64;
};
diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/login-common/client-common.c
--- a/src/login-common/client-common.c Fri Feb 22 12:42:26 2013 +0200
+++ b/src/login-common/client-common.c Fri Feb 22 13:04:45 2013 +0200
@@ -123,9 +123,8 @@
client->pool = pool;
client->set = set;
client->ssl_set = ssl_set;
- client->local_ip = *local_ip;
- client->ip = *remote_ip;
- client->real_ip = *remote_ip;
+ client->real_local_ip = client->local_ip = *local_ip;
+ client->real_remote_ip = client->ip = *remote_ip;
client->fd = fd;
client->tls = ssl;
client->trusted = client_is_trusted(client);
@@ -463,7 +462,10 @@
{ 'k', NULL, "ssl_security" },
{ 'e', NULL, "mail_pid" },
{ '\0', NULL, "session" },
+ { '\0', NULL, "real_lip" },
{ '\0', NULL, "real_rip" },
+ { '\0', NULL, "real_lport" },
+ { '\0', NULL, "real_rport" },
{ '\0', NULL, NULL }
};
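Review bot: Inserting `real_lip` at L184 ahead of the pre-existing `real_rip` entry moves `real_rip` from index 15 to 16; L195-L196 in the next hunk follow that shift, but any other code in login-common that indexed `tab[15]` expecting the real remote IP would now silently read the real local IP. I cannot see such callers from this hunk, so this is a check rather than a defect. Appending the three new entries after `real_rip` would have kept the existing index stable; if the current order is preferred, a comment at L195, `/* indexes must match the order of the static table above */`, makes the coupling visible where the numbers are written.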
@@ -513,7 +515,10 @@
tab[13].value = client->mail_pid == 0 ? "" :
dec2str(client->mail_pid);
tab[14].value = client_get_session_id(client);
- tab[15].value = net_ip2addr(&client->real_ip);
+ tab[15].value = net_ip2addr(&client->real_local_ip);
+ tab[16].value = net_ip2addr(&client->real_remote_ip);
+ tab[17].value = dec2str(client->real_local_port);
+ tab[18].value = dec2str(client->real_remote_port);
return tab;
}
diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/login-common/client-common.h
--- a/src/login-common/client-common.h Fri Feb 22 12:42:26 2013 +0200
+++ b/src/login-common/client-common.h Fri Feb 22 13:04:45 2013 +0200
@@ -102,8 +102,9 @@
struct ip_addr local_ip;
struct ip_addr ip;
- struct ip_addr real_ip;
+ struct ip_addr real_remote_ip, real_local_ip;
unsigned int local_port, remote_port;
+ unsigned int real_local_port, real_remote_port;
struct ssl_proxy *ssl_proxy;
const struct login_settings *set;
const struct master_service_ssl_settings *ssl_set;
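Review bot: The declaration at L208 lists `real_remote_ip, real_local_ip`, while every other site in this changeset (auth-request.h L111, auth-client.h L161, and the port line at L210 in this same hunk) uses local-before-remote order; `struct ip_addr real_local_ip, real_remote_ip;` keeps the header consistent. The struct also carries no comment distinguishing `ip`/`local_ip` from the `real_*` pair; per the commit description, something like `/* real_* hold the actual TCP endpoints; ip/local_ip may have been overridden by a trusted proxy */` would document the distinction where the fields are declared.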
diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/login-common/main.c
--- a/src/login-common/main.c Fri Feb 22 12:42:26 2013 +0200
+++ b/src/login-common/main.c Fri Feb 22 13:04:45 2013 +0200
@@ -143,8 +143,8 @@
ssl_proxy_start(proxy);
}
- client->remote_port = conn->remote_port;
- client->local_port = local_port;
+ client->real_remote_port = client->remote_port = conn->remote_port;
+ client->real_local_port = client->local_port = local_port;
if (auth_client_to != NULL)
timeout_remove(&auth_client_to);
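Review bot: The `real_*_port` fields are assigned here at L222-L223 rather than in client_create() alongside `real_local_ip`/`real_remote_ip` (client-common.c hunk in this changeset), so between client_create() and this point their value depends on how the client struct is allocated, which this hunk does not show. The split follows the existing placement of `local_port`/`remote_port`, so this is a consistency remark rather than a defect; either moving the four port assignments into client_create() or adding a comment at L222 stating why the ports are only known here would make the arrangement deliberate. The enclosing function starts and ends outside the hunk.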
diff -r 48c1c58948f5 -r c43fcfa2c4b4 src/login-common/sasl-server.c
--- a/src/login-common/sasl-server.c Fri Feb 22 12:42:26 2013 +0200
+++ b/src/login-common/sasl-server.c Fri Feb 22 13:04:45 2013 +0200
@@ -327,6 +327,10 @@
info.remote_ip = client->ip;
info.local_port = client->local_port;
info.remote_port = client->remote_port;
+ info.real_local_ip = client->real_local_ip;
+ info.real_remote_ip = client->real_remote_ip;
+ info.real_local_port = client->real_local_port;
+ info.real_remote_port = client->real_remote_port;
info.initial_resp_base64 = initial_resp_base64;
client->auth_request =