Duane Wessels wrote:
> Reading over the patch, a couple of questions come to mind.
Good. Code should be questioned if any doubts.
> Why the 'waits_for_ident' flag, used in client_side.c? To my
> thinking, if the ident lookup is *required* then it should be
> done by the ACL stuff. If people want to to ident lookups, but
> not used for access controls, then it should be "best effort" and
> requests should not be blocked waiting for it.
That is used when ident_lookup is on, to block the request until the
ident lookup is finished. This is to avoid having two ident lookups for
the same request if both ident_lookup and acl ident is used at the same
time. I agree that the optimal implementation of ident_lookup is to do a
purely best effort, but then we need to connect this with ACL ident
processing to avoid having two lookups for the same connection. I have
yet to find a clean way to do this, but see below.
> I have some issues with identAbort(). I don't think that client_side
> really needs to communicate to ident module to abort a request.
> The ident module can detect aborted requests with cbdataValid.
> This can be done both after the ident connection is established
> and again after the ident reply is read. That would make ident
> lookups and callbacks more consistent with other things.
This is to force ident_lookup ident lookups to be closed when the client
connection is closed / aborted. If this isn't done then any user
(allowed or not) can easily create a serious DOS situation when
ident_lookup is on by sending unauthorized/bogous requests while
blocking their ident port.
In the ACL processing you can protect ident lookups with IP masks so it
really isn't that much of a issue there, but it can be in certain
setups.
> Do you have a potential condition where we will start two
> ident lookups? One in ACL code and one in client_side? I didn't
> notice anything to prevent that if people have ident_lookup on
> and use an ACL.
No. The waits_for_ident flag takes care of this. If ident_lookup is on
then ACL processing is delayed until the ident lookup finishes.
Yes. If ident_lookup is off, and the first two requests on the
connection is pipelined then two ident lookups may get started.
It looks like wee need some acl->client_side interface for ident
lookups.. This would solve all these issues: best effort for
ident_lookup on, no more odd code for blocking requests in client_side
waiting for a ident lookup and a clean method for blocking ACL
processing on ident lookups without accidently initiating more than one
ident lookup.
/Henrik
Received on Tue Jul 29 2003 - 13:15:55 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:12:02 MST