Intentionally or not, but the libwrap was written in such manner that
if your /etc/hosts.allow doesn't have any domain names, neither smart
keywords like LOCAL or KNOWN, then it will not try to resolve the
client address during the hosts check. This was achieved with the
NOT_INADDR() check that matched IPv4 addresses/prefixes. Extend this
to also skip resolve if client list token looks like IPv6.
Reviewed by: philip, emaste
PR: 269456
Differential revision: https://reviews.freebsd.org/D40070
Although this code is in contrib/ there is no active upstream.
Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36047
yp_get_default_domain is defined in workaround.c but is not declared
in any header file. Tie the declaration to the same #define conditional
used when the function is called, NETGROUP
Now when tcp_wrapper is enabled by inetd -wW,
several accesses which should be permitted are refused only for IPv6,
if hostname is used to decide the host to be allowed.
IPv6 users will be just upset.
About security related concern.
-All extensions are wrapped by #ifdef INET6, so people can completely
disable the extension by recompile libwrap without INET6 option.
-Access via IPv6 is not enabled by default.
People need to enable IPv6 access by changing /etc/inetd.conf at first,
by adding tcp6 and/or tcp46 entries.
-The base of patches are from KAME package and are actually daily used
for more than a year in several Japanese IPv6 environments.
-Patches are reviewed by markm.
Approved by: jkh
Submitted by: Hajimu UMEMOTO <ume@mahoroba.org>
Reviewed by: markm
Obtained from: KAME project
