INN commit: trunk (3 files)
INN Commit
rra at isc.org
Sat Dec 29 13:39:57 UTC 2018
Date: Saturday, December 29, 2018 @ 05:39:56
Author: iulius
Revision: 10319
nnrpd: improve logging of failed connections
Properly logs the hostname of clients whose connection failed owing to
an issue during the negotiation of a TLS session or high load average.
Nothing was previously logged.
Thanks to Paolo Amoroso for the bug report.
Modified:
trunk/doc/pod/news.pod
trunk/nnrpd/nnrpd.c
trunk/scripts/innreport_inn.pm
--------------------------+
doc/pod/news.pod | 6 ++++++
nnrpd/nnrpd.c | 23 ++++++++++++++---------
scripts/innreport_inn.pm | 3 ++-
3 files changed, 22 insertions(+), 10 deletions(-)
Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod 2018-12-17 15:08:37 UTC (rev 10318)
+++ doc/pod/news.pod 2018-12-29 13:39:56 UTC (rev 10319)
@@ -45,6 +45,12 @@
the reason in response to CHECK and TAKETHIS commands. Previously,
the reason was given only for the IHAVE command.
+=item *
+
+B<nnrpd> now properly logs the hostname of clients whose connection
+failed owing to an issue during the negotiation of a TLS session or
+high load average.
+
=back
=head1 Changes in 2.6.2
Modified: nnrpd/nnrpd.c
===================================================================
--- nnrpd/nnrpd.c 2018-12-17 15:08:37 UTC (rev 10318)
+++ nnrpd/nnrpd.c 2018-12-29 13:39:56 UTC (rev 10319)
@@ -580,10 +580,10 @@
/*
-** Determine access rights of the client.
+** Determine hostname and IP of the client, amongst other information.
*/
static void
-StartConnection(unsigned short port)
+GetClientInfo(unsigned short port)
{
static const char *default_host_error = "unknown error";
struct sockaddr_storage ssc, sss;
@@ -668,10 +668,6 @@
#endif
notice("%s (%s) connect - port %u", Client.host, Client.ip, port);
-
- PERMgetinitialaccess(NNRPACCESS);
- PERMgetaccess(true);
- PERMgetpermissions();
}
@@ -1328,7 +1324,10 @@
if (initialSSL) {
tls_init();
if (tls_start_servertls(0, 1) == -1) {
- Reply("%d Encrypted TLS connection failed\r\n", NNTP_FAIL_TERMINATING);
+ GetClientInfo(ListenPort);
+ notice("%s failure to negotiate TLS session", Client.host);
+ Reply("%d Encrypted TLS connection failed\r\n",
+ NNTP_FAIL_TERMINATING);
ExitWithStats(1, false);
}
encryption_layer_on = true;
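Review bot: The new TLS failure notice records only `Client.host`, whereas the connect notice in GetClientInfo records both host and address (`"%s (%s) connect - port %u"`). The host field appears to come from a reverse lookup (innreport matches a "reverse lookup for ... failed" message), so an alert or block rule on repeated handshake failures has to join two log lines to get an address it can act on. Consider `notice("%s (%s) failure to negotiate TLS session", Client.host, Client.ip);`, with the innreport pattern added in this commit widened to accept the extra field. The enclosing function starts and ends outside this hunk.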
@@ -1351,7 +1350,9 @@
warn("cannot obtain system load");
else {
if ((unsigned long)(load[0] + 0.5) > innconf->nnrpdloadlimit) {
- syslog(L_NOTICE, "load %.2f > %lu", load[0], innconf->nnrpdloadlimit);
+ GetClientInfo(ListenPort);
+ notice("%s load %.2f > %lu", Client.host,
+ load[0], innconf->nnrpdloadlimit);
Reply("%d load at %.2f, try later\r\n", NNTP_FAIL_TERMINATING,
load[0]);
ExitWithStats(1, true);
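Review bot: `GetClientInfo(ListenPort)` now runs before the load rejection, so every connection refused for high load pays for client identification before it is turned away. Its header comment says it determines the client's hostname, which presumably means a name lookup that can block; the body is outside this hunk, so please confirm the lookup is bounded. This work happens before any access check, while the server is already over `nnrpdloadlimit`. A comment above the call would record the trade-off, for example `/* Identify the client only so that the rejection can be attributed in the logs; this may perform a name lookup while the load is high. */`.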
@@ -1363,7 +1364,11 @@
xsignal(SIGPIPE, CatchPipe);
/* Get permissions and see if we can talk to this client. */
- StartConnection(ListenPort);
+ GetClientInfo(ListenPort);
+ PERMgetinitialaccess(NNRPACCESS);
+ PERMgetaccess(true);
+ PERMgetpermissions();
+
if (!PERMcanread && !PERMcanpost && !PERMneedauth) {
syslog(L_NOTICE, "%s no_permission", Client.host);
Reply("%d You have no permission to talk. Goodbye!\r\n",
Modified: scripts/innreport_inn.pm
===================================================================
--- scripts/innreport_inn.pm 2018-12-17 15:08:37 UTC (rev 10318)
+++ scripts/innreport_inn.pm 2018-12-29 13:39:56 UTC (rev 10319)
@@ -1705,12 +1705,13 @@
}
# can't getpeername
if ($left =~ /\? can\'t getpeername/o) {
- # $nnrpd_getpeername++;
$nnrpd_gethostbyaddr{"? (can't getpeername)"}++;
return 1;
}
# can't getsockname
return 1 if $left =~ /^\S+ can\'t getsockname$/o;
+ # can't initialize TLS session
+ return 1 if $left =~ /^\S+ failure to negotiate TLS session$/o;
# reverse lookup failed
return 1 if $left =~ /^\? reverse lookup for \S+ failed: .* -- using IP address for access$/o;
# profile timer
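Review bot: Only the TLS failure message gets a new rule here, but the same commit also changes the load message in nnrpd.c from `load %.2f > %lu` to `%s load %.2f > %lu`. If the existing rule for the load line (not visible in this hunk) is anchored on the old format, the host-prefixed line will land in innreport's unrecognised entries; a rule such as `return 1 if $left =~ /^\S+ load [\d.]+ > \d+$/o;` would cover it. The added comment `# can't initialize TLS session` also does not match the message it filters; `# failure to negotiate TLS session` would be easier to grep for. The enclosing sub continues outside the hunk.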