INN commit: trunk (3 files)

INN Commit rra at isc.org
Sat Dec 29 13:39:57 UTC 2018


    Date: Saturday, December 29, 2018 @ 05:39:56
  Author: iulius
Revision: 10319

nnrpd:  improve logging of failed connections

Properly logs the hostname of clients whose connection failed owing to
an issue during the negotiation of a TLS session or high load average.
Nothing was previously logged.

Thanks to Paolo Amoroso for the bug report.

Modified:
  trunk/doc/pod/news.pod
  trunk/nnrpd/nnrpd.c
  trunk/scripts/innreport_inn.pm

--------------------------+
 doc/pod/news.pod         |    6 ++++++
 nnrpd/nnrpd.c            |   23 ++++++++++++++---------
 scripts/innreport_inn.pm |    3 ++-
 3 files changed, 22 insertions(+), 10 deletions(-)

Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod	2018-12-17 15:08:37 UTC (rev 10318)
+++ doc/pod/news.pod	2018-12-29 13:39:56 UTC (rev 10319)
@@ -45,6 +45,12 @@
 the reason in response to CHECK and TAKETHIS commands.  Previously,
 the reason was given only for the IHAVE command.
 
+=item *
+
+B<nnrpd> now properly logs the hostname of clients whose connection
+failed owing to an issue during the negotiation of a TLS session or
+high load average.
+
 =back
 
 =head1 Changes in 2.6.2

Modified: nnrpd/nnrpd.c
===================================================================
--- nnrpd/nnrpd.c	2018-12-17 15:08:37 UTC (rev 10318)
+++ nnrpd/nnrpd.c	2018-12-29 13:39:56 UTC (rev 10319)
@@ -580,10 +580,10 @@
 
 
 /*
-**  Determine access rights of the client.
+**  Determine hostname and IP of the client, amongst other information.
 */
 static void
-StartConnection(unsigned short port)
+GetClientInfo(unsigned short port)
 {
     static const char *default_host_error = "unknown error";
     struct sockaddr_storage ssc, sss;
@@ -668,10 +668,6 @@
 #endif
 
     notice("%s (%s) connect - port %u", Client.host, Client.ip, port);
-
-    PERMgetinitialaccess(NNRPACCESS);
-    PERMgetaccess(true);
-    PERMgetpermissions();
 }
 
 
@@ -1328,7 +1324,10 @@
     if (initialSSL) {
         tls_init();
         if (tls_start_servertls(0, 1) == -1) {
-            Reply("%d Encrypted TLS connection failed\r\n", NNTP_FAIL_TERMINATING);
+            GetClientInfo(ListenPort);
+            notice("%s failure to negotiate TLS session", Client.host);
+            Reply("%d Encrypted TLS connection failed\r\n",
+                  NNTP_FAIL_TERMINATING);
             ExitWithStats(1, false);
         }
         encryption_layer_on = true;
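Review bot: GetClientInfo() still emits the `connect` notice itself (the `notice("%s (%s) connect - port %u", ...)` line kept in the second hunk), so calling it on the TLS failure path here, and on the load-limit path in the next hunk, logs two lines per rejected client — `connect` followed by the failure line — where nothing was logged before; that is reasonable, but worth a comment at the call site so nobody later "deduplicates" it. The failure notice carries no reason: unless tls_start_servertls() logs the library error itself (not visible here), operators cannot tell a protocol/cipher mismatch from a client that dropped mid-handshake, so consider appending it, e.g. `notice("%s failure to negotiate TLS session: %s", Client.host, /* TLS error string from the TLS layer, if one is exposed */);`. Client.host is attacker-influenced data (reverse lookup, or the IP when that fails, per the innreport rules), and it is correctly passed as a `%s` argument rather than as the format string — keep that in any follow-up. The enclosing function starts and ends outside the hunk.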
@@ -1351,7 +1350,9 @@
             warn("cannot obtain system load");
         else {
             if ((unsigned long)(load[0] + 0.5) > innconf->nnrpdloadlimit) {
-                syslog(L_NOTICE, "load %.2f > %lu", load[0], innconf->nnrpdloadlimit);
+                GetClientInfo(ListenPort);
+                notice("%s load %.2f > %lu", Client.host,
+                       load[0], innconf->nnrpdloadlimit);
                 Reply("%d load at %.2f, try later\r\n", NNTP_FAIL_TERMINATING,
                       load[0]);
                 ExitWithStats(1, true);
@@ -1363,7 +1364,11 @@
     xsignal(SIGPIPE, CatchPipe);
 
     /* Get permissions and see if we can talk to this client. */
-    StartConnection(ListenPort);
+    GetClientInfo(ListenPort);
+    PERMgetinitialaccess(NNRPACCESS);
+    PERMgetaccess(true);
+    PERMgetpermissions();
+
     if (!PERMcanread && !PERMcanpost && !PERMneedauth) {
 	syslog(L_NOTICE, "%s no_permission", Client.host);
 	Reply("%d You have no permission to talk.  Goodbye!\r\n",
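Review bot: The comment `/* Get permissions and see if we can talk to this client. */` now sits above GetClientInfo(), which only identifies the client; the permission lookup is the three PERM* calls that follow, moved here from the old StartConnection(). Reword it to cover both steps, e.g. `/* Identify the client, then get its permissions and see if we can talk to it. */`, so the comment matches the split made in this commit. The enclosing function starts and ends outside the hunk.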

Modified: scripts/innreport_inn.pm
===================================================================
--- scripts/innreport_inn.pm	2018-12-17 15:08:37 UTC (rev 10318)
+++ scripts/innreport_inn.pm	2018-12-29 13:39:56 UTC (rev 10319)
@@ -1705,12 +1705,13 @@
     }
     # can't getpeername
     if ($left =~ /\? can\'t getpeername/o) {
-      # $nnrpd_getpeername++;
       $nnrpd_gethostbyaddr{"? (can't getpeername)"}++;
       return 1;
     }
     # can't getsockname
     return 1 if $left =~ /^\S+ can\'t getsockname$/o;
+    # can't initialize TLS session
+    return 1 if $left =~ /^\S+ failure to negotiate TLS session$/o;
     # reverse lookup failed
     return 1 if $left =~ /^\? reverse lookup for \S+ failed: .* -- using IP address for access$/o;
     # profile timer
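Review bot: The new comment `# can't initialize TLS session` does not match the text the regex below it matches, `failure to negotiate TLS session`; use the same wording, `# failure to negotiate TLS session`, so a grep for the syslog message finds the parser rule. The load-limit message in nnrpd.c also changed shape in this commit — it is now `<host> load <n> > <limit>` emitted via notice() instead of a bare `load <n> > <limit>` via syslog() — so if innreport has a rule for the old form (not visible in this hunk) it needs the `^\S+ ` prefix as well, or those lines will start showing up as unrecognized. Client.host presumably contains no whitespace, so `\S+` is the right anchor, and the trailing `$` keeps the rule from matching a longer line should the message ever gain a reason suffix.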


