[avahi] [PATCH] [RFC] Untested interface limitation patch

Stefan de Konink avahi at ml.kinkrsoftware.nl
Mon May 12 09:04:23 PDT 2008


Hi,

Lennart Poettering wrote:
> On Mon, 12.05.08 01:45, Stefan de Konink (avahi at ml.kinkrsoftware.nl) wrote:
> 
>>  > > I'd prefer if we'd also get an interface blacklist at the same time
>>  > > as a whitelist, but that wouldn't hinder me to merge your
>>  > > patch. (i.e. "deny-interfaces" would be cool in addition to
>>  > > "allow-interface").
>>
>> I'll do this too then. Since it is the same function. What would be the
>> resolve scenario? First deny then allow?
> 
> For security reasons deny should have the last word.

First deny is parsed. If any interface still passes that list, it comes
in the allow list, if it is allowed it will be added. If allow is unset,
it will be added too.

> I'd also suggest adding a warning to syslog when allow-interfaces is
> set to a non-empty list and deny-interfaces is set too (and vice
> versa). Should be pretty simple, and might help people identify
> configuration problems. After all it doesn't make sense to have both a
> white and a black list at the same time -- for a binary question.

Done.

>>  >> > > -INT avahi_interface_is_relevant(AvahiInterface *i) {
>>  >> > > +static int avahi_interface_is_relevant_iter(AvahiInterface *i) {
>>  > >
>>  > > Hmm, why did you call this "_iter"? I see no iterator involved here */
>>
>> Basically because of the function under it. Any good hints? _static,
>> _private, _child?
> 
> _internal

Check.

>>  >> > >      AvahiInterfaceAddress *a;
>>  >> > >
>>  >> > > -    assert(i);
>>  >> > > +    assert(i); // Not really required
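
Review bot: the trailing comment on the added `assert(i); // Not really required` line argues against the check it sits on. Either drop the comment, or replace it with a `/* */` comment that states the invariant (the non-static caller has already asserted `i`), so a later reader does not delete the assert from this static helper.
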
>>  > >
>>  > > Hehe, *no* assert is really required.
>>
>> It is already done by its parent. (The function under it that was
>> actually the added code, and nobody should call this static one
>> anyway)
> 
> /me loves his paranoia.

/me admires Lennart, and specially for him added an extra comment C
style on another paranoia code part.


>>  > > Otherwise I am happy, no further nitpicking  ;-)
>>
>> Since nobody tested the patch on working I hope you will volunteer
>> ;)
> 
> I kind of assumed that the one who submitted the patch made sure it
> actually does what is advertised. ;-)

Tested! See attachment. Sadly I do not yet see the warning if 
'allow-interfaces' is empty. Is it possible that the key is ignored?



Sign-off-by: Stefan de Konink <dekonink at kinkrsoftware.nl>


Stefan

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: avahi-allow-deny-interfaces.patch
Url: http://lists.freedesktop.org/archives/avahi/attachments/20080512/14fc799c/attachment-0002.txt 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: avahi-output
Url: http://lists.freedesktop.org/archives/avahi/attachments/20080512/14fc799c/attachment-0003.txt 
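
The resolution order discussed in this message (deny checked first and final, then allow, with an unset allow list admitting everything else) can be sketched as follows. This is an added example, not code from the attached patch or from Avahi: all function and variable names are hypothetical, the interface lists are constructed, and treating an empty allow list the same as an unset one is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample configuration: eth1 appears in both lists on purpose. */
static const char *const sample_allow[] = { "eth0", "eth1", NULL };
static const char *const sample_deny[]  = { "eth1", "wlan0", NULL };

/* Hypothetical helper: is `name` in a NULL-terminated list of names? */
static int list_contains(const char *const *list, const char *name) {
    if (!list)
        return 0;
    for (; *list; list++)
        if (strcmp(*list, name) == 0)
            return 1;
    return 0;
}

/* A list counts as "set" only if it has at least one entry (assumption). */
static int list_is_set(const char *const *list) {
    return list && list[0];
}

/* Returns 1 if the interface may be used, 0 otherwise. Deny is evaluated
 * first and always wins; an unset allow list admits whatever was not denied. */
int interface_is_permitted(const char *name,
                           const char *const *allow,
                           const char *const *deny) {
    if (list_contains(deny, name))
        return 0;
    if (!list_is_set(allow))
        return 1;
    return list_contains(allow, name);
}

/* Returns 1 when both lists are non-empty, the case the thread wants
 * reported to syslog as a likely configuration mistake. */
int lists_conflict(const char *const *allow, const char *const *deny) {
    return list_is_set(allow) && list_is_set(deny);
}

int main(void) {
    const char *const names[] = { "eth0", "eth1", "wlan0", "lo", NULL };

    if (lists_conflict(sample_allow, sample_deny))
        fprintf(stderr, "warning: allow-interfaces and deny-interfaces are both set\n");
    for (size_t k = 0; names[k]; k++)
        printf("%-6s %s\n", names[k],
               interface_is_permitted(names[k], sample_allow, sample_deny) ? "used" : "ignored");
    return 0;
}
```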

