xref: /netbsd-src/usr.sbin/tcpdchk/tcpdchk.c (revision 421949a31fb0942d3d87278998c2d7d432d8b3cb) 
1*421949a3Ssevan /*	$NetBSD: tcpdchk.c,v 1.13 2018/01/23 21:06:26 sevan Exp $	*/
2f8dba09cSchristos 
384b4e9c0Scjs  /*
484b4e9c0Scjs   * tcpdchk - examine all tcpd access control rules and inetd.conf entries
584b4e9c0Scjs   *
684b4e9c0Scjs   * Usage: tcpdchk [-a] [-d] [-i inet_conf] [-v]
784b4e9c0Scjs   *
884b4e9c0Scjs   * -a: complain about implicit "allow" at end of rule.
984b4e9c0Scjs   *
1084b4e9c0Scjs   * -d: rules in current directory.
1184b4e9c0Scjs   *
1284b4e9c0Scjs   * -i: location of inetd.conf file.
1384b4e9c0Scjs   *
1484b4e9c0Scjs   * -v: show all rules.
1584b4e9c0Scjs   *
1684b4e9c0Scjs   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
1784b4e9c0Scjs   */
1884b4e9c0Scjs 
19f8dba09cSchristos #include <sys/cdefs.h>
2084b4e9c0Scjs #ifndef lint
21f8dba09cSchristos #if 0
225874d1fcSitojun static char sccsid[] = "@(#) tcpdchk.c 1.8 97/02/12 02:13:25";
23f8dba09cSchristos #else
24*421949a3Ssevan __RCSID("$NetBSD: tcpdchk.c,v 1.13 2018/01/23 21:06:26 sevan Exp $");
25f8dba09cSchristos #endif
2684b4e9c0Scjs #endif
2784b4e9c0Scjs 
2884b4e9c0Scjs /* System libraries. */
2984b4e9c0Scjs 
3084b4e9c0Scjs #include <sys/types.h>
3184b4e9c0Scjs #include <sys/stat.h>
3284b4e9c0Scjs #include <netinet/in.h>
3384b4e9c0Scjs #include <arpa/inet.h>
3484b4e9c0Scjs #include <stdio.h>
3584b4e9c0Scjs #include <syslog.h>
3684b4e9c0Scjs #include <setjmp.h>
3784b4e9c0Scjs #include <errno.h>
3884b4e9c0Scjs #include <netdb.h>
3984b4e9c0Scjs #include <string.h>
40f8dba09cSchristos #include <stdlib.h>
41f8dba09cSchristos #include <unistd.h>
4284b4e9c0Scjs 
4384b4e9c0Scjs #ifndef INADDR_NONE
4484b4e9c0Scjs #define INADDR_NONE     (-1)		/* XXX should be 0xffffffff */
4584b4e9c0Scjs #endif
4684b4e9c0Scjs 
4784b4e9c0Scjs #ifndef S_ISDIR
4884b4e9c0Scjs #define S_ISDIR(m)	(((m) & S_IFMT) == S_IFDIR)
4984b4e9c0Scjs #endif
5084b4e9c0Scjs 
5184b4e9c0Scjs /* Application-specific. */
5284b4e9c0Scjs 
5384b4e9c0Scjs #include "tcpd.h"
5484b4e9c0Scjs #include "inetcf.h"
5584b4e9c0Scjs #include "scaffold.h"
5684b4e9c0Scjs 
57ee880a75Schristos #ifdef NO_NETGRENT
58ee880a75Schristos 	/* SCO has no *netgrent() support */
59ee880a75Schristos #else
60ee880a75Schristos # ifdef NETGROUP
61ee880a75Schristos #  include <netgroup.h>
62ee880a75Schristos # endif
63ee880a75Schristos #endif
64ee880a75Schristos 
6584b4e9c0Scjs  /*
6684b4e9c0Scjs   * Stolen from hosts_access.c...
6784b4e9c0Scjs   */
68d6a05e11Smatt static const char sep[] = ", \t\n";
6984b4e9c0Scjs 
7084b4e9c0Scjs #define	BUFLEN 2048
7184b4e9c0Scjs 
7284b4e9c0Scjs int     resident = 0;
7384b4e9c0Scjs int     hosts_access_verbose = 0;
74d6a05e11Smatt const char *hosts_allow_table = HOSTS_ALLOW;
75d6a05e11Smatt const char *hosts_deny_table = HOSTS_DENY;
7684b4e9c0Scjs extern jmp_buf tcpd_buf;
7784b4e9c0Scjs 
7884b4e9c0Scjs  /*
7984b4e9c0Scjs   * Local stuff.
8084b4e9c0Scjs   */
81d6a05e11Smatt static void usage(void);
82d6a05e11Smatt static void parse_table(const char *, struct request_info *);
83d6a05e11Smatt static void print_list(char *, char *);
84d6a05e11Smatt static void check_daemon_list(char *);
85d6a05e11Smatt static void check_client_list(char *);
86d6a05e11Smatt static void check_daemon(char *);
87d6a05e11Smatt static void check_user(char *);
882f7d82e6Sitojun #ifdef INET6
89d6a05e11Smatt static int check_inet_addr(char *);
902f7d82e6Sitojun #endif
91d6a05e11Smatt static int check_host(char *);
92d6a05e11Smatt static int reserved_name(char *);
93f8dba09cSchristos 
9484b4e9c0Scjs #define PERMIT	1
9584b4e9c0Scjs #define DENY	0
9684b4e9c0Scjs 
9784b4e9c0Scjs #define YES	1
9884b4e9c0Scjs #define	NO	0
9984b4e9c0Scjs 
10084b4e9c0Scjs static int defl_verdict;
10184b4e9c0Scjs static char *myname;
10284b4e9c0Scjs static int allow_check;
10384b4e9c0Scjs static char *inetcf;
10484b4e9c0Scjs 
105d6a05e11Smatt int
main(int argc,char ** argv)106d6a05e11Smatt main(int argc, char **argv)
10784b4e9c0Scjs {
10884b4e9c0Scjs     struct request_info request;
10984b4e9c0Scjs     struct stat st;
11084b4e9c0Scjs     int     c;
11184b4e9c0Scjs 
11284b4e9c0Scjs     myname = argv[0];
11384b4e9c0Scjs 
11484b4e9c0Scjs     /*
11584b4e9c0Scjs      * Parse the JCL.
11684b4e9c0Scjs      */
11747852f1fSlukem     while ((c = getopt(argc, argv, "adi:v")) != -1) {
11884b4e9c0Scjs 	switch (c) {
11984b4e9c0Scjs 	case 'a':
12084b4e9c0Scjs 	    allow_check = 1;
12184b4e9c0Scjs 	    break;
12284b4e9c0Scjs 	case 'd':
12384b4e9c0Scjs 	    hosts_allow_table = "hosts.allow";
12484b4e9c0Scjs 	    hosts_deny_table = "hosts.deny";
12584b4e9c0Scjs 	    break;
12684b4e9c0Scjs 	case 'i':
12784b4e9c0Scjs 	    inetcf = optarg;
12884b4e9c0Scjs 	    break;
12984b4e9c0Scjs 	case 'v':
13084b4e9c0Scjs 	    hosts_access_verbose++;
13184b4e9c0Scjs 	    break;
13284b4e9c0Scjs 	default:
13384b4e9c0Scjs 	    usage();
13484b4e9c0Scjs 	    /* NOTREACHED */
13584b4e9c0Scjs 	}
13684b4e9c0Scjs     }
13784b4e9c0Scjs     if (argc != optind)
13884b4e9c0Scjs 	usage();
13984b4e9c0Scjs 
14084b4e9c0Scjs     /*
14184b4e9c0Scjs      * When confusion really strikes...
14284b4e9c0Scjs      */
14384b4e9c0Scjs     if (check_path(REAL_DAEMON_DIR, &st) < 0) {
14484b4e9c0Scjs 	tcpd_warn("REAL_DAEMON_DIR %s: %m", REAL_DAEMON_DIR);
14584b4e9c0Scjs     } else if (!S_ISDIR(st.st_mode)) {
14684b4e9c0Scjs 	tcpd_warn("REAL_DAEMON_DIR %s is not a directory", REAL_DAEMON_DIR);
14784b4e9c0Scjs     }
14884b4e9c0Scjs 
14984b4e9c0Scjs     /*
15084b4e9c0Scjs      * Process the inet configuration file (or its moral equivalent). This
15184b4e9c0Scjs      * information is used later to find references in hosts.allow/deny to
15284b4e9c0Scjs      * unwrapped services, and other possible problems.
15384b4e9c0Scjs      */
15484b4e9c0Scjs     inetcf = inet_cfg(inetcf);
15584b4e9c0Scjs     if (hosts_access_verbose)
15684b4e9c0Scjs 	printf("Using network configuration file: %s\n", inetcf);
15784b4e9c0Scjs 
15884b4e9c0Scjs     /*
15984b4e9c0Scjs      * These are not run from inetd but may have built-in access control.
16084b4e9c0Scjs      */
16184b4e9c0Scjs     inet_set("portmap", WR_NOT);
16284b4e9c0Scjs     inet_set("rpcbind", WR_NOT);
16384b4e9c0Scjs 
16484b4e9c0Scjs     /*
16584b4e9c0Scjs      * Check accessibility of access control files.
16684b4e9c0Scjs      */
16784b4e9c0Scjs     (void) check_path(hosts_allow_table, &st);
16884b4e9c0Scjs     (void) check_path(hosts_deny_table, &st);
16984b4e9c0Scjs 
17084b4e9c0Scjs     /*
17184b4e9c0Scjs      * Fake up an arbitrary service request.
17284b4e9c0Scjs      */
17384b4e9c0Scjs     request_init(&request,
17484b4e9c0Scjs 		 RQ_DAEMON, "daemon_name",
17584b4e9c0Scjs 		 RQ_SERVER_NAME, "server_hostname",
17684b4e9c0Scjs 		 RQ_SERVER_ADDR, "server_addr",
17784b4e9c0Scjs 		 RQ_USER, "user_name",
17884b4e9c0Scjs 		 RQ_CLIENT_NAME, "client_hostname",
17984b4e9c0Scjs 		 RQ_CLIENT_ADDR, "client_addr",
18084b4e9c0Scjs 		 RQ_FILE, 1,
18184b4e9c0Scjs 		 0);
18284b4e9c0Scjs 
18384b4e9c0Scjs     /*
18484b4e9c0Scjs      * Examine all access-control rules.
18584b4e9c0Scjs      */
18684b4e9c0Scjs     defl_verdict = PERMIT;
18784b4e9c0Scjs     parse_table(hosts_allow_table, &request);
18884b4e9c0Scjs     defl_verdict = DENY;
18984b4e9c0Scjs     parse_table(hosts_deny_table, &request);
19084b4e9c0Scjs     return (0);
19184b4e9c0Scjs }
19284b4e9c0Scjs 
19384b4e9c0Scjs /* usage - explain */
19484b4e9c0Scjs 
195d6a05e11Smatt static void
usage(void)196d6a05e11Smatt usage(void)
19784b4e9c0Scjs {
19884b4e9c0Scjs     fprintf(stderr, "usage: %s [-a] [-d] [-i inet_conf] [-v]\n", myname);
19984b4e9c0Scjs     fprintf(stderr, "	-a: report rules with implicit \"ALLOW\" at end\n");
20084b4e9c0Scjs     fprintf(stderr, "	-d: use allow/deny files in current directory\n");
20184b4e9c0Scjs     fprintf(stderr, "	-i: location of inetd.conf file\n");
20284b4e9c0Scjs     fprintf(stderr, "	-v: list all rules\n");
20384b4e9c0Scjs     exit(1);
20484b4e9c0Scjs }
20584b4e9c0Scjs 
20684b4e9c0Scjs /* parse_table - like table_match(), but examines _all_ entries */
20784b4e9c0Scjs 
208d6a05e11Smatt static void
parse_table(const char * table,struct request_info * request)209d6a05e11Smatt parse_table(const char *table, struct request_info *request)
21084b4e9c0Scjs {
21184b4e9c0Scjs     FILE   *fp;
212d6a05e11Smatt     volatile int     real_verdict;
21384b4e9c0Scjs     char    sv_list[BUFLEN];		/* becomes list of daemons */
21484b4e9c0Scjs     char   *cl_list;			/* becomes list of requests */
21584b4e9c0Scjs     char   *sh_cmd;			/* becomes optional shell command */
21684b4e9c0Scjs     int     verdict;
217d6a05e11Smatt     volatile struct tcpd_context saved_context;
21884b4e9c0Scjs 
21984b4e9c0Scjs     saved_context = tcpd_context;		/* stupid compilers */
22084b4e9c0Scjs 
221f8dba09cSchristos     if ((fp = fopen(table, "r")) != NULL) {
22284b4e9c0Scjs 	tcpd_context.file = table;
22384b4e9c0Scjs 	tcpd_context.line = 0;
22484b4e9c0Scjs 	while (xgets(sv_list, sizeof(sv_list), fp)) {
22584b4e9c0Scjs 	    if (sv_list[strlen(sv_list) - 1] != '\n') {
22684b4e9c0Scjs 		tcpd_warn("missing newline or line too long");
22784b4e9c0Scjs 		continue;
22884b4e9c0Scjs 	    }
22984b4e9c0Scjs 	    if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
23084b4e9c0Scjs 		continue;
23184b4e9c0Scjs 	    if ((cl_list = split_at(sv_list, ':')) == 0) {
23284b4e9c0Scjs 		tcpd_warn("missing \":\" separator");
23384b4e9c0Scjs 		continue;
23484b4e9c0Scjs 	    }
23584b4e9c0Scjs 	    sh_cmd = split_at(cl_list, ':');
23684b4e9c0Scjs 
23784b4e9c0Scjs 	    if (hosts_access_verbose)
23884b4e9c0Scjs 		printf("\n>>> Rule %s line %d:\n",
23984b4e9c0Scjs 		       tcpd_context.file, tcpd_context.line);
24084b4e9c0Scjs 
24184b4e9c0Scjs 	    if (hosts_access_verbose)
24284b4e9c0Scjs 		print_list("daemons:  ", sv_list);
24384b4e9c0Scjs 	    check_daemon_list(sv_list);
24484b4e9c0Scjs 
24584b4e9c0Scjs 	    if (hosts_access_verbose)
24684b4e9c0Scjs 		print_list("clients:  ", cl_list);
24784b4e9c0Scjs 	    check_client_list(cl_list);
24884b4e9c0Scjs 
24984b4e9c0Scjs #ifdef PROCESS_OPTIONS
25084b4e9c0Scjs 	    real_verdict = defl_verdict;
25184b4e9c0Scjs 	    if (sh_cmd) {
2525874d1fcSitojun 		verdict = setjmp(tcpd_buf);
2535874d1fcSitojun 		if (verdict != 0) {
25484b4e9c0Scjs 		    real_verdict = (verdict == AC_PERMIT);
25584b4e9c0Scjs 		} else {
25684b4e9c0Scjs 		    dry_run = 1;
25784b4e9c0Scjs 		    process_options(sh_cmd, request);
25884b4e9c0Scjs 		    if (dry_run == 1 && real_verdict && allow_check)
25984b4e9c0Scjs 			tcpd_warn("implicit \"allow\" at end of rule");
26084b4e9c0Scjs 		}
26184b4e9c0Scjs 	    } else if (defl_verdict && allow_check) {
26284b4e9c0Scjs 		tcpd_warn("implicit \"allow\" at end of rule");
26384b4e9c0Scjs 	    }
26484b4e9c0Scjs 	    if (hosts_access_verbose)
26584b4e9c0Scjs 		printf("access:   %s\n", real_verdict ? "granted" : "denied");
26684b4e9c0Scjs #else
26784b4e9c0Scjs 	    if (sh_cmd)
26884b4e9c0Scjs 		shell_cmd(percent_x(buf, sizeof(buf), sh_cmd, request));
26984b4e9c0Scjs 	    if (hosts_access_verbose)
27084b4e9c0Scjs 		printf("access:   %s\n", defl_verdict ? "granted" : "denied");
27184b4e9c0Scjs #endif
27284b4e9c0Scjs 	}
27384b4e9c0Scjs 	(void) fclose(fp);
27484b4e9c0Scjs     } else if (errno != ENOENT) {
27584b4e9c0Scjs 	tcpd_warn("cannot open %s: %m", table);
27684b4e9c0Scjs     }
27784b4e9c0Scjs     tcpd_context = saved_context;
27884b4e9c0Scjs }
27984b4e9c0Scjs 
28084b4e9c0Scjs /* print_list - pretty-print a list */
28184b4e9c0Scjs 
print_list(char * title,char * list)282*421949a3Ssevan static void print_list(char *title, char *list)
28384b4e9c0Scjs {
28484b4e9c0Scjs     char    buf[BUFLEN];
28584b4e9c0Scjs     char   *cp;
28684b4e9c0Scjs     char   *next;
28784b4e9c0Scjs 
28884b4e9c0Scjs     fputs(title, stdout);
289c2e037e2Sitojun     strlcpy(buf, list, sizeof(buf));
29084b4e9c0Scjs 
29184b4e9c0Scjs     for (cp = strtok(buf, sep); cp != 0; cp = next) {
29284b4e9c0Scjs 	fputs(cp, stdout);
29384b4e9c0Scjs 	next = strtok((char *) 0, sep);
29484b4e9c0Scjs 	if (next != 0)
29584b4e9c0Scjs 	    fputs(" ", stdout);
29684b4e9c0Scjs     }
29784b4e9c0Scjs     fputs("\n", stdout);
29884b4e9c0Scjs }
29984b4e9c0Scjs 
30084b4e9c0Scjs /* check_daemon_list - criticize daemon list */
30184b4e9c0Scjs 
check_daemon_list(char * list)302*421949a3Ssevan static void check_daemon_list(char *list)
30384b4e9c0Scjs {
30484b4e9c0Scjs     char    buf[BUFLEN];
30584b4e9c0Scjs     char   *cp;
30684b4e9c0Scjs     char   *host;
30784b4e9c0Scjs     int     daemons = 0;
30884b4e9c0Scjs 
309c2e037e2Sitojun     strlcpy(buf, list, sizeof(buf));
31084b4e9c0Scjs 
31184b4e9c0Scjs     for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
31284b4e9c0Scjs 	if (STR_EQ(cp, "EXCEPT")) {
31384b4e9c0Scjs 	    daemons = 0;
31484b4e9c0Scjs 	} else {
31584b4e9c0Scjs 	    daemons++;
31684b4e9c0Scjs 	    if ((host = split_at(cp + 1, '@')) != 0 && check_host(host) > 1) {
31784b4e9c0Scjs 		tcpd_warn("host %s has more than one address", host);
31884b4e9c0Scjs 		tcpd_warn("(consider using an address instead)");
31984b4e9c0Scjs 	    }
32084b4e9c0Scjs 	    check_daemon(cp);
32184b4e9c0Scjs 	}
32284b4e9c0Scjs     }
32384b4e9c0Scjs     if (daemons == 0)
32484b4e9c0Scjs 	tcpd_warn("daemon list is empty or ends in EXCEPT");
32584b4e9c0Scjs }
32684b4e9c0Scjs 
32784b4e9c0Scjs /* check_client_list - criticize client list */
32884b4e9c0Scjs 
check_client_list(char * list)329*421949a3Ssevan static void check_client_list(char *list)
33084b4e9c0Scjs {
33184b4e9c0Scjs     char    buf[BUFLEN];
33284b4e9c0Scjs     char   *cp;
33384b4e9c0Scjs     char   *host;
33484b4e9c0Scjs     int     clients = 0;
3351e8c736aSitojun #ifdef INET6
3361e8c736aSitojun     int l;
3371e8c736aSitojun #endif
33884b4e9c0Scjs 
339c2e037e2Sitojun     strlcpy(buf, list, sizeof(buf));
34084b4e9c0Scjs 
34184b4e9c0Scjs     for (cp = strtok(buf, sep); cp != 0; cp = strtok((char *) 0, sep)) {
3421e8c736aSitojun #ifdef INET6
3431e8c736aSitojun 	l = strlen(cp);
3441e8c736aSitojun 	if (cp[0] == '[' && cp[l - 1] == ']') {
3451e8c736aSitojun 	    cp[l - 1] = '\0';
3461e8c736aSitojun 	    cp++;
3471e8c736aSitojun 	}
3481e8c736aSitojun #endif
34984b4e9c0Scjs 	if (STR_EQ(cp, "EXCEPT")) {
35084b4e9c0Scjs 	    clients = 0;
35184b4e9c0Scjs 	} else {
35284b4e9c0Scjs 	    clients++;
353f8dba09cSchristos 	    if ((host = split_at(cp + 1, '@')) != NULL) {	/* user@host */
35484b4e9c0Scjs 		check_user(cp);
35584b4e9c0Scjs 		check_host(host);
35684b4e9c0Scjs 	    } else {
35784b4e9c0Scjs 		check_host(cp);
35884b4e9c0Scjs 	    }
35984b4e9c0Scjs 	}
36084b4e9c0Scjs     }
36184b4e9c0Scjs     if (clients == 0)
36284b4e9c0Scjs 	tcpd_warn("client list is empty or ends in EXCEPT");
36384b4e9c0Scjs }
36484b4e9c0Scjs 
36584b4e9c0Scjs /* check_daemon - criticize daemon pattern */
36684b4e9c0Scjs 
check_daemon(char * pat)367*421949a3Ssevan static void check_daemon(char *pat)
36884b4e9c0Scjs {
36984b4e9c0Scjs     if (pat[0] == '@') {
37084b4e9c0Scjs 	tcpd_warn("%s: daemon name begins with \"@\"", pat);
37184b4e9c0Scjs     } else if (pat[0] == '.') {
37284b4e9c0Scjs 	tcpd_warn("%s: daemon name begins with dot", pat);
37384b4e9c0Scjs     } else if (pat[strlen(pat) - 1] == '.') {
37484b4e9c0Scjs 	tcpd_warn("%s: daemon name ends in dot", pat);
37584b4e9c0Scjs     } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)) {
37684b4e9c0Scjs 	 /* void */ ;
37784b4e9c0Scjs     } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
37884b4e9c0Scjs 	tcpd_warn("FAIL is no longer recognized");
37984b4e9c0Scjs 	tcpd_warn("(use EXCEPT or DENY instead)");
38084b4e9c0Scjs     } else if (reserved_name(pat)) {
38184b4e9c0Scjs 	tcpd_warn("%s: daemon name may be reserved word", pat);
38284b4e9c0Scjs     } else {
38384b4e9c0Scjs 	switch (inet_get(pat)) {
38484b4e9c0Scjs 	case WR_UNKNOWN:
38584b4e9c0Scjs 	    tcpd_warn("%s: no such process name in %s", pat, inetcf);
38684b4e9c0Scjs 	    inet_set(pat, WR_YES);		/* shut up next time */
38784b4e9c0Scjs 	    break;
38884b4e9c0Scjs 	case WR_NOT:
38984b4e9c0Scjs 	    tcpd_warn("%s: service possibly not wrapped", pat);
39084b4e9c0Scjs 	    inet_set(pat, WR_YES);
39184b4e9c0Scjs 	    break;
39284b4e9c0Scjs 	}
39384b4e9c0Scjs     }
39484b4e9c0Scjs }
39584b4e9c0Scjs 
39684b4e9c0Scjs /* check_user - criticize user pattern */
39784b4e9c0Scjs 
check_user(char * pat)398*421949a3Ssevan static void check_user(char *pat)
39984b4e9c0Scjs {
40084b4e9c0Scjs     if (pat[0] == '@') {			/* @netgroup */
40184b4e9c0Scjs 	tcpd_warn("%s: user name begins with \"@\"", pat);
40284b4e9c0Scjs     } else if (pat[0] == '.') {
40384b4e9c0Scjs 	tcpd_warn("%s: user name begins with dot", pat);
40484b4e9c0Scjs     } else if (pat[strlen(pat) - 1] == '.') {
40584b4e9c0Scjs 	tcpd_warn("%s: user name ends in dot", pat);
40684b4e9c0Scjs     } else if (STR_EQ(pat, "ALL") || STR_EQ(pat, unknown)
40784b4e9c0Scjs 	       || STR_EQ(pat, "KNOWN")) {
40884b4e9c0Scjs 	 /* void */ ;
40984b4e9c0Scjs     } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
41084b4e9c0Scjs 	tcpd_warn("FAIL is no longer recognized");
41184b4e9c0Scjs 	tcpd_warn("(use EXCEPT or DENY instead)");
41284b4e9c0Scjs     } else if (reserved_name(pat)) {
41384b4e9c0Scjs 	tcpd_warn("%s: user name may be reserved word", pat);
41484b4e9c0Scjs     }
41584b4e9c0Scjs }
41684b4e9c0Scjs 
4172f7d82e6Sitojun #ifdef INET6
check_inet_addr(char * pat)418*421949a3Ssevan static int check_inet_addr(char *pat)
4192f7d82e6Sitojun {
4202f7d82e6Sitojun 	struct addrinfo *res;
42184b4e9c0Scjs 
4222f7d82e6Sitojun 	res = find_inet_addr(pat, AI_NUMERICHOST);
4232f7d82e6Sitojun 	if (res) {
4242f7d82e6Sitojun 		freeaddrinfo(res);
4252f7d82e6Sitojun 		return 1;
4262f7d82e6Sitojun 	} else
4272f7d82e6Sitojun 		return 0;
4282f7d82e6Sitojun }
4292f7d82e6Sitojun #endif
4302f7d82e6Sitojun 
4312f7d82e6Sitojun /* check_host - criticize host pattern */
check_host(char * pat)432*421949a3Ssevan static int check_host(char *pat)
43384b4e9c0Scjs {
43484b4e9c0Scjs     char   *mask;
43584b4e9c0Scjs     int     addr_count = 1;
43684b4e9c0Scjs 
43784b4e9c0Scjs     if (pat[0] == '@') {			/* @netgroup */
43884b4e9c0Scjs #ifdef NO_NETGRENT
43984b4e9c0Scjs 	/* SCO has no *netgrent() support */
44084b4e9c0Scjs #else
44184b4e9c0Scjs #ifdef NETGROUP
442ee880a75Schristos 	const char   *machinep;
443ee880a75Schristos 	const char   *userp;
444ee880a75Schristos 	const char   *domainp;
44584b4e9c0Scjs 
44684b4e9c0Scjs 	setnetgrent(pat + 1);
44784b4e9c0Scjs 	if (getnetgrent(&machinep, &userp, &domainp) == 0)
44884b4e9c0Scjs 	    tcpd_warn("%s: unknown or empty netgroup", pat + 1);
44984b4e9c0Scjs 	endnetgrent();
45084b4e9c0Scjs #else
45184b4e9c0Scjs 	tcpd_warn("netgroup support disabled");
45284b4e9c0Scjs #endif
45384b4e9c0Scjs #endif
454f8dba09cSchristos     } else if ((mask = split_at(pat, '/')) != NULL) {	/* network/netmask */
4551e8c736aSitojun #ifdef INET6
4562f7d82e6Sitojun 	char *ep;
4571e8c736aSitojun #endif
4581e8c736aSitojun 	if (dot_quad_addr(pat, NULL) != INADDR_NONE
4591e8c736aSitojun 	    || dot_quad_addr(mask, NULL) != INADDR_NONE)
4601e8c736aSitojun 	    ; /*okay*/
4611e8c736aSitojun #ifdef INET6
4622f7d82e6Sitojun 	else if (check_inet_addr(pat) && check_inet_addr(mask))
4631e8c736aSitojun 	    ; /*okay*/
4642f7d82e6Sitojun 	else if (check_inet_addr(pat) &&
4652f7d82e6Sitojun 	    (ep = NULL, strtoul(mask, &ep, 10), ep && !*ep))
4661e8c736aSitojun 	    ; /*okay*/
4671e8c736aSitojun #endif
4681e8c736aSitojun 	else
46984b4e9c0Scjs 	    tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
47084b4e9c0Scjs     } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
47184b4e9c0Scjs 	tcpd_warn("FAIL is no longer recognized");
47284b4e9c0Scjs 	tcpd_warn("(use EXCEPT or DENY instead)");
47384b4e9c0Scjs     } else if (reserved_name(pat)) {		/* other reserved */
47484b4e9c0Scjs 	 /* void */ ;
47584b4e9c0Scjs     } else if (NOT_INADDR(pat)) {		/* internet name */
47684b4e9c0Scjs 	if (pat[strlen(pat) - 1] == '.') {
47784b4e9c0Scjs 	    tcpd_warn("%s: domain or host name ends in dot", pat);
47884b4e9c0Scjs 	} else if (pat[0] != '.') {
47984b4e9c0Scjs 	    addr_count = check_dns(pat);
48084b4e9c0Scjs 	}
48184b4e9c0Scjs     } else {					/* numeric form */
48284b4e9c0Scjs 	if (STR_EQ(pat, "0.0.0.0") || STR_EQ(pat, "255.255.255.255")) {
48384b4e9c0Scjs 	    /* void */ ;
48484b4e9c0Scjs 	} else if (pat[0] == '.') {
48584b4e9c0Scjs 	    tcpd_warn("%s: network number begins with dot", pat);
48684b4e9c0Scjs 	} else if (pat[strlen(pat) - 1] != '.') {
48784b4e9c0Scjs 	    check_dns(pat);
48884b4e9c0Scjs 	}
48984b4e9c0Scjs     }
49084b4e9c0Scjs     return (addr_count);
49184b4e9c0Scjs }
49284b4e9c0Scjs 
49384b4e9c0Scjs /* reserved_name - determine if name is reserved */
49484b4e9c0Scjs 
reserved_name(char * pat)495*421949a3Ssevan static int reserved_name(char *pat)
49684b4e9c0Scjs {
49784b4e9c0Scjs     return (STR_EQ(pat, unknown)
49884b4e9c0Scjs 	    || STR_EQ(pat, "KNOWN")
49984b4e9c0Scjs 	    || STR_EQ(pat, paranoid)
50084b4e9c0Scjs 	    || STR_EQ(pat, "ALL")
50184b4e9c0Scjs 	    || STR_EQ(pat, "LOCAL"));
50284b4e9c0Scjs }
503