[nut-Feature Requests][310492] Allow to specify hostnames in ACL (upsd.conf)

nut-featurerequests at alioth.debian.org
Sat Jan 26 19:53:23 UTC 2008


Feature Requests item #310492, was opened at 07/01/2008 09:57
>Status: Closed
Priority: 3
Submitted By: Arnaud Quette (aquette)
Assigned to: Nobody (None)
Summary: Allow to specify hostnames in ACL (upsd.conf) 
Category: None
Group: None


Initial Comment:
allow a new ACL form:
ACL hostname/mask

example:
ACL localhost localhost/32
or
ACL localhost localhost/255.255.255.255

This is obviously reserved for names that can be resolved (so host only?)


----------------------------------------------------------------------

>Comment By: Arnaud Quette (aquette)
Date: 26/01/2008 20:53

Message:
The ACL mechanism has been removed from the NUT 2.3.0 development tree.

----------------------------------------------------------------------

Comment By: Arjen de Korte (adkorte-guest)
Date: 07/01/2008 12:44

Message:
Worse, if we do the lookup at connection time this would probably require a reverse lookup, since we'll only see an IP address (not a hostname). Requiring the forward records to be set up properly is tricky, and even more so for reverse records. In many installations, rDNS is not configured properly (if at all). Chances are that if it is, the administrator of the network is also smart enough to configure 'upsd.conf' properly too, without having to fall back to specifying. So in reality, the only viable solution would be to do a forward lookup for the hostnames at startup of the server and add these hostnames to the list of IP addresses we accept/reject connections from. I'm starting to doubt if this is worth the effort.

The addition of a netmask is a bad idea anyway. If we want to use DNS for configuration of the ACLs, this should be limited to hostnames only (which don't require a netmask). Throwing a netmask in the mix is only going to create more confusion (from the days I was hacking on BIND, I don't have high expectations).

----------------------------------------------------------------------

Comment By: Arjen de Korte (adkorte-guest)
Date: 07/01/2008 10:19

Message:
I don't think this is a good idea. Not only because this depends on having DNS set up for the hostnames, but also because there is the problem of what we should do when a hostname resolves into multiple IP addresses and/or IPv4/IPv6 addresses. Should we listen on a single address or all that we can find?

Relying on DNS is very tricky, although we allow this for specifying LISTEN addresses. In the latter case this problem is mitigated because the server simply won't open listening sockets if it can't find an address to bind to, and prints an error message. It will do just one or two queries at startup.

There is an additional problem: when to do the mapping from hostname to IP address. If we do it at startup of the server, the hostname (in the case of a DHCP client or clients added later on) may not be present yet. This means that we should do a query at connection time (each time a client connects). Besides the load this will cause on the DNS server, the default timeouts for DNS queries (on the order of several seconds) will be too high and clients will start complaining that the server doesn't respond.

----------------------------------------------------------------------
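As an added illustration (not code from the tracker item or from NUT itself), the following Python sketch shows the resolve-once-at-startup approach the thread ends up favouring, accepting both mask spellings from the request for literal addresses while refusing a netmask on a hostname; the FAKE_DNS table standing in for DNS and the ACL lines are constructed.

```python
import ipaddress

# Constructed stand-in for DNS forward records (hostname -> addresses);
# a real daemon would call getaddrinfo() here, once, at startup.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "roundrobin": ["192.0.2.20", "192.0.2.21"],  # the multi-address case
}

SINGLE_HOST_MASKS = {"", "32", "128", "255.255.255.255"}

def parse_acl(line, resolver=FAKE_DNS):
    """Parse 'ACL <name> <host-or-ip>/<mask>' into (name, [networks]).

    A literal address takes a CIDR prefix or a dotted-quad mask.  A hostname
    is resolved once, here, and expands to one single-host network per
    record; a wider mask on a hostname is rejected, and an unresolvable
    name fails loudly instead of silently shrinking the ACL."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ACL":
        raise ValueError(f"malformed ACL line: {line!r}")
    name, spec = parts[1], parts[2]
    host, _, mask = spec.partition("/")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not a literal address: treat it as a hostname below
    else:
        return name, [ipaddress.ip_network(spec if mask else host, strict=False)]
    if mask not in SINGLE_HOST_MASKS:
        raise ValueError(f"ACL {name!r}: no netmask allowed on hostname {host!r}")
    addrs = resolver.get(host)
    if not addrs:
        raise ValueError(f"ACL {name!r}: cannot resolve {host!r} at startup")
    return name, [ipaddress.ip_network(a) for a in addrs]

def build_acls(lines, resolver=FAKE_DNS):
    # Every lookup happens here, so no DNS query is made per connection.
    return [parse_acl(l, resolver) for l in lines if l.strip()]

def peer_matches(acls, peer):
    """Names of every ACL the connecting peer address falls into."""
    p = ipaddress.ip_address(peer)
    return [name for name, nets in acls if any(p in n for n in nets)]

# Constructed upsd.conf fragment in the form the request proposes.
ACL_LINES = [
    "ACL localhost localhost/255.255.255.255",
    "ACL lan 192.0.2.0/255.255.255.0",
    "ACL clients roundrobin/32",
]
```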

You can respond by visiting: 
http://alioth.debian.org/tracker/?func=detail&atid=411545&aid=310492&group_id=30602


