authorAlan Coopersmith <alan.coopersmith@oracle.com>2011-10-06 22:47:25 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2011-10-06 22:47:25 -0700
commit063daed4b43090a3e37f29e9796ffce0861573f1 (patch)
tree38ec16696872ff28393e0c4798f0ed63a8809527
parente266d1015912d5e9458351e6deed548d2755eedb (diff)
Strip trailing whitespace
Performed with: find * -type f | xargs perl -i -p -e 's{[ \t]+$}{}'
git diff -w & git diff -b show no diffs from this change

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--Makefile.am6
-rw-r--r--configure.ac4
-rw-r--r--io.c304
-rw-r--r--io.h2
-rw-r--r--misc.c412
-rw-r--r--misc.h24
-rw-r--r--pm.c92
-rw-r--r--pm.h6
-rw-r--r--transport.c78
-rw-r--r--transport.h6
-rw-r--r--xfwp.c58
-rw-r--r--xfwp.h28
-rw-r--r--xfwp.man224
13 files changed, 622 insertions, 622 deletions
diff --git a/Makefile.am b/Makefile.am
index c9d044b..dfb21a4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,6 +1,6 @@
-#
+#
# Copyright 2005 Red Hat, Inc.
-#
+#
# Permission to use, copy, modify, distribute, and sell this software and its
# documentation for any purpose is hereby granted without fee, provided that
# the above copyright notice appear in all copies and that both that
@@ -10,7 +10,7 @@
# specific, written prior permission. Red Hat makes no
# representations about the suitability of this software for any purpose. It
# is provided "as is" without express or implied warranty.
-#
+#
# RED HAT DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
# INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
# EVENT SHALL RED HAT BE LIABLE FOR ANY SPECIAL, INDIRECT OR
diff --git a/configure.ac b/configure.ac
index 42195a3..41eda2a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,6 +1,6 @@
dnl Copyright 2005 Red Hat, Inc.
-dnl
+dnl
dnl Permission to use, copy, modify, distribute, and sell this software and its
dnl documentation for any purpose is hereby granted without fee, provided that
dnl the above copyright notice appear in all copies and that both that
@@ -10,7 +10,7 @@ dnl advertising or publicity pertaining to distribution of the software without
dnl specific, written prior permission. Red Hat makes no
dnl representations about the suitability of this software for any purpose. It
dnl is provided "as is" without express or implied warranty.
-dnl
+dnl
dnl RED HAT DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
dnl INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
dnl EVENT SHALL RED HAT BE LIABLE FOR ANY SPECIAL, INDIRECT OR
diff --git a/io.c b/io.c
index 8cec51c..da006b2 100644
--- a/io.c
+++ b/io.c
@@ -58,14 +58,14 @@ X Window System is a trademark of The Open Group.
* Error messages returned to clients who are denied access
*/
static char * server_reason[2] = {
- "Authentication rejected",
+ "Authentication rejected",
"permission denied"
-};
+};
static void
RemoveFDFromServerListenArray (
- int fd_counter,
+ int fd_counter,
fd_set * rinit,
int num_servers)
{
@@ -100,22 +100,22 @@ RemoveFDFromServerListenArray (
static void
doProcessWritables(
int fd_counter,
- fd_set * rinit,
+ fd_set * rinit,
fd_set * winit)
{
- int bytes_written;
+ int bytes_written;
int remainder;
/*
* start off by writing from the selected fd to its connection
- * partner
+ * partner
*/
if (client_conn_array[fd_counter]->wbytes)
{
/*
* See how much you manage to write
*/
- bytes_written = write (fd_counter,
+ bytes_written = write (fd_counter,
client_conn_array[fd_counter]->writebuf,
client_conn_array[fd_counter]->wbytes);
/*
@@ -125,7 +125,7 @@ doProcessWritables(
{
/*
* no process attached to the other end of this socket
- */
+ */
if (errno == EPIPE)
{
(void) fprintf (stderr, "write error - EPIPE\n");
@@ -143,9 +143,9 @@ doProcessWritables(
FD_CLR(client_conn_array[fd_counter]->conn_to, rinit);
FD_CLR(client_conn_array[fd_counter]->conn_to, winit);
(void) close (client_conn_array[fd_counter]->conn_to);
- }
+ }
- client_conn_array[client_conn_array[fd_counter]->conn_to]->conn_to
+ client_conn_array[client_conn_array[fd_counter]->conn_to]->conn_to
= -1;
client_conn_array[fd_counter]->conn_to = -1;
if (client_conn_array[fd_counter]->source)
@@ -174,7 +174,7 @@ doProcessWritables(
} else
/*
* writebuffer *must* be empty, so zero byte counter
- */
+ */
client_conn_array[fd_counter]->wbytes = 0;
/*
@@ -182,9 +182,9 @@ doProcessWritables(
*/
if ((client_conn_array[fd_counter]->conn_to != -1) &&
(client_conn_array[client_conn_array[fd_counter]->conn_to]->rbytes))
- doCopyFromTo(client_conn_array[fd_counter]->conn_to,
- fd_counter,
- rinit,
+ doCopyFromTo(client_conn_array[fd_counter]->conn_to,
+ fd_counter,
+ rinit,
winit);
/*
@@ -211,7 +211,7 @@ doProcessWritables(
FD_CLR(fd_counter, winit);
}
/*
- * since we just wrote data to the conn_to fd, mark it as ready
+ * since we just wrote data to the conn_to fd, mark it as ready
* to check for reading when we go through select() the next time
*/
if (client_conn_array[fd_counter] != NULL)
@@ -222,18 +222,18 @@ doProcessWritables(
{
/*
* There was nothing to write on this fd (can't see how we'd get
- * here if select() returned this fd as writable, but it's in
- * XForward so who am I to say?!)
+ * here if select() returned this fd as writable, but it's in
+ * XForward so who am I to say?!)
*/
if ((client_conn_array[fd_counter]->conn_to != -1) &&
(client_conn_array[client_conn_array[fd_counter]->conn_to]->rbytes))
{
- doCopyFromTo (client_conn_array[fd_counter]->conn_to,
+ doCopyFromTo (client_conn_array[fd_counter]->conn_to,
fd_counter,
- rinit,
+ rinit,
winit);
/*
- * if you got anything to write, then proceed to next
+ * if you got anything to write, then proceed to next
* iter of select()
*/
if (client_conn_array[fd_counter]->wbytes)
@@ -242,10 +242,10 @@ doProcessWritables(
/*
* You didn't get anything from that copy; check to see if it was
- * because the readables handler marked the fd closed; if so,
- * close this association; otherwise, simply clear the fd_set
- * writable mask for this fd
- */
+ * because the readables handler marked the fd closed; if so,
+ * close this association; otherwise, simply clear the fd_set
+ * writable mask for this fd
+ */
if (client_conn_array[fd_counter]->wclose)
{
FD_CLR(fd_counter, rinit);
@@ -295,15 +295,15 @@ ProcessNewPMConnection (
}
if (pm_idx >= config_info->num_pm_conns)
{
- (void) fprintf (stderr,
+ (void) fprintf (stderr,
"Maximum number of PM connections has been reached (%d)\n",
config_info->num_pm_conns);
-
+
/*
* Must accept and then close this connection or the PM will
* continue to poll.
*/
- temp_obj = *listen_objects;
+ temp_obj = *listen_objects;
new_ice_conn = IceAcceptConnection(temp_obj[listen_fd], &accept_status);
if (new_ice_conn)
IceCloseConnection(new_ice_conn);
@@ -312,14 +312,14 @@ ProcessNewPMConnection (
}
/*
- * accept the connection if you can, use pm_listen_array
+ * accept the connection if you can, use pm_listen_array
* index to index into ICE listen_object list (this is because the
* listen_objects list must correspond to the pm_listen_array)
*/
- temp_obj = *listen_objects;
+ temp_obj = *listen_objects;
new_ice_conn = IceAcceptConnection(temp_obj[listen_fd], &accept_status);
if (!new_ice_conn)
- {
+ {
static int been_here;
/*
@@ -338,14 +338,14 @@ ProcessNewPMConnection (
* extract the fd from this new connection; remember, the fd of
* the listen socket is *not* the fd of the actual connection!
*/
- temp_sock_fd = IceConnectionNumber(new_ice_conn);
+ temp_sock_fd = IceConnectionNumber(new_ice_conn);
/*
* before we get any further, do a config check on the new ICE
* connection; start by using getpeername() to get endpoint info
*/
- retval = getpeername(temp_sock_fd,
- (struct sockaddr*)&temp_sockaddr_in,
+ retval = getpeername(temp_sock_fd,
+ (struct sockaddr*)&temp_sockaddr_in,
(void *)&addrlen);
if (retval)
{
@@ -355,29 +355,29 @@ ProcessNewPMConnection (
}
assert(temp_sockaddr_in.sin_family == AF_INET);
-
+
/*
* Do a configuration check. NOTE: we're not doing anything
- * with the server_sockaddr_in argument
+ * with the server_sockaddr_in argument
*/
- if ((doConfigCheck(&temp_sockaddr_in,
+ if ((doConfigCheck(&temp_sockaddr_in,
&server_sockaddr_in,
config_info,
PMGR,
&rule_number)) == FAILURE)
{
/*
- * close the PM connection
- *
+ * close the PM connection
+ *
*/
(void) fprintf(stderr, "PM failed config check\n");
IceCloseConnection(new_ice_conn);
return;
}
- /*
+ /*
* you've started the connection process; allocate a buffer
- * for this connection, then continue processing other fd's without
+ * for this connection, then continue processing other fd's without
* blocking while waiting to read the coming PM data; [NOTE:
* we use the fd of the connection socket as index into the
* pm_conn_array; this saves us much troublesome linked-list
@@ -396,7 +396,7 @@ ProcessNewPMConnection (
* each time you need it, but that's a pain)
*/
pm_conn_array[pm_idx]->fd = temp_sock_fd;
- pm_conn_array[pm_idx]->ice_conn = new_ice_conn;
+ pm_conn_array[pm_idx]->ice_conn = new_ice_conn;
/*
* Set the readables select() to listen for a readable on this
@@ -409,12 +409,12 @@ ProcessNewPMConnection (
*nfds = max(*nfds, temp_sock_fd + 1);
/*
- * this is where we initialize the current time and timeout on this
+ * this is where we initialize the current time and timeout on this
* pm_connection object
*/
(void) gettimeofday(&time_val, &time_zone);
- pm_conn_array[pm_idx]->creation_time = time_val.tv_sec;
- pm_conn_array[pm_idx]->time_to_close = config_info->pm_data_timeout;
+ pm_conn_array[pm_idx]->creation_time = time_val.tv_sec;
+ pm_conn_array[pm_idx]->time_to_close = config_info->pm_data_timeout;
}
static void
@@ -429,17 +429,17 @@ ProcessPMInput (
{
case IceConnectPending:
/*
- * for some reason this connection still isn't ready for
+ * for some reason this connection still isn't ready for
* reading, so return and try next readable
*/
- (void) IceProcessMessages(pm_conn_array[pm_idx]->ice_conn,
+ (void) IceProcessMessages(pm_conn_array[pm_idx]->ice_conn,
NULL, NULL);
break;
case IceConnectAccepted:
/*
- * you're ready to read the PM data, allocate and send back
- * your client listen port, etc., etc.; do this inside
+ * you're ready to read the PM data, allocate and send back
+ * your client listen port, etc., etc.; do this inside
* FWPprocessMessages() by calling IceProcessMessages()
* [NOTE: The NULL args set it up for non-blocking]
*/
@@ -451,7 +451,7 @@ ProcessPMInput (
case IceProcessMessagesSuccess:
/*
- * you read the server data, allocated a listen port
+ * you read the server data, allocated a listen port
* for the remote client and wrote it back to the PM,
* so you don't need to do anything more until PM
* closes the connection (NOTE: Make sure we don't
@@ -464,20 +464,20 @@ ProcessPMInput (
if (process_status == IceProcessMessagesIOError)
/*
- * there was a problem with the connection, close
+ * there was a problem with the connection, close
* it explicitly
*/
IceCloseConnection(pm_conn_array[pm_idx]->ice_conn);
else
/*
- * the connection somehow closed itself, so don't call
+ * the connection somehow closed itself, so don't call
* IceCloseConnection
*/
;
-
+
/*
- * reset the select() readables mask and nfds, free
- * the buffer memory on this array element, reset the
+ * reset the select() readables mask and nfds, free
+ * the buffer memory on this array element, reset the
* pointer to NULL and return
*/
FD_CLR(pm_conn_array[pm_idx]->fd, rinit);
@@ -538,8 +538,8 @@ ProcessNewClientConnection (
int temp_sock_len = sizeof(temp_sockaddr_in);
/*
- * The first thing we do is accept() this connection and check it
- * against configuration data to see whether its origination host
+ * The first thing we do is accept() this connection and check it
+ * against configuration data to see whether its origination host
* is allowed; next, we connect to the server found in the lookup,
* synthesize a proxy connection setup request to be sent
* to that server to determine whether it`s a secure server;
@@ -549,7 +549,7 @@ ProcessNewClientConnection (
*/
if ((temp_sock_fd = accept(accept_fd,
- (struct sockaddr *) &temp_sockaddr_in,
+ (struct sockaddr *) &temp_sockaddr_in,
(void *)&temp_sock_len)) < 0)
{
(void) fprintf (stderr, "accept call for a client failed\n");
@@ -561,14 +561,14 @@ ProcessNewClientConnection (
* an error occurs, those functions will output an appropriate
* message
*/
- if ((doServerConnectSetup(server_array[server_idx]->x_server_hostport,
- &server_array[server_idx]->server_fd,
+ if ((doServerConnectSetup(server_array[server_idx]->x_server_hostport,
+ &server_array[server_idx]->server_fd,
&server_sockaddr_in)) == FAILURE)
{
(void) close (temp_sock_fd);
return;
}
- if ((doServerConnect(&server_array[server_idx]->server_fd,
+ if ((doServerConnect(&server_array[server_idx]->server_fd,
&server_sockaddr_in)) == FAILURE)
{
(void) close (temp_sock_fd);
@@ -581,17 +581,17 @@ ProcessNewClientConnection (
/*
* do config check on client source and destination (must do
* it here because otherwise we don't have a server socket
- * to query and we may not be able to resolve server name
- * alone from xfindproxy()
+ * to query and we may not be able to resolve server name
+ * alone from xfindproxy()
*/
- if ((doConfigCheck(&temp_sockaddr_in,
+ if ((doConfigCheck(&temp_sockaddr_in,
&server_sockaddr_in,
config_info,
CLIENT,
&rule_number)) == FAILURE)
{
/*
- * log the client connection failure, close client and server
+ * log the client connection failure, close client and server
* sockets and return
*/
doWriteLogEntry (inet_ntoa(temp_sockaddr_in.sin_addr),
@@ -608,7 +608,7 @@ ProcessNewClientConnection (
* If configured authorization succeeds, go ahead and
* allocate a client_conn_buf struct for client connection
*/
- if ((client_conn_array[temp_sock_fd] = (struct client_conn_buf *)
+ if ((client_conn_array[temp_sock_fd] = (struct client_conn_buf *)
malloc(sizeof (struct client_conn_buf))) == NULL)
{
(void) fprintf (stderr, "malloc - client connection buffer\n");
@@ -621,21 +621,21 @@ ProcessNewClientConnection (
* the log data struct will go out of scope before we check the
* server security extension or other loggable events)
*/
- client_conn_array[temp_sock_fd]->source =
+ client_conn_array[temp_sock_fd]->source =
Malloc(strlen(inet_ntoa(temp_sockaddr_in.sin_addr)) + 1);
- client_conn_array[temp_sock_fd]->destination =
+ client_conn_array[temp_sock_fd]->destination =
Malloc(strlen(inet_ntoa(server_sockaddr_in.sin_addr)) + 1);
- (void) strcpy(client_conn_array[temp_sock_fd]->source,
+ (void) strcpy(client_conn_array[temp_sock_fd]->source,
inet_ntoa(temp_sockaddr_in.sin_addr));
- (void) strcpy(client_conn_array[temp_sock_fd]->destination,
- inet_ntoa(server_sockaddr_in.sin_addr));
+ (void) strcpy(client_conn_array[temp_sock_fd]->destination,
+ inet_ntoa(server_sockaddr_in.sin_addr));
/*
- * allocate a buffer for the X server connection
- * and create the association between client and server
+ * allocate a buffer for the X server connection
+ * and create the association between client and server
*/
- if ((client_conn_array[server_fd] = (struct client_conn_buf *)
+ if ((client_conn_array[server_fd] = (struct client_conn_buf *)
malloc(sizeof (struct client_conn_buf))) == NULL)
{
(void) fprintf (stderr, "malloc - server connectioin buffer\n");
@@ -648,15 +648,15 @@ ProcessNewClientConnection (
/*
* save this sock fd for future reference (in timeout computation)
- */
+ */
client_conn_array[temp_sock_fd]->fd = temp_sock_fd;
/*
- * mark this buffer as readable and writable and waiting for
+ * mark this buffer as readable and writable and waiting for
* authentication to complete; mark the server conn buffer
- * with a special state to make sure that its reply to
+ * with a special state to make sure that its reply to
* the authentication request can be read and interpreted
- * before it is simply forwarded to the client
+ * before it is simply forwarded to the client
*/
client_conn_array[temp_sock_fd]->state = CLIENT_WAITING;
client_conn_array[server_fd]->state = SERVER_REPLY;
@@ -670,19 +670,19 @@ ProcessNewClientConnection (
*nfds = max(*nfds, server_fd + 1);
/*
- * this is where we initialize the current time and timeout on this
+ * this is where we initialize the current time and timeout on this
* client_data object
*/
gettimeofday(&time_val, &time_zone);
client_conn_array[temp_sock_fd]->creation_time = time_val.tv_sec;
- client_conn_array[temp_sock_fd]->time_to_close =
+ client_conn_array[temp_sock_fd]->time_to_close =
config_info->client_data_timeout;
/*
* be sure the mark the server side of the association, too
*/
- client_conn_array[server_fd]->creation_time = time_val.tv_sec;
- client_conn_array[server_fd]->time_to_close =
+ client_conn_array[server_fd]->creation_time = time_val.tv_sec;
+ client_conn_array[server_fd]->time_to_close =
config_info->client_data_timeout;
client_conn_array[server_fd]->fd = server_fd;
@@ -693,7 +693,7 @@ ProcessClientWaiting (
fd_set * winit,
int client_idx)
{
- char * conn_auth_name = "XC-QUERY-SECURITY-1";
+ char * conn_auth_name = "XC-QUERY-SECURITY-1";
int conn_auth_namelen;
int conn_auth_datalen;
xConnClientPrefix client;
@@ -708,7 +708,7 @@ ProcessClientWaiting (
* established connection, but we still haven't checked
* authentication on this client from the associated
* X-server.
- *
+ *
* Do the following:
*
* 1. create the authentication header
@@ -744,7 +744,7 @@ ProcessClientWaiting (
client.nbytesAuthString = conn_auth_datalen;
/*
- * Put the authentication message into the appropriate
+ * Put the authentication message into the appropriate
* client_conn_buf object
*
* compute required padding for name and data strings
@@ -784,13 +784,13 @@ ProcessClientWaiting (
bzero(bufP, data_remainder);
}
- client_conn_array[idx]->wbytes = sizeof(client) +
- conn_auth_namelen + name_remainder +
+ client_conn_array[idx]->wbytes = sizeof(client) +
+ conn_auth_namelen + name_remainder +
conn_auth_datalen + data_remainder;
/*
* Mark this fd as selectable to force a write() operation
- * of authentication request to server for this client
+ * of authentication request to server for this client
*/
FD_SET(client_conn_array[client_idx]->conn_to, winit);
@@ -798,7 +798,7 @@ ProcessClientWaiting (
* Mark the connection SERVER_WAITING (so that we don't
* read any more client data until the authentication
* sequence is complete)
- */
+ */
client_conn_array[client_idx]->state = SERVER_WAITING;
}
@@ -810,7 +810,7 @@ ProcessConnectionReady (
int client_fd)
{
/*
- * We've finished our authentication handshaking and are
+ * We've finished our authentication handshaking and are
* forwarding data either from client to server or vice versa
*/
int bytes_read;
@@ -833,7 +833,7 @@ ProcessConnectionReady (
/*
* remote apparently closed the connection;
* clear bits in the select() mask, reclaim conn_buffs and
- * listen port
+ * listen port
*/
FD_CLR(client_fd, rinit);
FD_CLR(client_fd, winit);
@@ -856,7 +856,7 @@ ProcessConnectionReady (
* listen fd so that clients will not attempt to connect
* on this fd.
*/
- RemoveFDFromServerListenArray (client_fd,
+ RemoveFDFromServerListenArray (client_fd,
rinit,
config_info->num_servers);
@@ -867,7 +867,7 @@ ProcessConnectionReady (
} else if (bytes_read == 0)
{
/*
- * make sure we don't try to read on this fd again
+ * make sure we don't try to read on this fd again
*/
FD_CLR(client_fd, rinit);
FD_CLR(client_fd, winit);
@@ -876,8 +876,8 @@ ProcessConnectionReady (
if (client_conn_array[client_fd]->conn_to != -1)
{
- /*
- * mark this conn_fd fd ready to close
+ /*
+ * mark this conn_fd fd ready to close
*/
int idx = client_conn_array[client_fd]->conn_to;
@@ -886,12 +886,12 @@ ProcessConnectionReady (
/*
* but still force a last write on the conn_to connection
- */
+ */
FD_SET(client_conn_array[client_fd]->conn_to, winit);
- }
+ }
/*
- * and mark this connection for no further activity
+ * and mark this connection for no further activity
*/
client_conn_array[client_fd]->rbytes = 0;
client_conn_array[client_fd]->wbytes = 0;
@@ -902,8 +902,8 @@ ProcessConnectionReady (
* listen fd so that clients will not attempt to connect
* on this fd.
*/
- RemoveFDFromServerListenArray (client_fd,
- rinit,
+ RemoveFDFromServerListenArray (client_fd,
+ rinit,
config_info->num_servers);
} else
@@ -917,7 +917,7 @@ ProcessConnectionReady (
if (client_conn_array[client_fd]->conn_to != 0)
doCopyFromTo(client_fd,
client_conn_array[client_fd]->conn_to,
- rinit,
+ rinit,
winit);
/*
@@ -931,7 +931,7 @@ ProcessConnectionReady (
* don't allow any more reading until that's done
*/
FD_CLR(client_fd, rinit);
- }
+ }
}
}
}
@@ -956,17 +956,17 @@ ProcessServerReply (
{
/*
* read the server reply to the authentication request
- */
+ */
(void) read(client_fd,
client_conn_array[client_fd]->readbuf +
- client_conn_array[client_fd]->rbytes,
+ client_conn_array[client_fd]->rbytes,
RWBUFFER_SIZE - client_conn_array[client_fd]->rbytes);
switch ((BYTE) client_conn_array[client_fd]->readbuf[0])
{
case SERVER_REPLY_FAILURE:
#ifdef DEBUG
- {
+ {
char * replyP = client_conn_array[client_fd]->readbuf;
int reasonLength = *++replyP;
@@ -977,12 +977,12 @@ ProcessServerReply (
/* FALL-THROUGH */
#endif
case SERVER_REPLY_SUCCESS:
- /*
- * two possibilities here: either the policy field
+ /*
+ * two possibilities here: either the policy field
* passed to the server is unauthorized, or the server
* does not support the security extension; in both cases
* we read the client fd then synthesize a response
- * which we forward to the client before closing the
+ * which we forward to the client before closing the
* connection
*/
(void) read(client_conn_array[client_fd]->conn_to,
@@ -991,7 +991,7 @@ ProcessServerReply (
* construct the client response
*/
prefix.success = 0;
- prefix.lengthReason = server_reason_len =
+ prefix.lengthReason = server_reason_len =
strlen(server_reason
[(int) client_conn_array[client_fd]->readbuf[0]]);
prefix.majorVersion = X_PROTOCOL;
@@ -1008,19 +1008,19 @@ ProcessServerReply (
/*
* allocate the padded buffer
*/
- if ((server_reason_padded =
- (char *) malloc (server_reason_len +
+ if ((server_reason_padded =
+ (char *) malloc (server_reason_len +
server_reason_remainder)) == NULL)
{
(void) fprintf (stderr, "malloc - server reason\n");
return;
- }
+ }
/*
* calculate the "additional data" field
*/
prefix.length = (server_reason_len + server_reason_remainder) /
- four;
+ four;
/*
* compare client and xfwp byte ordering and swap prefix fields
@@ -1034,41 +1034,41 @@ ProcessServerReply (
* client and xfwp are different byte order
* so swap all fwp 2-byte fields to little endian
*/
- swab((char *) &prefix.majorVersion,
- (char *) &prefix.majorVersion,
+ swab((char *) &prefix.majorVersion,
+ (char *) &prefix.majorVersion,
sizeof(prefix.majorVersion));
- swab((char *) &prefix.minorVersion,
- (char *) &prefix.minorVersion,
+ swab((char *) &prefix.minorVersion,
+ (char *) &prefix.minorVersion,
sizeof(prefix.minorVersion));
- swab((char *) &prefix.length,
- (char *) &prefix.length,
+ swab((char *) &prefix.length,
+ (char *) &prefix.length,
sizeof(prefix.length));
}
/*
* load the padded reason
*/
- bzero((char *) server_reason_padded,
+ bzero((char *) server_reason_padded,
server_reason_len + server_reason_remainder);
- memcpy((char *) server_reason_padded,
+ memcpy((char *) server_reason_padded,
(char *) server_reason
[(int) client_conn_array[client_fd]->readbuf[0]],
server_reason_len);
/*
* load the complete synthesized server reply (which will
* be sent to the client next time the writables are
- * processed (again, to avoid blocking)
+ * processed (again, to avoid blocking)
*/
- memcpy((char *) client_conn_array[client_fd]->readbuf,
- (char *) &prefix,
+ memcpy((char *) client_conn_array[client_fd]->readbuf,
+ (char *) &prefix,
sizeof(prefix));
- memcpy((char *) client_conn_array[client_fd]->readbuf +
+ memcpy((char *) client_conn_array[client_fd]->readbuf +
sizeof(prefix),
- (char *) server_reason_padded,
+ (char *) server_reason_padded,
server_reason_len + server_reason_remainder);
- client_conn_array[client_fd]->rbytes = sizeof(prefix) +
+ client_conn_array[client_fd]->rbytes = sizeof(prefix) +
server_reason_len + server_reason_remainder;
/*
@@ -1092,7 +1092,7 @@ ProcessServerReply (
/*
* output a trace message
*/
- if (((int) client_conn_array[client_fd]->readbuf[0]) ==
+ if (((int) client_conn_array[client_fd]->readbuf[0]) ==
SERVER_REPLY_SUCCESS)
(void) fprintf (stderr, "Server replied SUCCESS\n");
#endif
@@ -1107,7 +1107,7 @@ ProcessServerReply (
-1,
config_info);
break;
-
+
case SERVER_REPLY_AUTHENTICATE:
/*
* the server supports the security extension; begin
@@ -1129,7 +1129,7 @@ ProcessServerReply (
break;
default:
- (void) fprintf (stderr, "unknown reply from server\n");
+ (void) fprintf (stderr, "unknown reply from server\n");
}
}
}
@@ -1138,7 +1138,7 @@ static void
doProcessReadables(
int fd_counter,
int * nfds,
- fd_set * rinit,
+ fd_set * rinit,
fd_set * winit,
int pm_listen_array[],
struct config * config_info,
@@ -1151,7 +1151,7 @@ doProcessReadables(
*/
for (i = 0; i < config_info->num_pm_listen_ports; i++)
{
- if (pm_listen_array[i] == fd_counter)
+ if (pm_listen_array[i] == fd_counter)
{
if (!pm_conn_array[fd_counter])
{
@@ -1172,7 +1172,7 @@ doProcessReadables(
/*
* If this is an already-accepted PM connection, call
* IceProcessMessages() to invoke the FWPprocessMessages
- * callback
+ * callback
*/
for (i = 0; i < config_info->num_pm_conns; i++)
{
@@ -1225,14 +1225,14 @@ doProcessReadables(
switch (client_conn_array[fd_counter]->state)
{
case CLIENT_WAITING:
- ProcessClientWaiting (winit,
+ ProcessClientWaiting (winit,
fd_counter);
break;
case CONNECTION_READY:
- ProcessConnectionReady (rinit,
- winit,
- config_info,
+ ProcessConnectionReady (rinit,
+ winit,
+ config_info,
fd_counter);
break;
@@ -1244,9 +1244,9 @@ doProcessReadables(
break;
case SERVER_REPLY:
- ProcessServerReply (rinit,
- winit,
- config_info,
+ ProcessServerReply (rinit,
+ winit,
+ config_info,
fd_counter);
break;
@@ -1261,10 +1261,10 @@ doProcessReadables(
void
doProcessSelect(
int * nfds,
- int * nready,
- fd_set * readable,
+ int * nready,
+ fd_set * readable,
fd_set * writable,
- fd_set * rinit,
+ fd_set * rinit,
fd_set * winit,
int pm_listen_array[],
struct config * config_info,
@@ -1285,9 +1285,9 @@ doProcessSelect(
/*
* Decrement the list of read/write ready connections
*/
- *nready -= 1;
- doProcessWritables (fd_counter,
- rinit,
+ *nready -= 1;
+ doProcessWritables (fd_counter,
+ rinit,
winit);
}
@@ -1299,13 +1299,13 @@ doProcessSelect(
/*
* Decrement the list of read/write ready connections
*/
- *nready -= 1;
- doProcessReadables (fd_counter,
- nfds,
- rinit,
- winit,
- pm_listen_array,
- config_info,
+ *nready -= 1;
+ doProcessReadables (fd_counter,
+ nfds,
+ rinit,
+ winit,
+ pm_listen_array,
+ config_info,
listen_objects);
}
}
diff --git a/io.h b/io.h
index 147b10f..b101b47 100644
--- a/io.h
+++ b/io.h
@@ -1,7 +1,7 @@
/* $Xorg: io.h,v 1.4 2001/02/09 02:05:45 xorgcvs Exp $ */
/*
-Copyright "1986-1997, 1998 The Open Group
+Copyright "1986-1997, 1998 The Open Group
Permission to use, copy, modify, distribute, and sell this software and its
documentation for any purpose is hereby granted without fee, provided that
diff --git a/misc.c b/misc.c
index cc040ba..760069a 100644
--- a/misc.c
+++ b/misc.c
@@ -50,9 +50,9 @@ static Bool HaveSitePolicy = 0;
/*ARGSUSED*/
-static void
+static void
BadSyntax(
- char *msg,
+ char *msg,
int line)
{
#ifdef DEBUG
@@ -60,27 +60,27 @@ BadSyntax(
#endif
}
-static void
+static void
Usage(void)
{
- (void) fprintf (stderr, "Usage: xfwp [-pdt <#secs>] [-clt <#secs>] \\\n");
- (void) fprintf (stderr,
+ (void) fprintf (stderr, "Usage: xfwp [-pdt <#secs>] [-clt <#secs>] \\\n");
+ (void) fprintf (stderr,
"\t[-cdt <#secs>] [-pmport <port#>] [-config <path>]\\\n");
- (void) fprintf (stderr,
+ (void) fprintf (stderr,
"\t[-logfile <path>] [-loglevel <0|1>] [-verify]\n");
exit (0);
}
-static void
+static void
MallocFailed(void)
{
(void) fprintf(stderr, "Memory allocation failed, exiting\n");
exit(1);
}
-static char*
+static char*
Realloc(
- char *p,
+ char *p,
int s)
{
if (!p)
@@ -94,16 +94,16 @@ Realloc(
return p;
}
-static void
+static void
BadMalloc(
int line)
{
(void) fprintf(stderr, "Error: memory exhaused at line %d\n", line);
}
-static void
+static void
doPrintEval(
- struct config * config_info,
+ struct config * config_info,
int line_counter)
{
struct config_line *ruleP = config_info->config_file_data[line_counter];
@@ -113,9 +113,9 @@ doPrintEval(
(void) fprintf(stderr,"matched: %s %s %s %s %s %s %s\n",
(ruleP->permit_deny) ? ruleP->permit_deny : "",
- (ruleP->source_hostname) ? ruleP->source_hostname : "",
+ (ruleP->source_hostname) ? ruleP->source_hostname : "",
(ruleP->source_netmask) ? ruleP->source_netmask : "",
- (ruleP->dest_hostname) ? ruleP->dest_hostname : "",
+ (ruleP->dest_hostname) ? ruleP->dest_hostname : "",
(ruleP->dest_netmask) ? ruleP->dest_netmask : "",
(ruleP->operator) ? ruleP->operator : "",
(ruleP->service) ? ruleP->service : "");
@@ -123,7 +123,7 @@ doPrintEval(
static Bool
doConfigRequireDisallow(
- int line,
+ int line,
char* result)
{
Bool permit = (strcmp("require", result) == 0);
@@ -179,7 +179,7 @@ doConfigRequireDisallow(
return False;
}
-static int
+static int
doVerifyHostMaskToken(
char token[])
{
@@ -200,12 +200,12 @@ doVerifyHostMaskToken(
token = result;
}
if ((delimiter_count < 3) || (delimiter_count > 3))
- return 0;
+ return 0;
else
return 1;
}
-static int
+static int
doInitNewRule(
struct config *config_info)
{
@@ -217,14 +217,14 @@ doInitNewRule(
if ((config_info->config_file_data = (struct config_line**)
Realloc((char*)config_info->config_file_data,
(config_info->lines_allocated += ADD_LINES) *
- sizeof(struct config_line *))) == NULL)
+ sizeof(struct config_line *))) == NULL)
{
(void) fprintf (stderr, "realloc - config_file_data\n");
return -1;
}
}
-
- if ((config_lineP = (struct config_line *)
+
+ if ((config_lineP = (struct config_line *)
Malloc (sizeof(struct config_line))) == NULL)
{
(void) fprintf (stderr, "malloc - config_lineP\n");
@@ -241,7 +241,7 @@ doInitNewRule(
config_lineP->dest_netmask = NULL;
config_lineP->dest_net = 0;
config_lineP->operator = NULL;
- config_lineP->service = NULL;
+ config_lineP->service = NULL;
config_info->config_file_data[rule_number] = config_lineP;
@@ -250,22 +250,22 @@ doInitNewRule(
static int
doConfigPermitDeny(
- struct config *config_info,
+ struct config *config_info,
char *result)
{
struct config_line ** config_file_data;
int line_number;
int bad_token = 0;
- /*
- * caution; config_info->config_file_data can move in doInitNewRule
+ /*
+ * caution; config_info->config_file_data can move in doInitNewRule
*/
if ((line_number = doInitNewRule(config_info)) == -1)
return 1;
config_file_data = config_info->config_file_data;
- if ((config_file_data[line_number]->permit_deny =
+ if ((config_file_data[line_number]->permit_deny =
(char *) malloc (strlen(result) + 1)) == NULL)
{
(void) fprintf(stderr, "malloc - config rule (permit/deny keyword)\n");
@@ -274,8 +274,8 @@ doConfigPermitDeny(
strcpy(config_file_data[line_number]->permit_deny, result);
#ifdef DEBUG
- (void) fprintf(stderr,
- "first token = %s\n",
+ (void) fprintf(stderr,
+ "first token = %s\n",
config_file_data[line_number]->permit_deny);
#endif
@@ -289,7 +289,7 @@ doConfigPermitDeny(
if (doVerifyHostMaskToken(token))
{
- if ((config_file_data[line_number]->source_hostname =
+ if ((config_file_data[line_number]->source_hostname =
(char *) malloc (strlen(result) + 1)) == NULL)
{
(void) fprintf(stderr, "malloc - config rule (source host)\n");
@@ -297,14 +297,14 @@ doConfigPermitDeny(
}
strcpy(config_file_data[line_number]->source_hostname, result);
#ifdef DEBUG
- (void) fprintf(stderr,
- "second token = %s\n",
+ (void) fprintf(stderr,
+ "second token = %s\n",
config_file_data[line_number]->source_hostname);
#endif
/*
* generate network address format
*/
- config_file_data[line_number]->source_host =
+ config_file_data[line_number]->source_host =
inet_addr(config_file_data[line_number]->source_hostname);
} else
bad_token = 1;
@@ -320,7 +320,7 @@ doConfigPermitDeny(
if (doVerifyHostMaskToken(token))
{
- if ((config_file_data[line_number]->source_netmask =
+ if ((config_file_data[line_number]->source_netmask =
(char *) malloc (strlen(result) + 1)) == NULL)
{
(void) fprintf(stderr, "malloc - config rule (source netmask)\n");
@@ -328,11 +328,11 @@ doConfigPermitDeny(
}
strcpy(config_file_data[line_number]->source_netmask, result);
#ifdef DEBUG
- (void) fprintf(stderr,
- "third token = %s\n",
+ (void) fprintf(stderr,
+ "third token = %s\n",
config_file_data[line_number]->source_netmask);
#endif
- config_file_data[line_number]->source_net =
+ config_file_data[line_number]->source_net =
inet_addr(config_file_data[line_number]->source_netmask);
} else
bad_token = 1;
@@ -348,7 +348,7 @@ doConfigPermitDeny(
if (doVerifyHostMaskToken(token))
{
- if ((config_file_data[line_number]->dest_hostname =
+ if ((config_file_data[line_number]->dest_hostname =
(char *) malloc (strlen(result) + 1)) == NULL)
{
(void) fprintf(stderr, "malloc - config rule (destination host)\n");
@@ -356,11 +356,11 @@ doConfigPermitDeny(
}
strcpy(config_file_data[line_number]->dest_hostname, result);
#ifdef DEBUG
- (void) fprintf(stderr,
- "fourth token = %s\n",
+ (void) fprintf(stderr,
+ "fourth token = %s\n",
config_file_data[line_number]->dest_hostname);
#endif
- config_file_data[line_number]->dest_host =
+ config_file_data[line_number]->dest_host =
inet_addr(config_file_data[line_number]->dest_hostname);
} else
bad_token = 1;
@@ -376,7 +376,7 @@ doConfigPermitDeny(
if (doVerifyHostMaskToken(token))
{
- if ((config_file_data[line_number]->dest_netmask =
+ if ((config_file_data[line_number]->dest_netmask =
(char *) malloc (strlen(result) + 1)) == NULL)
{
(void) fprintf(stderr, "malloc - config rule (destination mask)\n");
@@ -384,11 +384,11 @@ doConfigPermitDeny(
}
strcpy(config_file_data[line_number]->dest_netmask, result);
#ifdef DEBUG
- (void) fprintf(stderr,
- "fifth token = %s\n",
+ (void) fprintf(stderr,
+ "fifth token = %s\n",
config_file_data[line_number]->dest_netmask);
#endif
- config_file_data[line_number]->dest_net =
+ config_file_data[line_number]->dest_net =
inet_addr(config_file_data[line_number]->dest_netmask);
} else
bad_token = 1;
@@ -401,7 +401,7 @@ doConfigPermitDeny(
{
if (!strcmp("eq", result))
{
- if ((config_file_data[line_number]->operator =
+ if ((config_file_data[line_number]->operator =
(char *) malloc (strlen(result) + 1)) == NULL)
{
(void) fprintf(stderr, "malloc - config rule (op)\n");
@@ -409,8 +409,8 @@ doConfigPermitDeny(
}
strcpy(config_file_data[line_number]->operator, result);
#ifdef DEBUG
- (void) fprintf(stderr,
- "sixth token = %s\n",
+ (void) fprintf(stderr,
+ "sixth token = %s\n",
config_file_data[line_number]->operator);
#endif
} else
@@ -422,11 +422,11 @@ doConfigPermitDeny(
*/
if ((result = strtok(NULL, SEPARATOR1)) != NULL)
{
- if (!(strncmp("pm", result, 2)) ||
+ if (!(strncmp("pm", result, 2)) ||
(!strncmp("fp", result, 2)) ||
- (!strncmp("cd", result, 2)))
+ (!strncmp("cd", result, 2)))
{
- if ((config_file_data[line_number]->service =
+ if ((config_file_data[line_number]->service =
(char *) malloc (strlen(result) + 1)) == NULL)
{
(void) fprintf(stderr, "malloc - config rule (service)\n");
@@ -434,8 +434,8 @@ doConfigPermitDeny(
}
strcpy(config_file_data[line_number]->service, result);
#ifdef DEBUG
- (void) fprintf(stderr,
- "seventh token = %s\n",
+ (void) fprintf(stderr,
+ "seventh token = %s\n",
config_file_data[line_number]->service);
#endif
/*
@@ -445,7 +445,7 @@ doConfigPermitDeny(
config_file_data[line_number]->service_id = PMGR;
else if (!strncmp(config_file_data[line_number]->service, "fp", 2))
config_file_data[line_number]->service_id = FINDPROXY;
- else
+ else
if (!strncmp(config_file_data[line_number]->service, "cd", 2))
config_file_data[line_number]->service_id = CLIENT;
} else
@@ -457,13 +457,13 @@ doConfigPermitDeny(
*/
if (bad_token ||
(config_file_data[line_number]->permit_deny == NULL) ||
- ((config_file_data[line_number]->permit_deny != NULL) &&
+ ((config_file_data[line_number]->permit_deny != NULL) &&
(config_file_data[line_number]->source_hostname == NULL)) ||
- ((config_file_data[line_number]->source_hostname != NULL) &&
- (config_file_data[line_number]->source_netmask == NULL)) ||
- ((config_file_data[line_number]->dest_hostname != NULL) &&
- (config_file_data[line_number]->dest_netmask == NULL)) ||
- ((config_file_data[line_number]->operator != NULL) &&
+ ((config_file_data[line_number]->source_hostname != NULL) &&
+ (config_file_data[line_number]->source_netmask == NULL)) ||
+ ((config_file_data[line_number]->dest_hostname != NULL) &&
+ (config_file_data[line_number]->dest_netmask == NULL)) ||
+ ((config_file_data[line_number]->operator != NULL) &&
(config_file_data[line_number]->service == NULL)))
return 1;
@@ -471,7 +471,7 @@ doConfigPermitDeny(
return 0;
}
-static int
+static int
doProcessLine(
char *line,
struct config *config_info,
@@ -506,7 +506,7 @@ doProcessLine(
/*
* Public functions
*/
-char*
+char*
Malloc(
int s)
{
@@ -515,10 +515,10 @@ Malloc(
if (!p)
MallocFailed();
- return p;
+ return p;
}
-int
+int
doConfigCheck(
struct sockaddr_in * source_sockaddr_in,
struct sockaddr_in * dest_sockaddr_in,
@@ -531,12 +531,12 @@ doConfigCheck(
/*
* look through the config file parse tree for a source IP address
* that matches this request
- */
+ */
for (line_counter = 0; line_counter < config_info->rule_count; line_counter++)
{
if (config_info->config_file_data[line_counter] != NULL)
{
- if ((source_sockaddr_in->sin_addr.s_addr &
+ if ((source_sockaddr_in->sin_addr.s_addr &
(~(config_info->config_file_data[line_counter]->source_net))) ==
config_info->config_file_data[line_counter]->source_host)
{
@@ -556,12 +556,12 @@ doConfigCheck(
/*
* compute destination info restrictions
*/
- if ((dest_sockaddr_in->sin_addr.s_addr &
+ if ((dest_sockaddr_in->sin_addr.s_addr &
(~(config_info->config_file_data[line_counter]->dest_net))) ==
config_info->config_file_data[line_counter]->dest_host)
{
/*
- * you got a match on the destination, so look at
+ * you got a match on the destination, so look at
* the operator and service fields to see if the "permit"
* might be specific to one particular connection-type only
*/
@@ -571,24 +571,24 @@ doConfigCheck(
* there *is* a service id; see if it matches our current
* config check request
*/
- if (config_info->config_file_data[line_counter]->service_id ==
+ if (config_info->config_file_data[line_counter]->service_id ==
context)
{
- doPrintEval(config_info, line_counter);
+ doPrintEval(config_info, line_counter);
/*
- * if you are permitting, there's no rule match to log
+ * if you are permitting, there's no rule match to log
*/
*rule_number = line_counter + 1;
return 1;
} else
/*
- * we didn't get a match on context; this "permit" doesn't
- * apply to the current request; so keep trying
+ * we didn't get a match on context; this "permit" doesn't
+ * apply to the current request; so keep trying
*/
continue;
- } else
+ } else
/*
- * there's no service qualifier; permit the connection
+ * there's no service qualifier; permit the connection
*/
doPrintEval(config_info, line_counter);
*rule_number = line_counter + 1;
@@ -601,7 +601,7 @@ doConfigCheck(
} else if ((config_info->
config_file_data[line_counter]->dest_hostname) &&
(context == PMGR))
- {
+ {
/*
* skip the destination address check and test for
* the operator and service_id
@@ -610,9 +610,9 @@ doConfigCheck(
{
/*
* there *is* a service id; see if it matches our current
- * config check context
+ * config check context
*/
- if (config_info->config_file_data[line_counter]->service_id
+ if (config_info->config_file_data[line_counter]->service_id
== context)
{
doPrintEval(config_info, line_counter);
@@ -623,13 +623,13 @@ doConfigCheck(
} else
/*
* we didn't get a match on context; this "permit" doesn't
- * apply to the current client request; so keep trying
+ * apply to the current client request; so keep trying
*/
continue;
- } else
- {
+ } else
+ {
/*
- * there's no service qualifier; permit the connection
+ * there's no service qualifier; permit the connection
*/
doPrintEval(config_info, line_counter);
*rule_number = line_counter + 1;
@@ -657,7 +657,7 @@ doConfigCheck(
/*
* compute destination info restrictions
*/
- if ((dest_sockaddr_in->sin_addr.s_addr &
+ if ((dest_sockaddr_in->sin_addr.s_addr &
(~(config_info->config_file_data[line_counter]->dest_net))) ==
config_info->config_file_data[line_counter]->dest_host)
{
@@ -672,15 +672,15 @@ doConfigCheck(
* there *is* a service id; see if it matches our current
* config check request
*/
- if (config_info->config_file_data[line_counter]->service_id ==
+ if (config_info->config_file_data[line_counter]->service_id ==
context)
{
/*
* the match signifies an explicit denial of permission
*/
- doPrintEval(config_info, line_counter);
+ doPrintEval(config_info, line_counter);
/*
- * save the rule match number before returning
+ * save the rule match number before returning
*/
*rule_number = line_counter + 1;
return 0;
@@ -688,30 +688,30 @@ doConfigCheck(
/*
* we didn't get a match on the service id; the "deny"
* operation doesn't apply to this connection, so keep
- * trying
+ * trying
*/
continue;
- } else
+ } else
{
/*
- * there's no service qualifier; deny the connection
+ * there's no service qualifier; deny the connection
*/
- doPrintEval(config_info, line_counter);
+ doPrintEval(config_info, line_counter);
/*
- * save the rule match number before returning
+ * save the rule match number before returning
*/
*rule_number = line_counter + 1;
return 0;
- }
+ }
} else
/*
- * the destination field doesn't match; keep trying
+ * the destination field doesn't match; keep trying
*/
continue;
} else if ((config_info->
config_file_data[line_counter]->dest_hostname) &&
(context == PMGR))
- {
+ {
/*
* skip the destination address check and test for
* the operator and service_id
@@ -720,15 +720,15 @@ doConfigCheck(
{
/*
* there *is* a service id; see if it matches our current
- * config check context
+ * config check context
*/
- if (config_info->config_file_data[line_counter]->service_id ==
+ if (config_info->config_file_data[line_counter]->service_id ==
context)
{
/*
* this is a request to explicitly deny service, so do it
*/
- doPrintEval(config_info, line_counter);
+ doPrintEval(config_info, line_counter);
/*
* not logging PM events, but if we were, save rule match here
*/
@@ -736,15 +736,15 @@ doConfigCheck(
} else
/*
* we didn't get a match on context; this "deny" doesn't
- * apply to the current client request; so keep trying
+ * apply to the current client request; so keep trying
*/
continue;
- } else
+ } else
{
/*
- * there's no service qualifier; deny the connection
+ * there's no service qualifier; deny the connection
*/
- doPrintEval(config_info, line_counter);
+ doPrintEval(config_info, line_counter);
/*
* if we were logging PM events ...
*/
@@ -755,12 +755,12 @@ doConfigCheck(
/*
* there's no destination specified; deny the connection
*/
- doPrintEval(config_info, line_counter);
+ doPrintEval(config_info, line_counter);
/*
* save rule match
*/
*rule_number = line_counter + 1;
- return 0;
+ return 0;
}
} /* end else deny */
} /* end if match on source */
@@ -774,7 +774,7 @@ doConfigCheck(
if (config_info->config_file_path == NULL)
{
if (printConfigVerify)
- (void) fprintf(stderr,
+ (void) fprintf(stderr,
"matched default permit 0.0.0.0 255.255.255.255\n");
/*
* there's no rule match to save
@@ -801,14 +801,14 @@ doConfigCheck(
(void) fprintf(stderr, "matched default deny 0.0.0.0 255.255.255.255\n");
/*
- * not in this case either
+ * not in this case either
*/
*rule_number = -1;
return 0;
}
-void
+void
doCheckTimeouts(
struct config * config_info,
int * nfds_ready,
@@ -820,20 +820,20 @@ doCheckTimeouts(
int client_data_counter;
int client_listen_counter;
int pm_conn_counter;
- struct timeval current_time;
+ struct timeval current_time;
struct timezone current_zone;
/*
* get current time
*/
- gettimeofday(&current_time, &current_zone);
+ gettimeofday(&current_time, &current_zone);
/*
- * start with the clients; we have to do them all, because a
+ * start with the clients; we have to do them all, because a
* timeout may occur even if the object's fd is not currently
* readable or writable
*/
- for (client_data_counter = 0;
+ for (client_data_counter = 0;
client_data_counter < config_info->num_client_conns;
client_data_counter++)
{
@@ -842,21 +842,21 @@ doCheckTimeouts(
/*
* do the shutdown time computation
*/
- if ((current_time.tv_sec
- - client_conn_array[client_data_counter]->creation_time)
+ if ((current_time.tv_sec
+ - client_conn_array[client_data_counter]->creation_time)
> client_conn_array[client_data_counter]->time_to_close)
{
/*
* time to shut this client conn down; we're not going to be graceful
- * about it, either; we're just going to clear the select() masks for
+ * about it, either; we're just going to clear the select() masks for
* the relevant file descriptors, close these fd's and deallocate
- * the connection objects (for both client and server), and finally
+ * the connection objects (for both client and server), and finally
* adjust the select() return params as necessary
*/
FD_CLR(client_conn_array[client_data_counter]->fd, rinit);
FD_CLR(client_conn_array[client_data_counter]->fd, winit);
FD_CLR(client_conn_array[client_data_counter]->conn_to, rinit);
- FD_CLR(client_conn_array[client_data_counter]->conn_to, winit);
+ FD_CLR(client_conn_array[client_data_counter]->conn_to, winit);
close(client_conn_array[client_data_counter]->fd);
close(client_conn_array[client_data_counter]->conn_to);
free(client_conn_array[client_conn_array[client_data_counter]->conn_to]);
@@ -865,12 +865,12 @@ doCheckTimeouts(
if (client_conn_array[client_data_counter]->destination)
free(client_conn_array[client_data_counter]->destination);
free(client_conn_array[client_data_counter]);
- client_conn_array[client_conn_array[client_data_counter]->conn_to] =
+ client_conn_array[client_conn_array[client_data_counter]->conn_to] =
NULL;
- client_conn_array[client_data_counter] = NULL;
+ client_conn_array[client_data_counter] = NULL;
/*
* the nfds_ready value is tricky, because we're not sure if we got
- * a readable or writable on the associated connection for this
+ * a readable or writable on the associated connection for this
* iteration through select(); we'll decrement it one instead of two,
* but it really doesn't matter either way given the logic of the
* process readables and writables code
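Review bot: `client_conn_array[client_data_counter]` is freed and then dereferenced in the very next statement to read `conn_to`, which is a use after free. Only the peer's slot index is needed at that point, so read it once before any `free()` with `int peer = client_conn_array[client_data_counter]->conn_to;` and clear the slot afterwards with `client_conn_array[peer] = NULL;`. The loop body in doCheckTimeouts starts before this hunk and continues after it.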
@@ -880,48 +880,48 @@ doCheckTimeouts(
* if you just shut this connection object down, you don't want
* to reset its creation date to now, so go to the next one
*/
- continue;
+ continue;
}
/*
* recompute select() timeout to maximize blocking time without
* preventing timeout checking
*/
- config_info->select_timeout.tv_sec =
+ config_info->select_timeout.tv_sec =
min(config_info->select_timeout.tv_sec,
client_conn_array[client_data_counter]->time_to_close -
- (current_time.tv_sec -
+ (current_time.tv_sec -
client_conn_array[client_data_counter]->creation_time));
/*
* this wasn't a shutdown case, so check to see if there's activity
- * on the fd; if so, then reset the creation time field to now
+ * on the fd; if so, then reset the creation time field to now
*/
if (FD_ISSET(client_conn_array[client_data_counter]->fd, readable) ||
- FD_ISSET(client_conn_array[client_data_counter]->fd, writable))
- client_conn_array[client_data_counter]->creation_time =
+ FD_ISSET(client_conn_array[client_data_counter]->fd, writable))
+ client_conn_array[client_data_counter]->creation_time =
current_time.tv_sec;
/*
* do the same thing with the conn_to connections, but only
* if they haven't already been marked for closing
*/
if ((client_conn_array[client_data_counter]->conn_to) > 0)
- {
-
- if ((FD_ISSET(client_conn_array[client_data_counter]->conn_to,
- readable)) ||
- (FD_ISSET(client_conn_array[client_data_counter]->conn_to,
+ {
+
+ if ((FD_ISSET(client_conn_array[client_data_counter]->conn_to,
+ readable)) ||
+ (FD_ISSET(client_conn_array[client_data_counter]->conn_to,
writable)))
- client_conn_array[client_data_counter]->creation_time =
+ client_conn_array[client_data_counter]->creation_time =
current_time.tv_sec;
}
}
- }
+ }
/*
- * now do the client listen fds; as with the client data objects,
+ * now do the client listen fds; as with the client data objects,
* we have to do them all, because a timeout may occur even if the
* object's fd is not currently readable or writable
*/
- for (client_listen_counter = 0;
+ for (client_listen_counter = 0;
client_listen_counter < config_info->num_servers;
client_listen_counter++)
{
@@ -930,8 +930,8 @@ doCheckTimeouts(
/*
* do the shutdown time computation
*/
- if ((current_time.tv_sec
- - server_array[client_listen_counter]->creation_time)
+ if ((current_time.tv_sec
+ - server_array[client_listen_counter]->creation_time)
> server_array[client_listen_counter]->time_to_close)
{
/*
@@ -945,40 +945,40 @@ doCheckTimeouts(
FD_CLR(server_array[client_listen_counter]->client_listen_fd, winit);
close(server_array[client_listen_counter]->client_listen_fd);
free(server_array[client_listen_counter]);
- server_array[client_listen_counter] = NULL;
+ server_array[client_listen_counter] = NULL;
(*nfds_ready)--; /* XXX */
/*
* if you just shut this connection object down, you don't want
* to reset its creation date to now, so go to the next one
*/
- continue;
+ continue;
}
/*
* recompute select() timeout to maximize blocking time without
* preventing timeout checking
*/
- config_info->select_timeout.tv_sec =
+ config_info->select_timeout.tv_sec =
min(config_info->select_timeout.tv_sec,
server_array[client_listen_counter]->time_to_close -
- (current_time.tv_sec -
+ (current_time.tv_sec -
server_array[client_listen_counter]->creation_time));
/*
* this wasn't a shutdown case, so check to see if there's activity
- * on the fd; if so, then reset the creation time field to now
+ * on the fd; if so, then reset the creation time field to now
*/
- if (FD_ISSET(server_array[client_listen_counter]->client_listen_fd,
+ if (FD_ISSET(server_array[client_listen_counter]->client_listen_fd,
readable) ||
- FD_ISSET(server_array[client_listen_counter]->client_listen_fd,
+ FD_ISSET(server_array[client_listen_counter]->client_listen_fd,
writable))
- server_array[client_listen_counter]->creation_time =
+ server_array[client_listen_counter]->creation_time =
current_time.tv_sec;
}
- }
+ }
/*
* last of all the pm connection fds
*/
- for (pm_conn_counter = 0;
+ for (pm_conn_counter = 0;
pm_conn_counter < config_info->num_pm_conns;
pm_conn_counter++)
{
@@ -987,12 +987,12 @@ doCheckTimeouts(
/*
* do the shutdown time computation
*/
- if ((current_time.tv_sec
- - pm_conn_array[pm_conn_counter]->creation_time)
+ if ((current_time.tv_sec
+ - pm_conn_array[pm_conn_counter]->creation_time)
> pm_conn_array[pm_conn_counter]->time_to_close)
{
/*
- * shut this connection down just like the others
+ * shut this connection down just like the others
*/
FD_CLR(pm_conn_array[pm_conn_counter]->fd, rinit);
FD_CLR(pm_conn_array[pm_conn_counter]->fd, winit);
@@ -1004,23 +1004,23 @@ doCheckTimeouts(
* if you just shut this connection object down, you don't want
* to reset its creation date to now, so go to the next one
*/
- continue;
+ continue;
}
/*
* recompute select() timeout to maximize blocking time without
* preventing timeout checking
*/
- config_info->select_timeout.tv_sec =
+ config_info->select_timeout.tv_sec =
min(config_info->select_timeout.tv_sec,
pm_conn_array[pm_conn_counter]->time_to_close -
- (current_time.tv_sec -
+ (current_time.tv_sec -
pm_conn_array[pm_conn_counter]->creation_time));
/*
* this wasn't a shutdown case, so check to see if there's activity
- * on the fd; if so, then reset the creation time field to now
+ * on the fd; if so, then reset the creation time field to now
*/
- if (FD_ISSET(pm_conn_array[pm_conn_counter]->fd, readable) ||
- FD_ISSET(pm_conn_array[pm_conn_counter]->fd, writable))
+ if (FD_ISSET(pm_conn_array[pm_conn_counter]->fd, readable) ||
+ FD_ISSET(pm_conn_array[pm_conn_counter]->fd, writable))
pm_conn_array[pm_conn_counter]->creation_time = current_time.tv_sec;
}
}
@@ -1045,9 +1045,9 @@ doHandleConfigFile (
return 0;
}
- while (1)
- {
- if ((fgets(line, num_chars, stream)) == NULL)
+ while (1)
+ {
+ if ((fgets(line, num_chars, stream)) == NULL)
{
#ifdef DEBUG
(void) fprintf(stderr, "Reading config file - got 0 bytes\n");
@@ -1068,7 +1068,7 @@ doHandleConfigFile (
(void) fclose(stream);
return 0;
}
- }
+ }
if (!feof(stream))
{
@@ -1084,7 +1084,7 @@ doHandleConfigFile (
return 1;
}
-void
+void
doWriteLogEntry(
char * source,
char * destination,
@@ -1094,7 +1094,7 @@ doWriteLogEntry(
{
FILE * stream;
struct timezone current_zone;
- struct timeval current_time;
+ struct timeval current_time;
char * time_stamp;
int time_length;
@@ -1114,7 +1114,7 @@ doWriteLogEntry(
if ((stream = fopen(config_info->log_file_path, "a")) == NULL)
{
- (void) fprintf(stderr,
+ (void) fprintf(stderr,
"Failed to open log file '%s'\n",
config_info->log_file_path);
return;
@@ -1122,9 +1122,9 @@ doWriteLogEntry(
/*
* generate time stamp for this event
- */
- gettimeofday(&current_time, &current_zone);
- time_stamp = ctime((time_t *) &current_time.tv_sec);
+ */
+ gettimeofday(&current_time, &current_zone);
+ time_stamp = ctime((time_t *) &current_time.tv_sec);
time_length = strlen(time_stamp);
/*
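Review bot: `ctime((time_t *) &current_time.tv_sec)` casts the address of `tv_sec` to `time_t *`, which is only valid where both types have the same size, and the result is passed to `strlen()` although `ctime()` may return NULL. Copying the value first avoids both problems: `time_t now = current_time.tv_sec; time_stamp = ctime(&now); if (time_stamp == NULL) { (void) fclose(stream); return; }`. doWriteLogEntry starts and ends outside this hunk.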
@@ -1138,35 +1138,35 @@ doWriteLogEntry(
(source) ? source : "",
(destination) ? destination : "",
rule_number);
-
- (void) fclose(stream);
+
+ (void) fclose(stream);
}
-void
+void
doCopyFromTo(
- int fd_from,
- int fd_to,
+ int fd_from,
+ int fd_to,
fd_set * rinit,
fd_set * winit)
{
int ncopy;
-
+
if (client_conn_array[fd_from]->wbytes < RWBUFFER_SIZE)
{
/*
* choose to write either how much you have (from->rbytes),
* or how much you can hold (to->wbytes), whichever is
- * smaller
+ * smaller
*/
ncopy = min(client_conn_array[fd_from]->rbytes,
RWBUFFER_SIZE - client_conn_array[fd_to]->wbytes);
/*
* index into existing number bytes into the write buffer
- * to get the start point for copying
+ * to get the start point for copying
*/
bcopy(client_conn_array[fd_from]->readbuf,
- client_conn_array[fd_to]->writebuf +
+ client_conn_array[fd_to]->writebuf +
client_conn_array[fd_to]->wbytes, ncopy);
/*
* Then up the to->wbytes counter
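Review bot: The guard in doCopyFromTo tests `client_conn_array[fd_from]->wbytes`, but the buffer being filled is `client_conn_array[fd_to]->writebuf`, and the comment near the end of the function speaks of room in the fd_to write buffer; the condition probably should be `if (client_conn_array[fd_to]->wbytes < RWBUFFER_SIZE)`. As written, nothing in view establishes that `RWBUFFER_SIZE - client_conn_array[fd_to]->wbytes` is non-negative before `bcopy()` runs, and a negative `ncopy` would be converted to a very large length. The function body continues past this hunk.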
@@ -1175,7 +1175,7 @@ doCopyFromTo(
/*
* something has to be done here with the select mask!!
*/
- FD_SET(fd_to, winit);
+ FD_SET(fd_to, winit);
if (ncopy == client_conn_array[fd_from]->rbytes)
client_conn_array[fd_from]->rbytes = 0;
else
@@ -1191,7 +1191,7 @@ doCopyFromTo(
FD_SET(fd_to, rinit);
}
/*
- * If there's no room in the fd_to write buffer, do nothing
+ * If there's no room in the fd_to write buffer, do nothing
* this iteration (keep iterating on select() until something
* gets written from this fd)
*/
@@ -1199,9 +1199,9 @@ doCopyFromTo(
}
-int
+int
doCheckServerList(
- char * server_address,
+ char * server_address,
char ** listen_port_string,
int num_servers)
{
@@ -1209,8 +1209,8 @@ doCheckServerList(
* this routine checks the server_address (provided by XFindProxy
* and forwarded through the PM to the FWP) against the list of
* servers to which connections have already been established;
- * it does no format type checking or conversions! (i.e., network-id
- * vs. hostname representations); if the string received is not an
+ * it does no format type checking or conversions! (i.e., network-id
+ * vs. hostname representations); if the string received is not an
* exact match to one in the list, FWP will open a new connection
* to the specified server, even though one may already exist under
* a different name-format; all this is in a separate routine in
@@ -1221,23 +1221,23 @@ doCheckServerList(
for (list_counter = 0; list_counter < num_servers; list_counter++)
{
if (server_array[list_counter] != NULL)
- {
- if (!strcmp(server_array[list_counter]->x_server_hostport,
+ {
+ if (!strcmp(server_array[list_counter]->x_server_hostport,
server_address))
{
/*
- * allocate and return the listen_port_string
+ * allocate and return the listen_port_string
*/
if ((*listen_port_string = (char *) malloc
- (strlen(server_array[list_counter]->listen_port_string) + 1))
+ (strlen(server_array[list_counter]->listen_port_string) + 1))
== NULL)
{
(void) fprintf(stderr, "malloc - listen_port_string\n");
return FAILURE;
}
- strcpy(*listen_port_string,
+ strcpy(*listen_port_string,
server_array[list_counter]->listen_port_string);
- return SUCCESS;
+ return SUCCESS;
}
}
}
@@ -1245,10 +1245,10 @@ doCheckServerList(
}
-void
+void
doProcessInputArgs (
- struct config * config_info,
- int argc,
+ struct config * config_info,
+ int argc,
char * argv[])
{
int arg_counter;
@@ -1265,10 +1265,10 @@ doProcessInputArgs (
config_info->config_file_data = NULL;
config_info->config_file_path = NULL;
config_info->log_file_path = NULL;
-
+
/*
- * initialize timeout for three port types; if a timeout for a
- * particular port type (pmdata, clientlisten, clientdata) is
+ * initialize timeout for three port types; if a timeout for a
+ * particular port type (pmdata, clientlisten, clientdata) is
* not specified explicitly, then it assumes the hard-coded
* default value; initialize other command line options here
* as well
@@ -1281,7 +1281,7 @@ doProcessInputArgs (
{
if (arg_counter + 1 == argc)
{
- break_flag = 1;
+ break_flag = 1;
break;
}
config_info->pm_data_timeout = atoi(argv[arg_counter + 1]);
@@ -1291,7 +1291,7 @@ doProcessInputArgs (
if (arg_counter + 1 == argc)
{
break_flag = 1;
- break;
+ break;
}
config_info->client_listen_timeout = atoi(argv[arg_counter + 1]);
}
@@ -1300,7 +1300,7 @@ doProcessInputArgs (
if (arg_counter + 1 == argc)
{
break_flag = 1;
- break;
+ break;
}
config_info->client_data_timeout = atoi(argv[arg_counter + 1]);
}
@@ -1308,13 +1308,13 @@ doProcessInputArgs (
{
if (arg_counter + 1 == argc)
{
- break_flag = 1;
+ break_flag = 1;
break;
}
if (atoi(argv[arg_counter + 1]) > 65536)
{
break_flag = 1;
- break;
+ break;
}
config_info->pm_listen_port = Malloc(strlen(argv[arg_counter+1])+1);
strcpy(config_info->pm_listen_port, argv[arg_counter + 1]);
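Review bot: The port check `atoi(argv[arg_counter + 1]) > 65536` lets 65536, zero, negative numbers and non-numeric text through, because `atoi()` reports no errors and returns 0 for garbage; the unvalidated string is then copied into `pm_listen_port`. Parsing with `strtol()` and rejecting anything outside 1..65535 or with trailing characters closes that: `v = strtol(s, &end, 10); if (end == s || *end != '\0' || v < 1 || v > 65535) { break_flag = 1; break; }`. The timeout and connection-count options in the neighbouring hunks rely on the same unchecked `atoi()`. The option loop in doProcessInputArgs begins and ends outside this hunk.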
@@ -1323,7 +1323,7 @@ doProcessInputArgs (
{
if (arg_counter + 1 == argc)
{
- break_flag = 1;
+ break_flag = 1;
break;
}
config_info->num_pm_conns = atoi(argv[arg_counter + 1]);
@@ -1332,7 +1332,7 @@ doProcessInputArgs (
{
if (arg_counter + 1 == argc)
{
- break_flag = 1;
+ break_flag = 1;
break;
}
config_info->num_servers = atoi(argv[arg_counter + 1]);
@@ -1342,7 +1342,7 @@ doProcessInputArgs (
if (arg_counter + 1 == argc)
{
break_flag = 1;
- break;
+ break;
}
config_info->config_file_path = Malloc(strlen(argv[arg_counter+1])+1);
strcpy(config_info->config_file_path, argv[arg_counter + 1]);
@@ -1366,7 +1366,7 @@ doProcessInputArgs (
if ((arg_counter + 1 == argc) || (atoi(argv[arg_counter + 1]) > 1))
{
break_flag = 1;
- break;
+ break;
}
config_info->log_level = atoi(argv[arg_counter + 1]);
}
@@ -1376,7 +1376,7 @@ doProcessInputArgs (
Usage();
}
}
- }
+ }
if (break_flag)
Usage();
@@ -1396,7 +1396,7 @@ doProcessInputArgs (
#endif
#endif
- client_conn_array = (struct client_conn_buf **)
+ client_conn_array = (struct client_conn_buf **)
malloc (config_info->num_client_conns * sizeof (struct client_conn_buf *));
if (!client_conn_array)
{
@@ -1406,9 +1406,9 @@ doProcessInputArgs (
if (!config_info->num_pm_conns)
config_info->num_pm_conns = MAX_PM_CONNS;
- pm_conn_array = (struct pm_conn_buf **)
+ pm_conn_array = (struct pm_conn_buf **)
malloc (config_info->num_client_conns * sizeof (struct pm_conn_buf *));
- if (!pm_conn_array)
+ if (!pm_conn_array)
{
(void) fprintf (stderr, "malloc - PM connection array\n");
exit (1);
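Review bot: `pm_conn_array` is sized with `config_info->num_client_conns`, while doCheckTimeouts indexes it up to `config_info->num_pm_conns`; this looks like a copy of the client array allocation, and if `num_pm_conns` is the larger value that loop reads past the end of the allocation. The size should be `config_info->num_pm_conns * sizeof (struct pm_conn_buf *)`, or `calloc(config_info->num_pm_conns, sizeof *pm_conn_array)`, which also checks the multiplication. Because the count comes from `atoi()` on the command line, a negative value should be rejected before it reaches the allocation.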
@@ -1443,7 +1443,7 @@ doProcessInputArgs (
int
doInitDataStructs(
- struct config * config_info,
+ struct config * config_info,
struct ICE_setup_info * pm_conn_setup)
{
int i;
@@ -1457,7 +1457,7 @@ doInitDataStructs(
* them
*/
config_info->select_timeout.tv_usec = 0;
- config_info->select_timeout.tv_sec = 180000;
+ config_info->select_timeout.tv_sec = 180000;
/*
* NULL the connection arrays
@@ -1476,7 +1476,7 @@ doInitDataStructs(
pm_conn_setup->versionCount = 1;
pm_conn_setup->PMVersions->major_version = 1;
pm_conn_setup->PMVersions->minor_version = 0;
- pm_conn_setup->PMVersions->process_msg_proc =
+ pm_conn_setup->PMVersions->process_msg_proc =
(IcePaProcessMsgProc) FWPprocessMessages;
/*
* Register for protocol setup
diff --git a/misc.h b/misc.h
index f1e7064..314ceb2 100644
--- a/misc.h
+++ b/misc.h
@@ -1,7 +1,7 @@
/* $Xorg: misc.h,v 1.4 2001/02/09 02:05:45 xorgcvs Exp $ */
/*
-Copyright "1986-1997, 1998 The Open Group
+Copyright "1986-1997, 1998 The Open Group
Permission to use, copy, modify, distribute, and sell this software and its
documentation for any purpose is hereby granted without fee, provided that
@@ -51,19 +51,19 @@ X Window System is a trademark of The Open Group.
#define SEPARATOR2 '.'
-extern char*
+extern char*
Malloc(
int s);
-extern int
+extern int
doConfigCheck(
struct sockaddr_in * source_sockaddr_in,
struct sockaddr_in * dest_sockaddr_in,
struct config * config_info,
int context,
int * rule_number);
-
-extern void
+
+extern void
doCheckTimeouts(
struct config * config_info,
int * nfds_ready,
@@ -76,7 +76,7 @@ extern int
doHandleConfigFile (
struct config * config_info);
-extern void
+extern void
doWriteLogEntry(
char * source,
char * destination,
@@ -91,21 +91,21 @@ doCopyFromTo(
fd_set * rinit,
fd_set * winit);
-extern int
+extern int
doCheckServerList(
char * server_address,
char ** listen_port_string,
int num_servers);
-extern void
+extern void
doProcessInputArgs(
- struct config * config_info,
- int argc,
+ struct config * config_info,
+ int argc,
char * argv[]);
-extern int
+extern int
doInitDataStructs(
- struct config * config_info,
+ struct config * config_info,
struct ICE_setup_info * PM_conn_setup);
#endif /* _MISC_H */
diff --git a/pm.c b/pm.c
index 4b6691e..5735c01 100644
--- a/pm.c
+++ b/pm.c
@@ -1,7 +1,7 @@
/* $Xorg: pm.c,v 1.4 2001/02/09 02:05:45 xorgcvs Exp $ */
/*
-Copyright "1986-1997, 1998 The Open Group
+Copyright "1986-1997, 1998 The Open Group
Permission to use, copy, modify, distribute, and sell this software and its
documentation for any purpose is hereby granted without fee, provided that
@@ -68,14 +68,14 @@ X Window System is a trademark of The Open Group.
#include "misc.h"
void FWPprocessMessages(
- IceConn iceConn,
+ IceConn iceConn,
IcePointer * client_data,
int opcode,
unsigned long length,
Bool swap)
{
switch (opcode)
- {
+ {
/*
* this is really the only opcode we care about -- the one
* which indicates an XFindProxy request for a connection
@@ -89,7 +89,7 @@ void FWPprocessMessages(
char *hostAddress = NULL, *startOptions = NULL;
char *authName = NULL, *authData = NULL;
int authLen;
- struct clientDataStruct * program_data;
+ struct clientDataStruct * program_data;
char * listen_port_string;
int pm_send_msg_len;
pmGetProxyAddrReplyMsg * pReply;
@@ -113,7 +113,7 @@ void FWPprocessMessages(
#if 0 /* No-op */
/*
* initial check on expected message size
- */
+ */
CHECK_AT_LEAST_SIZE (iceConn, global_data.major_opcode, opcode,
length, SIZEOF (pmGetProxyAddrMsg), IceFatalToProtocol);
#endif
@@ -163,17 +163,17 @@ void FWPprocessMessages(
memcpy (authData, pData, authLen);
}
#ifdef DEBUG
- (void) fprintf (stderr,
+ (void) fprintf (stderr,
"Got GetProxyAddr, serviceName = %s, serverAddr = %s\n",
serviceName, serverAddress);
- (void) fprintf (stderr,
+ (void) fprintf (stderr,
"\thostAddr = %s, options = %s, authLen = %d\n",
hostAddress, startOptions, authLen);
if (authLen > 0)
(void) fprintf (stderr, "\tauthName = %s\n", authName);
#endif
/*
- * need to copy the host port string because strtok() changes it
+ * need to copy the host port string because strtok() changes it
*/
if ((tmp_str = strdup (serverAddress)) == NULL)
{
@@ -183,7 +183,7 @@ void FWPprocessMessages(
/*
* before proceeding we want to verify that we are allowed to
- * accept connections from the host who called xfindproxy();
+ * accept connections from the host who called xfindproxy();
* the thing is, we don't get that host name from Proxy Manager
* even if the "-host <hostname>" command-line option was present
* in xfindproxy (and even if it was we shouldn't rely on it --
@@ -200,37 +200,37 @@ void FWPprocessMessages(
goto sendFailure;
}
memset(&server_sockaddr_in, 0, sizeof(server_sockaddr_in));
- memset(&dummy_sockaddr_in, 0, sizeof(dummy_sockaddr_in));
- memcpy((char *) &server_sockaddr_in.sin_addr,
+ memset(&dummy_sockaddr_in, 0, sizeof(dummy_sockaddr_in));
+ memcpy((char *) &server_sockaddr_in.sin_addr,
hostptr->h_addr,
hostptr->h_length);
/*
* need to initialize dummy to something, but doesn't matter
- * what (should eventually be the true host address);
+ * what (should eventually be the true host address);
* NOTE: source configuration will always match (see XFWP man
- * page) unless sysadmin explicitly chooses to deny
+ * page) unless sysadmin explicitly chooses to deny
*/
- memcpy((char *) &dummy_sockaddr_in.sin_addr,
+ memcpy((char *) &dummy_sockaddr_in.sin_addr,
hostptr->h_addr,
hostptr->h_length);
- if ((doConfigCheck(&dummy_sockaddr_in,
+ if ((doConfigCheck(&dummy_sockaddr_in,
&server_sockaddr_in,
global_data.config_info,
FINDPROXY,
&rule_number)) == FAILURE)
- {
+ {
(void) fprintf(stderr, "xfindproxy failed config check\n");
sendFailure:
/*
* report failure back to the ProxyMgr
- *
+ *
*/
pm_send_msg_len = STRING_BYTES(config_failure)
+ STRING_BYTES("");
- IceGetHeaderExtra(iceConn,
- program_data->major_opcode,
+ IceGetHeaderExtra(iceConn,
+ program_data->major_opcode,
PM_GetProxyAddrReply,
SIZEOF(pmGetProxyAddrReplyMsg),
WORD64COUNT (pm_send_msg_len),
@@ -242,13 +242,13 @@ void FWPprocessMessages(
STORE_STRING(pReplyData, config_failure);
IceFlush(iceConn);
free(tmp_str);
- return;
+ return;
}
- /*
+ /*
* okay, you got what you need from the PM to proceed,
* so extract the fd of the selected connection and use
- * it to set up the remote client listen port and add
+ * it to set up the remote client listen port and add
* the name of the X server to your list of server connections
*/
@@ -270,14 +270,14 @@ void FWPprocessMessages(
*colon = ':';
if (hostent && hostent->h_name) {
- tmpAddress = (char *) malloc (strlen (hostent->h_name) +
+ tmpAddress = (char *) malloc (strlen (hostent->h_name) +
strlen (colon) + 1);
(void) sprintf (tmpAddress, "%s%s", hostent->h_name, colon);
serverAddress = tmpAddress;
}
}
- if ((doCheckServerList(serverAddress,
+ if ((doCheckServerList(serverAddress,
&listen_port_string,
program_data->config_info->num_servers)) == FAILURE)
{
@@ -298,15 +298,15 @@ void FWPprocessMessages(
/*
* the PM-sent server address *was* in your list, so send back
- * the rem client listen port you had already associated with
+ * the rem client listen port you had already associated with
* that server (it will presumably be forwarded to the remote
* client through some other channel)
- * use IceGetHeaderExtra() and the
+ * use IceGetHeaderExtra() and the
*/
pm_send_msg_len = STRING_BYTES(listen_port_string)
+ STRING_BYTES("");
- IceGetHeaderExtra(iceConn,
- program_data->major_opcode,
+ IceGetHeaderExtra(iceConn,
+ program_data->major_opcode,
PM_GetProxyAddrReply,
SIZEOF(pmGetProxyAddrReplyMsg),
WORD64COUNT (pm_send_msg_len),
@@ -333,7 +333,7 @@ void FWPprocessMessages(
iceErrorMsg *pMsg;
char *pStart;
- CHECK_AT_LEAST_SIZE (iceConn, global_data.major_opcode, ICE_Error,
+ CHECK_AT_LEAST_SIZE (iceConn, global_data.major_opcode, ICE_Error,
length, sizeof(iceErrorMsg), IceFatalToProtocol);
IceReadCompleteMessage (iceConn, SIZEOF (iceErrorMsg),
@@ -376,11 +376,11 @@ FWPHostBasedAuthProc (
/*
* don't worry about config for now
*
- * this routine gets called *after* IceAcceptConnection
+ * this routine gets called *after* IceAcceptConnection
* is called but *before* that routine returns its status;
- * it is therefore the logical place to check configuration
+ * it is therefore the logical place to check configuration
* data on which PM connections (from which hosts) will be
- * accepted; so do it and return either 0 to terminate
+ * accepted; so do it and return either 0 to terminate
* connection (automatically informing PM) or 1 to proceed
*
* the PM host is not allowed; terminate connection and inform
@@ -411,7 +411,7 @@ FWPprotocolSetupProc(
* IceProcessMessages()
*/
struct clientDataStruct * client_data;
- if ((client_data = (struct clientDataStruct *)
+ if ((client_data = (struct clientDataStruct *)
malloc (sizeof (struct clientDataStruct))) == NULL)
{
(void) fprintf(stderr, "malloc - client data object\n");
@@ -421,7 +421,7 @@ FWPprotocolSetupProc(
* setup the client data struct; we need this object in order to
* avoid making these variables global so they can be accessed in the
* ICE FWPprocessMessages() callback; now you see that our global_data
- * struct was the only way of getting program data into the
+ * struct was the only way of getting program data into the
* protocolReply setup routine!
*/
client_data->config_info = global_data.config_info;
@@ -434,7 +434,7 @@ FWPprotocolSetupProc(
return (1);
}
-int
+int
doSetupPMListen(
char * pm_port,
int * size_pm_listen_array,
@@ -450,15 +450,15 @@ doSetupPMListen(
/*
* establish PM listeners
- */
- if (!IceListenForWellKnownConnections(pm_port,
+ */
+ if (!IceListenForWellKnownConnections(pm_port,
&num_fds_returned,
listen_objects,
256,
errormsg))
{
- (void) fprintf(stderr, "IceListenForWellKnowConnections error: %s\n",
- errormsg);
+ (void) fprintf(stderr, "IceListenForWellKnowConnections error: %s\n",
+ errormsg);
return 0;
}
@@ -474,23 +474,23 @@ doSetupPMListen(
*size_pm_listen_array = num_fds_returned;
/*
- * obtain the PM listen fd's for the connection objects
+ * obtain the PM listen fd's for the connection objects
*/
for (fd_counter = 0; fd_counter < num_fds_returned; fd_counter++)
{
/*
* get fd(s) for PM listen (could be more than one if different
- * transport mechanisms)
- */
+ * transport mechanisms)
+ */
temp_obj = *listen_objects;
IceSetHostBasedAuthProc(temp_obj[fd_counter], FWPHostBasedAuthProc);
- (*pm_listen_array)[fd_counter] =
+ (*pm_listen_array)[fd_counter] =
IceGetListenConnectionNumber(temp_obj[fd_counter]);
/*
- * set all read mask bits on which we are going to select();
+ * set all read mask bits on which we are going to select();
* [NOTE: We don't care about write bits here because we don't
- * use select() to manage writing to the PM]
+ * use select() to manage writing to the PM]
*/
FD_SET((*pm_listen_array)[fd_counter], rinit);
@@ -532,7 +532,7 @@ MyIoErrorHandler (
(*prev_handler) (ice_conn);
}
-void
+void
doInstallIOErrorHandler (void)
{
IceIOErrorHandler default_handler;
diff --git a/pm.h b/pm.h
index 5214b9d..88dbb6a 100644
--- a/pm.h
+++ b/pm.h
@@ -1,7 +1,7 @@
/* $Xorg: pm.h,v 1.4 2001/02/09 02:05:45 xorgcvs Exp $ */
/*
-Copyright "1986-1997, 1998 The Open Group
+Copyright "1986-1997, 1998 The Open Group
Permission to use, copy, modify, distribute, and sell this software and its
documentation for any purpose is hereby granted without fee, provided that
@@ -55,7 +55,7 @@ FWPprotocolSetupProc(
IcePointer * clientDataRet,
char ** failureReasonRet);
-extern int
+extern int
doSetupPMListen(
char * pm_port,
int * size_pm_listen_array,
@@ -64,7 +64,7 @@ doSetupPMListen(
int * nfds,
fd_set * rinit);
-extern void
+extern void
doInstallIOErrorHandler (void);
#endif /* _PM_H */
diff --git a/transport.c b/transport.c
index e01ea08..479e893 100644
--- a/transport.c
+++ b/transport.c
@@ -1,7 +1,7 @@
/* $Xorg: transport.c,v 1.4 2001/02/09 02:05:45 xorgcvs Exp $ */
/*
-Copyright "1986-1997, 1998 The Open Group
+Copyright "1986-1997, 1998 The Open Group
Permission to use, copy, modify, distribute, and sell this software and its
documentation for any purpose is hereby granted without fee, provided that
@@ -46,7 +46,7 @@ X Window System is a trademark of The Open Group.
#include "xfwp.h"
#include "transport.h"
-int
+int
doSetupRemClientListen(
char ** listen_port_string,
struct clientDataStruct * program_data,
@@ -61,7 +61,7 @@ doSetupRemClientListen(
struct timezone time_zone;
int num_servers = program_data->config_info->num_servers;
- /*
+ /*
* ugh. This really shouldn't be kept as a sparse list but no time...
*/
for (this_server = 0;
@@ -69,15 +69,15 @@ doSetupRemClientListen(
this_server++);
if (this_server == num_servers)
{
- (void) fprintf(stderr,
+ (void) fprintf(stderr,
"Maximum number of server connections has been reached (%d)\n",
program_data->config_info->num_servers);
return FAILURE;
}
/*
- * offset listen port into the X protocol range;
- * must be > X_SERVER_PORT_BASE < 65535
+ * offset listen port into the X protocol range;
+ * must be > X_SERVER_PORT_BASE < 65535
*/
listen_port = this_server + X_SERVER_PORT_BASE + 1;
@@ -93,8 +93,8 @@ doSetupRemClientListen(
return FAILURE;
}
- if ((server_array[this_server]->client_listen_fd =
- socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ if ((server_array[this_server]->client_listen_fd =
+ socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
(void) fprintf(stderr,"socket call failed\n");
free(server_array[this_server]);
@@ -103,12 +103,12 @@ doSetupRemClientListen(
}
/*
- * this is where we initialize the current time and timeout on this
+ * this is where we initialize the current time and timeout on this
* client_listen object
*/
gettimeofday(&time_val, &time_zone);
- server_array[this_server]->creation_time = time_val.tv_sec;
- server_array[this_server]->time_to_close =
+ server_array[this_server]->creation_time = time_val.tv_sec;
+ server_array[this_server]->time_to_close =
global_data.config_info->client_listen_timeout;
/*
@@ -123,7 +123,7 @@ doSetupRemClientListen(
#ifdef SO_REUSEADDR
if (setsockopt(server_array[this_server]->client_listen_fd,
SOL_SOCKET, SO_REUSEADDR,
- (char *) &one, sizeof(int)) < 0)
+ (char *) &one, sizeof(int)) < 0)
{
(void) fprintf(stderr, "setsockopt(SO_REUSEADDR) failed\n");
returnFailure:
@@ -136,8 +136,8 @@ doSetupRemClientListen(
while (True) {
rem_sockaddr_in.sin_port = htons(listen_port);
- if (bind(server_array[this_server]->client_listen_fd,
- (struct sockaddr *)&rem_sockaddr_in,
+ if (bind(server_array[this_server]->client_listen_fd,
+ (struct sockaddr *)&rem_sockaddr_in,
sizeof(rem_sockaddr_in)) == 0)
break;
if (errno != EADDRINUSE)
@@ -148,8 +148,8 @@ doSetupRemClientListen(
listen_port++;
/*
- * Cann't keep going forever.
- *
+ * Cann't keep going forever.
+ *
* Why 65535 - it's the same value used by the LBXProxy.
*/
if (listen_port > 65535)
@@ -163,7 +163,7 @@ doSetupRemClientListen(
(void) fprintf (stderr, "Client connect port: %d\n", listen_port);
#endif
- if (listen(server_array[this_server]->client_listen_fd, SOMAXCONN) < 0)
+ if (listen(server_array[this_server]->client_listen_fd, SOMAXCONN) < 0)
{
(void) fprintf(stderr, "listen call failed\n");
goto returnFailure;
@@ -172,7 +172,7 @@ doSetupRemClientListen(
/*
* update the nfds
*/
- *(program_data->nfds) = max(*(program_data->nfds),
+ *(program_data->nfds) = max(*(program_data->nfds),
server_array[this_server]->client_listen_fd + 1);
/*
@@ -186,16 +186,16 @@ doSetupRemClientListen(
/*
* allocate and convert the listen_port string for return to PM;
- * string equals address of host on which FWP is running
+ * string equals address of host on which FWP is running
* plus ":<listen_port - X_SERVER_PORT_BASE> (up to xxx)"
*/
- if (((*listen_port_string) =
+ if (((*listen_port_string) =
(char *) malloc (strlen(hostname) + 10)) == NULL)
{
(void) fprintf(stderr, "malloc - proxy address\n");
goto returnFailure;
}
- (void) sprintf (*listen_port_string, "%s:%d", hostname,
+ (void) sprintf (*listen_port_string, "%s:%d", hostname,
listen_port - X_SERVER_PORT_BASE);
/*
@@ -233,18 +233,18 @@ doSetupRemClientListen(
return SUCCESS;
}
-void
-doSelect(struct
+void
+doSelect(struct
config * config_info,
- int * nfds,
- int * nready,
- fd_set * readable,
+ int * nfds,
+ int * nready,
+ fd_set * readable,
fd_set * writable)
{
- if ((*nready = select(*nfds,
- readable,
- writable,
- NULL,
+ if ((*nready = select(*nfds,
+ readable,
+ writable,
+ NULL,
&config_info->select_timeout)) == -1)
{
if (errno == EINTR)
@@ -255,7 +255,7 @@ doSelect(struct
}
}
-int
+int
doServerConnectSetup(
char * x_server_hostport,
int * server_connect_fd,
@@ -270,7 +270,7 @@ doServerConnectSetup(
char * tmp_hostport_str;
/*
- * need to copy the host port string because strtok() changes it
+ * need to copy the host port string because strtok() changes it
*/
if ((tmp_hostport_str = strdup (x_server_hostport)) == NULL)
{
@@ -284,7 +284,7 @@ doServerConnectSetup(
tmp_str++;
strcpy(server_port_base, tmp_str);
server_name_base = strtok(tmp_hostport_str,":");
- server_port = atoi(server_port_base) + X_SERVER_PORT_BASE;
+ server_port = atoi(server_port_base) + X_SERVER_PORT_BASE;
hostptr = gethostbyname(server_name_base);
free(tmp_hostport_str);
@@ -296,8 +296,8 @@ doServerConnectSetup(
if ((*server_connect_fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
- (void) fprintf(stderr, "socket call for server failed: %s\n",
- strerror(errno));
+ (void) fprintf(stderr, "socket call for server failed: %s\n",
+ strerror(errno));
return FAILURE;
}
@@ -306,7 +306,7 @@ doServerConnectSetup(
#ifdef BSD44SOCKETS
server_sockaddr_in->sin_len = sizeof server_sockaddr_in;
#endif
- memcpy((char *) &server_sockaddr_in->sin_addr,
+ memcpy((char *) &server_sockaddr_in->sin_addr,
hostptr->h_addr,
hostptr->h_length);
server_sockaddr_in->sin_port = htons(server_port);
@@ -314,7 +314,7 @@ doServerConnectSetup(
return SUCCESS;
}
-int
+int
doServerConnect(
int * server_connect_fd,
struct sockaddr_in * server_sockaddr_in)
@@ -322,8 +322,8 @@ doServerConnect(
if(connect(*server_connect_fd, (struct sockaddr * )server_sockaddr_in,
sizeof(*server_sockaddr_in)) < 0)
{
- (void) fprintf(stderr, "connect call to server failed: %s\n",
- strerror(errno));
+ (void) fprintf(stderr, "connect call to server failed: %s\n",
+ strerror(errno));
return FAILURE;
}
return SUCCESS;
diff --git a/transport.h b/transport.h
index 99f3892..f17a811 100644
--- a/transport.h
+++ b/transport.h
@@ -1,7 +1,7 @@
/* $Xorg: transport.h,v 1.4 2001/02/09 02:05:45 xorgcvs Exp $ */
/*
-Copyright "1986-1997, 1998 The Open Group
+Copyright "1986-1997, 1998 The Open Group
Permission to use, copy, modify, distribute, and sell this software and its
documentation for any purpose is hereby granted without fee, provided that
@@ -48,7 +48,7 @@ doSetupRemClientListen(
struct clientDataStruct * program_data,
char * server_address);
-extern void
+extern void
doSelect(struct
config * config_info,
int * nfds,
@@ -56,7 +56,7 @@ doSelect(struct
fd_set * readable,
fd_set * writable);
-extern int
+extern int
doServerConnectSetup(
char * x_server_hostport,
int * server_connect_fd,
diff --git a/xfwp.c b/xfwp.c
index de2f17d..b11760f 100644
--- a/xfwp.c
+++ b/xfwp.c
@@ -28,7 +28,7 @@ from The Open Group.
#include <stdio.h>
#include <stdlib.h>
-#include <X11/Xos.h>
+#include <X11/Xos.h>
#include <netinet/in.h>
#include <X11/ICE/ICElib.h>
@@ -52,15 +52,15 @@ char **SitePolicies = NULL; /* list of site security policy strings */
int SitePolicyCount = 0; /* count of elements in SitePolicies */
-Bool SitePolicyPermit = 0; /* True := permit iff server supports
+Bool SitePolicyPermit = 0; /* True := permit iff server supports
* at least one listed policy,
- * False := deny if server has any of
+ * False := deny if server has any of
* the listed policies.
*/
-int
+int
main (
- int argc,
+ int argc,
char * argv[])
{
int * pm_listen_array;
@@ -73,7 +73,7 @@ main (
/*
* setup the global client data struct; we need to do this in order
- * to access program data in the ICE FWPprocessMessages() callback
+ * to access program data in the ICE FWPprocessMessages() callback
* without making everything global! See FWPprotocolSetupProc() for
* the rest of what we are doing
*/
@@ -92,7 +92,7 @@ main (
if ((doHandleConfigFile(config_info)) == FAILURE)
exit(1);
- if ((doInitDataStructs(config_info,
+ if ((doInitDataStructs(config_info,
&pm_conn_setup)) == FAILURE)
exit(1);
@@ -112,11 +112,11 @@ main (
/*
* create listener socket(s) for PM connections
*/
- if (!doSetupPMListen(config_info->pm_listen_port,
+ if (!doSetupPMListen(config_info->pm_listen_port,
&config_info->num_pm_listen_ports,
- &pm_listen_array,
- &listen_objects,
- &nfds,
+ &pm_listen_array,
+ &listen_objects,
+ &nfds,
&rinit))
exit(1);
@@ -125,27 +125,27 @@ main (
readable = rinit;
writable = winit;
- doSelect (config_info,
- &nfds,
- &nready,
- &readable,
+ doSelect (config_info,
+ &nfds,
+ &nready,
+ &readable,
&writable);
- doCheckTimeouts (config_info,
- &nready,
- &rinit,
- &winit,
- &readable,
+ doCheckTimeouts (config_info,
+ &nready,
+ &rinit,
+ &winit,
+ &readable,
&writable);
- doProcessSelect (&nfds,
- &nready,
- &readable,
- &writable,
- &rinit,
- &winit,
- pm_listen_array,
- config_info,
+ doProcessSelect (&nfds,
+ &nready,
+ &readable,
+ &writable,
+ &rinit,
+ &winit,
+ pm_listen_array,
+ config_info,
&listen_objects);
- }
+ }
}
diff --git a/xfwp.h b/xfwp.h
index a263c76..ad8941b 100644
--- a/xfwp.h
+++ b/xfwp.h
@@ -51,37 +51,37 @@ from The Open Group.
#define RWBUFFER_SIZE 2048
enum CLIENT_CONN_STATE {
- CLIENT_WAITING,
- SERVER_WAITING,
+ CLIENT_WAITING,
+ SERVER_WAITING,
SERVER_REPLY,
CONNECTION_READY
};
enum PM_CONN_STATE {
- START,
- WAIT_SERVER_INFO,
- SENT_PORT_INFO,
+ START,
+ WAIT_SERVER_INFO,
+ SENT_PORT_INFO,
PM_EXCHANGE_DONE
};
enum CONFIG_CHECK {
- FAILURE,
+ FAILURE,
SUCCESS
};
enum CONFIG_TYPE {
- PM,
+ PM,
REM_CLIENT
};
enum LISTEN_STATE {
- AVAILABLE,
+ AVAILABLE,
IN_USE
};
enum SERVICE_ID_TYPES {
- CLIENT,
- PMGR,
+ CLIENT,
+ PMGR,
FINDPROXY
};
@@ -98,7 +98,7 @@ typedef Bool fp2();
struct ICE_setup_info
{
-
+
int opcode;
int versionCount;
IcePaVersionRec PMVersions[1];
@@ -116,7 +116,7 @@ struct client_conn_buf
int wbytes;
int conn_to;
int wclose;
- int state;
+ int state;
int time_to_close;
int creation_time;
int fd;
@@ -128,7 +128,7 @@ struct pm_conn_buf
{
char readbuf[RWBUFFER_SIZE];
int rbytes;
- int state;
+ int state;
int fd;
IceConn ice_conn;
int creation_time;
@@ -164,7 +164,7 @@ struct server_list
int done_accept;
int creation_time;
int time_to_close;
-};
+};
struct clientDataStruct
{
diff --git a/xfwp.man b/xfwp.man
index daee38d..5d3ddb2 100644
--- a/xfwp.man
+++ b/xfwp.man
@@ -1,15 +1,15 @@
.\" $Xorg: xfwp.man,v 1.4 2001/02/09 02:05:46 xorgcvs Exp $
.\" Copyright 1996, 1998 The Open Group
-.\"
+.\"
.\" Permission to use, copy, modify, distribute, and sell this software and its
.\" documentation for any purpose is hereby granted without fee, provided that
.\" the above copyright notice appear in all copies and that both that
.\" copyright notice and this permission notice appear in supporting
.\" documentation.
-.\"
+.\"
.\" The above copyright notice and this permission notice shall be included
.\" in all copies or substantial portions of the Software.
-.\"
+.\"
.\" THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
.\" OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
@@ -17,12 +17,12 @@
.\" OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
.\" ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
.\" OTHER DEALINGS IN THE SOFTWARE.
-.\"
+.\"
.\" Except as contained in this notice, the name of The Open Group shall
.\" not be used in advertising or otherwise to promote the sale, use or
.\" other dealings in this Software without prior written authorization
.\" from The Open Group.
-.\"
+.\"
.\"
.\" $XFree86: xc/programs/xfwp/xfwp.man,v 1.7 2001/02/07 22:35:23 tsi Exp $
.\"
@@ -34,25 +34,25 @@ xfwp - X firewall proxy
.B xfwp
[option ...]
.PP
-.SH COMMAND LINE OPTIONS
+.SH COMMAND LINE OPTIONS
The command line options that can be specified are:
.PP
.TP 8
.B \-cdt \fInum_secs\fP
-Used to override the default time-to-close (604800 seconds) for xfwp client
-data connections on which there is no activity (connections over which
-X protocol is already being relayed by xfwp)
+Used to override the default time-to-close (604800 seconds) for xfwp client
+data connections on which there is no activity (connections over which
+X protocol is already being relayed by xfwp)
.PP
.TP 8
.B \-clt \fInum_secs\fP
-Used to override the default time-to-close (86400 seconds) for xfwp client
-listen ports (ports on xfwp to which X clients first connect when trying to
+Used to override the default time-to-close (86400 seconds) for xfwp client
+listen ports (ports on xfwp to which X clients first connect when trying to
reach an X server)
.PP
.TP 8
.B \-pdt \fInum_secs\fP
-Used to override the default time-to-close (3600 seconds) for Proxy Manager
-connections on which there is no activity
+Used to override the default time-to-close (3600 seconds) for Proxy Manager
+connections on which there is no activity
.PP
.TP 8
.B \-config \fIfile_name\fP
@@ -71,18 +71,18 @@ each service request
.B \-logfile \fIfile_name\fP
Used to specify the name of a file where audit information should be logged.
The format of a logged entry is: time of day; event code; source IP address;
-destination IP address; and configuration rule number. The event codes
-are: "0" for a successful connection; "1" if a connection is denied because of
+destination IP address; and configuration rule number. The event codes
+are: "0" for a successful connection; "1" if a connection is denied because of
a configuration rule; and "2" if a connection is denied because of an
authorization failure. If the event code is "1", and a configuration file
-is used, the configuration rule number is the line number of the
-configuration file where the match was made (see the section
+is used, the configuration rule number is the line number of the
+configuration file where the match was made (see the section
CONFIGURATION FILE for more information). If the event code is not "1",
or if no configuration file is used, the configuration rule number is "-1".
.PP
.TP 8
.B \-loglevel \fI{0,1}\fP
-Used to specify the amount of audit detail that should be logged. If "0",
+Used to specify the amount of audit detail that should be logged. If "0",
all connections are logged. If "1", only unsuccessful connections are logged.
.PP
.TP 8
@@ -98,49 +98,49 @@ default is 100.
.SH DESCRIPTION
The X firewall proxy (xfwp) is an application layer gateway proxy
that may be run on a network firewall host to forward X traffic
-across the firewall. Used in conjunction with the X server Security
+across the firewall. Used in conjunction with the X server Security
extension and authorization checking, xfwp constitutes a safe, simple,
and reliable mechanism both to hide the addresses of X servers located
on the Intranet and to enforce a server connection policy. Xfwp cannot
-protect against mischief originating on the Intranet; however, when
+protect against mischief originating on the Intranet; however, when
properly configured it can guarantee that only trusted clients originating
-on authorized external Internet hosts will be allowed inbound access to
-local X servers.
+on authorized external Internet hosts will be allowed inbound access to
+local X servers.
To use xfwp there must be an X proxy manager running in the local environment
-which has been configured at start-up to know the location of the xfwp.
-[NOTE: There may be more than one xfwp running in a local environment;
-see notes below on load balancing for further discussion.] Using the
-xfindproxy utility (which relays its requests through the proxy manager)
-a user asks xfwp to allocate a client listen port for a particular X server,
-which is internally associated with all future connection requests for that
+which has been configured at start-up to know the location of the xfwp.
+[NOTE: There may be more than one xfwp running in a local environment;
+see notes below on load balancing for further discussion.] Using the
+xfindproxy utility (which relays its requests through the proxy manager)
+a user asks xfwp to allocate a client listen port for a particular X server,
+which is internally associated with all future connection requests for that
server. This client listen port address is returned by the proxy manager
-through xfindproxy. The xfwp hostname and port number is then passed
-out-of-band (i.e., via a Web browser) to some remote X client, which will
+through xfindproxy. The xfwp hostname and port number is then passed
+out-of-band (i.e., via a Web browser) to some remote X client, which will
subsequently connect to xfwp instead of to the target X server.
-
+
When an X client connection request appears on one of xfwp's listen ports,
-xfwp connects to the X server associated with this listen port and performs
+xfwp connects to the X server associated with this listen port and performs
authorization checks against the server as well as against its own configurable
access control list for requesting clients. If these checks fail, or if
-the requested server does not support the X Security Extension, the client
-connection is refused. Otherwise, the connection is accepted and all ensuing
-data between client and server is relayed by xfwp until the client terminates
-the connection or, in the case of an inactive client, until a configured
+the requested server does not support the X Security Extension, the client
+connection is refused. Otherwise, the connection is accepted and all ensuing
+data between client and server is relayed by xfwp until the client terminates
+the connection or, in the case of an inactive client, until a configured
timeout period is exceeded. Xfwp is designed to block while waiting for
-activity on its connections, thereby minimizing demand for system cycles.
+activity on its connections, thereby minimizing demand for system cycles.
If xfwp is run without a configuration file and thus no sitepolicy is
-defined, if xfwp is using an X server where xhost + has been run to turn
-off host-based authorization checks, when a client tries to connect to
-this X server via xfwp, the X server will deny the connection. If xfwp
-does not define a sitepolicy, host-based authorization must be turned on
+defined, if xfwp is using an X server where xhost + has been run to turn
+off host-based authorization checks, when a client tries to connect to
+this X server via xfwp, the X server will deny the connection. If xfwp
+does not define a sitepolicy, host-based authorization must be turned on
for clients to connect to an X server via the xfwp.
.PP
.SH INTEROPERATION WITH IP PACKET-FILTERING ROUTERS
The whole purpose of the xfwp is to provide reliable control over access
to Intranet X servers by clients originating outside the firewall. At
-the present time, such access control is typically achieved by firewall
+the present time, such access control is typically achieved by firewall
configurations incorporating IP packet-filtering routers. Frequently,
the rules for such filters deny access to X server ports (range 6000 -
6xxx) for all Intranet host machines.
@@ -148,120 +148,120 @@ the rules for such filters deny access to X server ports (range 6000 -
In order for xfwp to do its job, restrictions on access for ports 6001 - 6xxx
must be removed from the rule-base of the IP packet-filtering router. [NOTE:
xfwp only assigns ports in the range beginning with 6001; access to port
-6000 on all Intranet hosts may continue to be denied.] This does not
+6000 on all Intranet hosts may continue to be denied.] This does not
mean the Intranet firewall will be opened for indiscriminate entry by X
clients. Instead, xfwp supports a fully configurable rule-based access
-control system, similar to that of the IP packet-filter router itself.
+control system, similar to that of the IP packet-filter router itself.
Xfwp in effect adds another level of packet-filtering control which is
fully configurable and applies specifically to X traffic. See section
-entitled CONFIGURATION FILE, below, for further details.
+entitled CONFIGURATION FILE, below, for further details.
.PP
.SH INSTALLATION, SETUP AND TROUBLESHOOTING
Xfwp is typically run as a background process on the Intranet firewall host.
It can be launched using any of the command-line options described above.
-As noted above, xfwp works only in conjunction with proxy manager and the
+As noted above, xfwp works only in conjunction with proxy manager and the
xfindproxy utility. It can also be configured to support a user-defined
X server site security policy, in which the X server is required to indicate
-to xfwp whether or not it supports the particular policy. Consult the
-X server man pages for further information on these components. Xfwp
-diagnostics can be turned on by compiling with the -DDEBUG switch.
+to xfwp whether or not it supports the particular policy. Consult the
+X server man pages for further information on these components. Xfwp
+diagnostics can be turned on by compiling with the -DDEBUG switch.
Connection status can be recorded by using the -logfile and -loglevel
command line options.
.PP
-.SH PERFORMANCE, LOAD BALANCING AND RESOURCE MANAGEMENT
-Xfwp manages four different kinds of connections: proxy manager (PM) data,
-X client listen, X client data, and X server. The sysadmin employing xfwp
-must understand how the resources for each of these connection types are
-allocated and reclaimed by xfwp in order to optimize the availability of
+.SH PERFORMANCE, LOAD BALANCING AND RESOURCE MANAGEMENT
+Xfwp manages four different kinds of connections: proxy manager (PM) data,
+X client listen, X client data, and X server. The sysadmin employing xfwp
+must understand how the resources for each of these connection types are
+allocated and reclaimed by xfwp in order to optimize the availability of
xfwp service.
-Each connection-type has a default number of allocation slots and
+Each connection-type has a default number of allocation slots and
a default timeout. The number of allocation slots for PM connections
and X server connections is configurable via command line options.
Connection timeouts are also configurable via command line options.
-Each connection timeout represents the period the connection
-will be allowed to remain open in the absence of any activity on that
-connection. Whenever there is activity on a connection, the time-to-close
-is automatically reset. The default distribution of total process connection
+Each connection timeout represents the period the connection
+will be allowed to remain open in the absence of any activity on that
+connection. Whenever there is activity on a connection, the time-to-close
+is automatically reset. The default distribution of total process connection
slots across the four connection types, as well as the choice of default
timeouts for the connection types, is governed by a number of assumptions
-embedded in the xfwp use model.
+embedded in the xfwp use model.
The default number of PM connections is 10 and the
default duration for PM connections is 3,600
-seconds (1 hour) for each connection after time of last activity.
-At start-up, xfwp listens for PM connection requests on any non-reserved
-port (default of 4444 if not specified on the xfwp command-line). The PM
-normally connects to xfwp only when a call is made to the PM with xfindproxy.
-Thereafter, the PM remains connected to xfwp, even after the messaging between
-them has been completed, for the default connection duration period. In some
+seconds (1 hour) for each connection after time of last activity.
+At start-up, xfwp listens for PM connection requests on any non-reserved
+port (default of 4444 if not specified on the xfwp command-line). The PM
+normally connects to xfwp only when a call is made to the PM with xfindproxy.
+Thereafter, the PM remains connected to xfwp, even after the messaging between
+them has been completed, for the default connection duration period. In some
cases this may result in depletion of available PM connection slots.
If the sysadmin expects connections to a single xfwp from many PM's,
-xfwp should be started using the -pdt command line option, with a timeout
-value reflecting the desired duration that inactive connections will be
-permitted to remain open.
+xfwp should be started using the -pdt command line option, with a timeout
+value reflecting the desired duration that inactive connections will be
+permitted to remain open.
-Xfwp client listeners are set up by a call to xfindproxy and continue to
-listen for X client connection requests for a default duration of 86,400
+Xfwp client listeners are set up by a call to xfindproxy and continue to
+listen for X client connection requests for a default duration of 86,400
seconds (24 hours) from the point of last activity. After this time they
are automatically closed and their fd's recovered for future allocation.
In addressing the question of how to choose some alternative timeout
value which will guarantee the availability of client listen ports,
sysadmins should take into consideration the expected delay between
-the time when the listener was allocated (using xfindproxy) and the time
+the time when the listener was allocated (using xfindproxy) and the time
when a client actually attempts to connect to xfwp, as well the likelihood
-that client listeners will be re-used after the initial client data
-connection is closed.
+that client listeners will be re-used after the initial client data
+connection is closed.
-Each client connection is allocated a default lifetime of 604,800
-seconds (7 * 24 hours)
-from the point when it last saw activity. After this time it is
+Each client connection is allocated a default lifetime of 604,800
+seconds (7 * 24 hours)
+from the point when it last saw activity. After this time it is
automatically closed and its fd's recovered for future allocation.
-Because server connections are not actually established until a connection
-request from a remote X client arrives at one of the xfwp's client listen
+Because server connections are not actually established until a connection
+request from a remote X client arrives at one of the xfwp's client listen
ports, the client data timeout applies both to client-xfwp connections as well
as to xfwp-server connections. If the system administrator expects many
client data connections through xfwp, an overriding of the default timeout
-should be considered.
+should be considered.
.PP
-.SH CONFIGURATION FILE
+.SH CONFIGURATION FILE
The xfwp configuration file resides on the xfwp host machine and is
used to determine whether X client data connection requests will be
permitted or denied. The path to the file is specified at start-up
-time. If no configuration file is specified, all X client data
+time. If no configuration file is specified, all X client data
connection requests routed through xfwp will be by default permitted,
assuming that other X server authorization checks are successful. If
-a configuration file is supplied but none of its entries matches the
+a configuration file is supplied but none of its entries matches the
connection request then the connection is by default denied.
If a line in the configuration file begins with the '#' character
-or a new-line character, the line is ignored and the evaluator will
+or a new-line character, the line is ignored and the evaluator will
skip the line.
The configuration file supports two entirely independent authorization
-checks: one which is performed by xfwp itself, and a second which is the
+checks: one which is performed by xfwp itself, and a second which is the
result of xfwp's querying the target X server. For the first of these,
-the configuration file employs a syntax and semantic similar to that of IP
+the configuration file employs a syntax and semantic similar to that of IP
packet-filtering routers. It contains zero or more source-destination
rules of the following form:
.PP
{permit | deny} <src> <src mask> [<dest> <dest mask> [<operator> <service>]]
.sp
.IP permit/deny 12
-the keywords ``permit'' or ``deny'' indicate whether the
+the keywords ``permit'' or ``deny'' indicate whether the
rule will enable or disable access, respectively
.IP src 12
-the IP address against the host who originated the
-connection request will be matched, expressed in IP
+the IP address against the host who originated the
+connection request will be matched, expressed in IP
format (x.x.x.x)
.IP "src mask" 12
a subnet mask, also in IP format, for further qualifying
the source mask. Bits set in the mask indicate bits of the
incoming address to be \fIignored\fP when comparing to the specified src
.IP dest 12
-the IP address against which the destination of the
-incoming connection request (i.e. the host IP of the
+the IP address against which the destination of the
+incoming connection request (i.e. the host IP of the
X server to which the incoming client is attempting to
connect) will be matched
.IP "dest mask" 12
@@ -273,12 +273,12 @@ always ``eq'' (if the service field is not NULL)
.IP service 12
one of the following three strings: ``pm'', ``fp'', or
``cd'', corresponding to proxy manager, xfindproxy, or
-client data, respectively
+client data, respectively
.PP
-For the second type of authorization check, the configuration file contains
+For the second type of authorization check, the configuration file contains
zero or more site policy rules of the following form:
.PP
-{require | disallow} sitepolicy <site_policy>
+{require | disallow} sitepolicy <site_policy>
.sp
.IP require 12
specifies that the X server \fImust\fP be configured with \fIat least one\fP
@@ -290,7 +290,7 @@ the corresponding site policies, else it must refuse the connection.
a required keyword
.IP "<site_policy>" 12
specifies the policy string. The string may contain any
-combination of alphanumeric characters subject
+combination of alphanumeric characters subject
only to interpretation by the target X server
.PP
.SH RULES FOR EVALUATING THE XFWP CONFIGURATION FILE ENTRIES
@@ -299,28 +299,28 @@ can be permitted or denied for each connection type based upon
source and, optionally, destination and service. Each file entry must
at a minimum specify the keyword ``permit'' or ``deny'' and the two
source fields. The
-destination and service fields can be used to provide finer-grained
+destination and service fields can be used to provide finer-grained
access control if desired.
.PP
-The algorithm for rule-matching is as follows:
+The algorithm for rule-matching is as follows:
.PP
.RS 3
while (more entries to check)
{
if ((<originator IP> AND (NOT <src mask>)) == src)
- [if ((<dest X server IP> AND (NOT <dest mask>)) == dest)]
+ [if ((<dest X server IP> AND (NOT <dest mask>)) == dest)]
[if (service fields present and matching)]
do either permit or deny connection depending on keyword
else
- continue
+ continue
}
- if (no rule matches)
+ if (no rule matches)
deny connection
.RE
.PP
If a permit or deny rule does not specify a service and operation, then
-the rule applies to all services. If a configuration file is specified
-and it contains at least one valid deny or permit rule, then a host
+the rule applies to all services. If a configuration file is specified
+and it contains at least one valid deny or permit rule, then a host
that is not explicitly permitted will be denied a connection.
.PP
Site policy configuration checking constitutes a separate (and X server
@@ -335,11 +335,11 @@ same type; that is, a single rule file cannot have both ``require'' and
permit connection
else
deny connection
- else
+ else
if (keyword == require)
deny connection
else
- permit connection
+ permit connection
.RE
.PP
The site policy check is performed by xfwp only if the source-destination
@@ -351,7 +351,7 @@ EXAMPLES
.sp
\fC
.nf
-\&# if and only if server supports one of these policies then authorize
+\&# if and only if server supports one of these policies then authorize
\&# connections, but still subject to applicable rule matches
\&#
require sitepolicy policy1
@@ -367,25 +367,25 @@ deny 8.7.6.5 0.0.0.0 0.0.0.0 255.255.255.255 eq pm
\&# fp service is explicitly qualified, line must include source fields
\&# as shown.]
\&#
-permit 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq fp
+permit 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq fp
\&#
-\&# permit all connection types originating from the 192.0.0.0
-\&# IP domain only
+\&# permit all connection types originating from the 192.0.0.0
+\&# IP domain only
\&#
-permit 192.0.0.0 0.255.255.255
+permit 192.0.0.0 0.255.255.255
.fi
\fP
.PP
Care should be taken that source-destination rules are written in the correct
order, as the first matching rule will be applied. In addition to parser
syntax checking, a special command-line switch (-verify) has been provided
-to assist the sysadmin in determining which rule was actually matched.
+to assist the sysadmin in determining which rule was actually matched.
.PP
.SH BUGS
.PP
Xfwp should check server site policy and security extension before
-allocating a listen port.
-.PP
+allocating a listen port.
+.PP
.SH SEE ALSO
xfindproxy (1), Proxy Management Protocol spec V1.0, proxymngr(1), Xserver(1)
.SH AUTHOR