Bug 982345 - hosts.allow manual has wrong syntax for ipv6 net/prefixlen
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: tcp_wrappers
Version: 19
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Assigned To: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-07-08 14:36 EDT by John Heidemann
Modified: 2014-05-20 01:53 EDT
Last Closed: 2014-05-20 01:53:33 EDT
Type: Bug
Doc Type: Bug Fix

Attachments
correct manual page (893 bytes, patch), 2013-07-08 14:36 EDT, John Heidemann

Description John Heidemann 2013-07-08 14:36:16 EDT
Description of problem:

hosts.allow(5) says 
  An expression of the form `[n:n:n:n:n:n:n:n/m]\' is interpreted as a
  `[net/prefixlen]\' pair.
but the syntax that works is
  [n:n:n:n:n:n:n:n]/m
with the ] before the /

(The [n/m] syntax is SILENTLY IGNORED.)

Version-Release number of selected component (if applicable):
tcp_wrappers-libs-7.6-73.fc19.x86_64

but the problem also exists under Fedora 18 (and maybe earlier).
(The man page is correct in RHEL 6.4)

How reproducible:
Every time.

Steps to Reproduce:
1. put sshd: [2001::/16] in /etc/hosts.allow
2. ssh to your box from something with a 2001: IPv6 address
3. be sad when it fails to let you in
4. change to sshd: [2001::]/16
5. rejoice because you and the 50 other IPv6 users can now get in

Actual results:
hosts.allow blocks access if you follow the manual.

Expected results:
following the manual should work.

Additional info:
Patch to the manual page is attached.
Comment 1 John Heidemann 2013-07-08 14:36:49 EDT
Created attachment 770610
correct manual page
Comment 2 Petr Lautrbach 2013-07-09 11:43:10 EDT
I can't reproduce this, both expressions work for me:

# echo '' > /etc/hosts.allow
# ssh 2620:52:0:2202:221:9bff:fe36:7a22
ssh_exchange_identification: Connection closed by remote host

# echo 'sshd: [2620::]/16' > /etc/hosts.allow
# ssh 2620:52:0:2202:221:9bff:fe36:7a22
IPv6 addr/mask: 2620::/16
Last login: Tue Jul  9 17:33:39 2013 from rawhide-devel.virt
# logout
Connection to 2620:52:0:2202:221:9bff:fe36:7a22 closed.

# echo 'sshd: [2620::/16]' > /etc/hosts.allow
# ssh 2620:52:0:2202:221:9bff:fe36:7a22
IPv6 addr/mask: 2620::/16
Last login: Tue Jul  9 17:36:01 2013 from rawhide-devel.virt
# logout
Connection to 2620:52:0:2202:221:9bff:fe36:7a22 closed.

# rpm -q tcp_wrappers
tcp_wrappers-7.6-73.fc19.x86_64
Comment 3 John Heidemann 2013-07-09 23:48:02 EDT
Hmmm... it Still Doesn't Work For Me.
But a correction to my bug report:
I can reproduce the failure consistently with F18 on both client and server, not F19:
tcp_wrappers-7.6-70.fc18.x86_64

It looks like your reproduction was done all on one box.
My test case is between two different boxes.
Is it possible you're getting some kind of short-circuit to localhost6?

Specific test case on the server (at 2001:4:5:6::7) is:
# works with next line uncommented
sshd: [2001:1:2:3::]/64
# fails if above line is commented and next line is left in
sshd: [2001:1:2:3::/64]

and login attempts from 2001:1:2:3::4 as
ssh 2001:4:5:6::7 date

(not the actual addresses)

Maybe both are supported in F19?  (Fix between -70 and 73?)
Comment 4 Petr Lautrbach 2013-07-10 02:49:18 EDT
You're right, there's a change in the parser between F18 and F19. But, the hosts_access (5) man page on F18 says:

# zgrep -A 6 'An expression of the form `\[n:n:n' /usr/share/man/man5/hosts_access.5.gz
An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
`[net]/prefixlen\' pair. An IPv6 host address is matched if
`prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the
address. For example, the [net]/prefixlen pattern
`[3ffe:505:2:1::]/64\' matches every address in the range
`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'.
.IP \(bu


# rpm -qf /usr/share/man/man5/hosts_access.5.gz 
tcp_wrappers-libs-7.6-70.fc18.x86_64


This is correct, it works, and it is expected. Is it possible that you have some local changes? Try

# rpm -V tcp_wrappers-libs
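Added example, not code from the bug report or from tcp_wrappers: a small Python checker that parses both spellings of the IPv6 net/prefixlen client pattern discussed above, `[n:n:n:n:n:n:n:n]/m` and `[n:n:n:n:n:n:n:n/m]`, and applies the matching rule the man page excerpt states (the first `prefixlen` bits of `net` must equal the first `prefixlen` bits of the client address). The `accept_prefix_inside` flag models the behaviour the reporter describes for the older parser, where the `[net/m]` spelling is skipped without an error and therefore never matches. The function names, the flag and the sample hosts.allow lines are this example's own assumptions, not tcp_wrappers' API.

```python
"""Parse and evaluate tcp_wrappers-style IPv6 net/prefixlen patterns.

Example code added to illustrate the bug report; it is not tcp_wrappers'
own parser.  The sample lines below are constructed, not real hosts.
"""
import ipaddress
import re

# Constructed sample of the spellings from the report (not real hosts).
SAMPLE_HOSTS_ALLOW = [
    "# comment lines are skipped",
    "sshd: [2001:1:2:3::]/64",   # prefix length outside the brackets (F18 man page)
    "sshd: [2001:1:2:3::/64]",   # prefix length inside the brackets (F19 man page)
    "sshd: [2001:db8::1]",       # single host, no prefix length
]

# Either  [net]/m  (group 'outside')  or  [net/m]  (group 'inside').
_BRACKET_FORM = re.compile(
    r'^\[(?P<net>[0-9A-Fa-f:.]+)(?:\]/(?P<outside>\d+)|/(?P<inside>\d+)\])$'
)


def parse_ipv6_pattern(pattern, accept_prefix_inside=True):
    """Parse one bracketed IPv6 client pattern.

    Returns (IPv6Network, form) with form in {'net]/m', 'net/m]', 'host'},
    or None when the pattern is not understood.  With accept_prefix_inside
    set to False the '[net/m]' spelling is rejected, modelling the older
    parser described in the report: the pattern is silently skipped.
    """
    pattern = pattern.strip()
    m = _BRACKET_FORM.match(pattern)
    if m:
        if m.group('outside') is not None:
            plen, form = int(m.group('outside')), 'net]/m'
        else:
            if not accept_prefix_inside:
                return None          # assumed older behaviour: unknown, skipped
            plen, form = int(m.group('inside')), 'net/m]'
        try:
            return ipaddress.IPv6Network((m.group('net'), plen), strict=False), form
        except ValueError:
            return None
    if pattern.startswith('[') and pattern.endswith(']'):
        try:
            return ipaddress.IPv6Network((pattern[1:-1], 128)), 'host'
        except ValueError:
            return None
    return None


def prefix_matches(net, addr):
    """Man-page rule: the first prefixlen bits of net equal those of addr."""
    addr = ipaddress.IPv6Address(addr)
    shift = 128 - net.prefixlen
    return (int(net.network_address) >> shift) == (int(addr) >> shift)


def line_permits(line, daemon, client, accept_prefix_inside=True):
    """Evaluate one 'daemon_list : client_list' hosts.allow line."""
    daemons, _, clients = line.partition(':')   # first ':' separates the lists
    if daemon not in [d.strip() for d in daemons.split(',')]:
        return False
    for pat in clients.split(','):
        parsed = parse_ipv6_pattern(pat, accept_prefix_inside)
        if parsed is None:
            continue                 # not understood: no error, no match
        net, _form = parsed
        if prefix_matches(net, client):
            return True
    return False


def first_permitting_line(lines, daemon, client, accept_prefix_inside=True):
    """Return the first non-comment line that permits client for daemon, or None."""
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        if line_permits(line, daemon, client, accept_prefix_inside):
            return line
    return None


if __name__ == "__main__":
    # Reproduces the report's scenario: client 2001:1:2:3::4 against both spellings.
    for accept in (True, False):
        hit = first_permitting_line(SAMPLE_HOSTS_ALLOW[:3], "sshd", "2001:1:2:3::4", accept)
        print(f"accept_prefix_inside={accept}: matched line {hit!r}")
```

Running the checker with `accept_prefix_inside=False` against only the `[2001:1:2:3::/64]` line returns no match, which is the "silently ignored" outcome the reporter hit on F18; with the flag left at its default both spellings match the same client.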
Comment 5 John Heidemann 2013-07-10 10:36:48 EDT
Wow, this is crazy.  You say the parser is changing and now supports both.  Apparently the man page, too, has changed.

On a current F18 box:
f18> zcat /usr/share/man/man5/hosts_access.5.gz |grep 'n:n'
An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
f18> rpm -qf /usr/share/man/man5/hosts_access.5.gz
tcp_wrappers-libs-7.6-70.fc18.x86_64


On a F19 box:
f19> zcat /usr/share/man/man5/hosts_access.5.gz |grep n:n
An expression of the form `[n:n:n:n:n:n:n:n/m]\' is interpreted as a
f19> rpm -qf /usr/share/man/man5/hosts_access.5.gz 
tcp_wrappers-libs-7.6-73.fc19.x86_64
tcp_wrappers-libs-7.6-73.fc19.i686

rpm -V tcp_wrappers-libs produces no output on both boxes

IMHO the man page should track what works in both cases
(that is [n:n:n:n:n:n:n:n/m])
but one could also argue we should just track upstream.
Comment 6 John Heidemann 2014-05-20 01:53:33 EDT
closed out as fixed in F20
