[Nut-upsuser] ACL problem
Charles Lepple
clepple at gmail.com
Sat Dec 22 17:17:52 UTC 2007
On Dec 21, 2007 11:07 AM, Ricardo Bugalho <ricardo at lip.pt> wrote:
> Hello,
> I'm unable to connect to upsd from anywhere except localhost and the
> debugging output is a bit weird. It looks like acl_check doesn't match
> even against 0/0.
>
> Here's my ACL on upsd.conf:
>
> ACL all 0.0.0.0/0
> ACL localhost 127.0.0.1/32
> ACL lan 10.0.0.0/255.0.0.0
>
> ACCEPT localhost lan
> REJECT all
>
>
> Here's the output from upsd -DDDD for a request from localhost:
> acl_check: localhost: match 1
> ACL [localhost] matches, action=1
> Connection from ::ffff:127.0.0.1
> acl_check: localhost: match 1
> ACL [localhost] matches, action=1
> write: [destfd=7] [len=24] [BEGIN LIST VAR core-ups
> ]
> write: [destfd=7] [len=34] [VAR core-ups battery.charge "100"
> ]
> [....]
> write: [destfd=7] [len=22] [END LIST VAR core-ups
> ]
> acl_check: localhost: match 1
> ACL [localhost] matches, action=1
> Client on ::ffff:127.0.0.1 logged out
> write: [destfd=7] [len=11] [OK Goodbye
> ]
>
> Here's the output from a request from another host:
> acl_check: localhost: match 0
> acl_check: lan: match 0
> acl_check: all: match 0
> Rejecting TCP connection from ::ffff:10.11.8.101
>
> My question being: why isn't it matching against any of the ACLs?
It could be something unexpected in how the IPv4-in-IPv6 mapping
works. (Note that all of your IP addresses printed by NUT are prefixed
with "::ffff:", which comes from the C library's inet_ntoa function.)
While the 2.0.5 code looks at the bits in the address, there is still
a chance for something weird since it was written for IPv4 and the
sockets are most likely IPv6 with an IPv4 address.
> I'm using nut 2.0.5, built for CentOS5 from the src.rpm for Fedora Core
> 9.
Is there a chance you can try this with the latest release (2.2.1),
which has some patches suggested by RedHat to improve IPv6 support?
There is a nut.spec in nut-2.2.1/packaging/redhat/ which you can drop
into RPM/SPECS. (Unfortunately, "rpmbuild -ta" probably won't work
because we have three variants of nut.spec in the tarball.)
It has been a while since I did any substantial RedHat packaging work,
but if you need help building an RPM from source without the .srpm,
try emailing the list again, as there are often RPM-savvy readers
listening.
--
- Charles Lepple
More information about the Nut-upsuser
mailing list