[Nut-upsuser] ACL problem

Richard Chapman rchapman at aardvark.com.au
Sun Dec 23 06:03:44 UTC 2007


Hi all

Is the syntax:

ACL lan 10.0.0.0/255.0.0.0

allowed and correct? Shouldn't it be:

ACL lan 10.0.0.0/8

If both notations are allowed in the same syntax - it is news to me - but then many things are news to me...:-)


Richard.



Charles Lepple wrote:
> On Dec 21, 2007 11:07 AM, Ricardo Bugalho <ricardo at lip.pt> wrote:
>   
>> Hello,
>> I'm unable to connect to upsd from anywhere except localhost and the
>> debugging output is a bit weird. It looks like acl_check doesn't match
>> even against 0/0.
>>
>> Here's my ACL on upsd.conf:
>>
>> ACL all 0.0.0.0/0
>> ACL localhost 127.0.0.1/32
>> ACL lan 10.0.0.0/255.0.0.0
>>
>> ACCEPT localhost lan
>> REJECT all
>>
>>
>> Here's the output from upsd -DDDD for a request from localhost:
>> acl_check: localhost: match 1
>> ACL [localhost] matches, action=1
>> Connection from ::ffff:127.0.0.1
>> acl_check: localhost: match 1
>> ACL [localhost] matches, action=1
>> write: [destfd=7] [len=24] [BEGIN LIST VAR core-ups
>> ]
>> write: [destfd=7] [len=34] [VAR core-ups battery.charge "100"
>> ]
>> [....]
>> write: [destfd=7] [len=22] [END LIST VAR core-ups
>> ]
>> acl_check: localhost: match 1
>> ACL [localhost] matches, action=1
>> Client on ::ffff:127.0.0.1 logged out
>> write: [destfd=7] [len=11] [OK Goodbye
>> ]
>>
>> Here's the output from a request from another host:
>> acl_check: localhost: match 0
>> acl_check: lan: match 0
>> acl_check: all: match 0
>> Rejecting TCP connection from ::ffff:10.11.8.101
>>
>> My question being: why isn't it matching against any of the ACLs?
>>     
>
> It could be something unexpected in how the IPv4-in-IPv6 mapping
> works. (Note that all of your IP addresses printed by NUT are prefixed
> with "::ffff:", which comes from the C library's inet_ntoa function.)
> While the 2.0.5 code looks at the bits in the address, there is still
> a chance for something weird since it was written for IPv4 and the
> sockets are most likely IPv6 with an IPv4 address.
>
>   
>> I'm using nut 2.0.5, built for CentOS5 from the src.rpm for Fedora Core
>> 9.
>>     
>
> Is there a chance you can try this with the latest release (2.2.1),
> which has some patches suggested by RedHat to improve IPv6 support?
> There is a nut.spec in nut-2.2.1/packaging/redhat/ which you can drop
> into RPM/SPECS. (Unfortunately, "rpmbuild -ta" probably won't work
> because we have three variants of nut.spec in the tarball.)
>
> It has been a while since I did any substantial RedHat packaging work,
> but if you need help building an RPM from source without the .srpm,
> try emailing the list again, as there are often RPM-savvy readers
> listening.
>
>   
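Added example (not part of the thread, and not NUT's acl_check code): one way an IPv4 ACL matcher can accept both mask notations asked about above and still match a peer that arrives as an IPv4-mapped IPv6 address such as ::ffff:10.11.8.101. The function names acl_parse and acl_match are hypothetical, and this makes no claim about what upsd 2.0.5 accepts or why the reported match failed.

```c
/* Added illustration; acl_parse/acl_match are hypothetical names, not NUT APIs. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse "a.b.c.d/len" or "a.b.c.d/m.m.m.m" into host-order net and mask.
 * Returns 0 on success, -1 on bad syntax or a non-contiguous netmask. */
int acl_parse(const char *spec, uint32_t *net, uint32_t *mask)
{
    char buf[64], *slash, *end;
    struct in_addr a, m;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    if ((slash = strchr(buf, '/')) == NULL) return -1;
    *slash++ = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    if (strchr(slash, '.')) {                       /* dotted netmask */
        if (inet_pton(AF_INET, slash, &m) != 1) return -1;
        *mask = ntohl(m.s_addr);
        if (~*mask & (~*mask + 1)) return -1;       /* mask has holes */
    } else {                                        /* prefix length */
        long len = strtol(slash, &end, 10);
        if (end == slash || *end || len < 0 || len > 32) return -1;
        *mask = len ? 0xFFFFFFFFu << (32 - len) : 0;
    }
    *net = ntohl(a.s_addr) & *mask;
    return 0;
}

/* Match a textual peer ("10.1.2.3" or "::ffff:10.1.2.3") against an IPv4 ACL.
 * Returns 1 on match, 0 on no match, -1 on parse error or native IPv6 peer. */
int acl_match(const char *spec, const char *peer)
{
    uint32_t net, mask, ip;
    struct in_addr a4;
    struct in6_addr a6;

    if (acl_parse(spec, &net, &mask) != 0) return -1;
    if (inet_pton(AF_INET, peer, &a4) == 1)
        ip = ntohl(a4.s_addr);
    else if (inet_pton(AF_INET6, peer, &a6) == 1 && IN6_IS_ADDR_V4MAPPED(&a6)) {
        memcpy(&ip, &a6.s6_addr[12], 4);            /* low 4 bytes = IPv4 */
        ip = ntohl(ip);
    } else
        return -1;
    return (ip & mask) == net;
}
```

Returning -1 for a native IPv6 peer keeps "could not evaluate" distinct from "no match", so a caller can fail closed and log the reason instead of silently falling through to the next rule.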



