[Swan-dev] get rid of getnetbyname() /etc/networks?

Andrew Cagney andrew.cagney at gmail.com
Tue May 4 01:15:47 UTC 2021


On Sun, 2 May 2021 at 15:55, Paul Wouters <paul at nohats.ca> wrote:

> On Sun, 2 May 2021, D. Hugh Redelmeier wrote:
>
> > Subject: [Swan-dev] get rid of getnetbyname() /etc/networks?
> >
> > Comments I added recently:
> >
> > +     /*
> > +      * try a name from /etc/networks
> > +      *
> > +      * Seems pretty obsolete:
> > +      * - latest RFC, 1101, dated April 1989
> > +      * - IPv4 only
> > +      * - doesn't support classless networks
> > +      * - Window has it
> > +      */
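Review bot: the last bullet "Window has it" looks like a typo for "Windows has it" and, unlike the three bullets before it, is not a reason the lookup is obsolete; either say what it is meant to show (that the fallback has to stay for portability, or that it is merely legacy) or drop it from this list.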
> >
> > We are using this as a fallback when DNS doesn't resolve a name.
> > We are not even using it to find a network, only an IP address.
>
> kill it :)
>
> Related, there are still a few places that end up calling
> gethostbyname2() which is also obsolete and does not work for IPv6:
>
> lib/libswan/ttoaddress.c:       struct hostent *h = gethostbyname2(p, af);
>
> programs/showhostkey/showhostkey.c:     gethostname(qname, sizeof(qname));
>
> The case in ttoaddress.c is the main one. Since it is used by
> ttoaddress_dns() which is used in many places, we cannot replace it
> with an async libunbound call. And to do a sync unbound call, last I
> looked at this years ago, we would have to start another libunbound
> context which gets its own cache. Also, it would mean people can no
> longer compile without libunbound. I guess the best fix would be to
> rewrite it to use getaddrinfo() or res_ functions?
>
>
Not as many as you might think.  Most are in the command line utilities.

For pluto, we've now got a pretty good handle on keeping whack attached,
going through the event loop may be less pain than expected.  Anyway,
these are the calls:

$ find * -type f -name '*.c' -print | xargs grep -B2 -A2 'ttoaddress_dns('

connections.c- case KH_IPHOSTNAME:
connections.c- {
connections.c: err_t er = ttoaddress_dns(shunk1(dst->host_addr_name),
connections.c-     address_type(&dst->host_addr),
connections.c-     &dst->host_addr);

this is extract_end().

--

host_pair.c-
host_pair.c- if (d->dnshostname == NULL ||
host_pair.c:    ttoaddress_dns(shunk1(d->dnshostname),
host_pair.c-      address_type(&d->spd.that.host_addr), &new_addr) != NULL ||
host_pair.c-    sameaddr(&new_addr, &hp->remote))

This is update_host_pairs(), it's called from restart_connections_by_peer()
and connection_check_ddns1() so the code is already event loop aware.

--

ikev2_redirect.c- }
ikev2_redirect.c-
ikev2_redirect.c: err_t ugh = ttoaddress_dns(shunk2(gw_str, gw_info.gw_identity_len),
ikev2_redirect.c-   NULL/*UNSPEC*/, redirect_ip);
ikev2_redirect.c- if (ugh != NULL)

in parse_redirect_payload(), so knee deep in event loop goop.

--

initiate.c- }
initiate.c-
initiate.c: e = ttoaddress_dns(shunk1(c->dnshostname), NULL/*UNSPEC*/, &new_addr);
initiate.c- if (e != NULL) {
initiate.c- connection_buf cib;

Hmm, connection_check_ddns1(), now where have I heard that name before?
Oh, look, further down the code calls update_host_pair() which calls, wait
for it, ttoaddress_dns().

--

plutomain.c- {
plutomain.c- ip_address rip;
plutomain.c: check_err(ttoaddress_dns(shunk1(optarg), NULL/*UNSPEC*/, &rip),
plutomain.c-  longindex, logger);
plutomain.c- set_global_redirect_dests(optarg);

It is parsing --global-redirect-to.  It is also probably the one case where
a call to ttoaddress_dns() is valid.
OTOH,  having no calls to ttoaddress_dns() in pluto would be nice.

--

rcv_whack.c-
rcv_whack.c- if (m->remote_host != NULL) {
rcv_whack.c: oops = ttoaddress_dns(shunk1(m->remote_host), NULL/*UNSPEC*/, &testip);
rcv_whack.c-
rcv_whack.c- if (oops != NULL) {

This is weird.  It is pre-checking that the host is valid before calling
initiate_connections_by_name().
Why bother?
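Paul's suggestion in the quoted message is to move lib/libswan/ttoaddress.c off gethostbyname2() and onto getaddrinfo(). The following is an added illustration of that replacement, written for this page and not libreswan code: a resolver in the shape of ttoaddress_dns() that takes the address family (AF_UNSPEC for "let the lookup decide", the NULL/*UNSPEC*/ case in the grep output above), accepts both IPv4 and IPv6, tries the input as a numeric literal before ever touching the resolver, and only then does a blocking name lookup if the caller allows one. The names resolve_name(), resolves_to() and fails(), the use_dns switch, and the err_t-style const char * error return are this example's own conventions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * Resolve NAME to one address of family AF (AF_INET, AF_INET6 or
 * AF_UNSPEC) using getaddrinfo(), the modern replacement for the
 * IPv4-only gethostbyname2().  The string is tried as a numeric literal
 * first; a hostname is looked up only when USE_DNS is true, so callers
 * that must not block (e.g. inside an event loop) can pass false.
 * On success returns NULL and stores the family in *OUT_AF and the
 * printable address in BUF; on failure returns a static error string.
 * Example code in the style of libreswan's err_t; not the project's own.
 */
static const char *resolve_name(const char *name, int af, bool use_dns,
                                int *out_af, char *buf, size_t buflen)
{
    struct addrinfo hints, *res = NULL;
    const void *addr;
    int rc;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = af;             /* AF_UNSPEC: accept v4 or v6 */
    hints.ai_socktype = SOCK_DGRAM;   /* one result per address, not per socktype */
    hints.ai_flags = AI_NUMERICHOST;  /* pass 1: literal only, never hits the resolver */

    rc = getaddrinfo(name, NULL, &hints, &res);
    if (rc != 0 && use_dns) {
        hints.ai_flags = 0;           /* pass 2: real name lookup (may block) */
        rc = getaddrinfo(name, NULL, &hints, &res);
    }
    if (rc != 0)
        return gai_strerror(rc);

    /* Use the first answer; a caller wanting every address walks ai_next. */
    switch (res->ai_family) {
    case AF_INET:
        addr = &((const struct sockaddr_in *)res->ai_addr)->sin_addr;
        break;
    case AF_INET6:
        addr = &((const struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
        break;
    default:
        freeaddrinfo(res);
        return "unexpected address family";
    }
    *out_af = res->ai_family;
    if (inet_ntop(res->ai_family, addr, buf, buflen) == NULL) {
        freeaddrinfo(res);
        return "address does not fit in buffer";
    }
    freeaddrinfo(res);
    return NULL;
}

/* Check helper: does NAME resolve (under AF / USE_DNS) to EXPECT_AF + EXPECT? */
static bool resolves_to(const char *name, int af, bool use_dns,
                        int expect_af, const char *expect)
{
    char buf[INET6_ADDRSTRLEN];
    int got_af = AF_UNSPEC;
    const char *err = resolve_name(name, af, use_dns, &got_af, buf, sizeof(buf));
    return err == NULL && got_af == expect_af && strcmp(buf, expect) == 0;
}

/* Check helper: does NAME fail to resolve under AF / USE_DNS? */
static bool fails(const char *name, int af, bool use_dns)
{
    char buf[INET6_ADDRSTRLEN];
    int got_af = AF_UNSPEC;
    return resolve_name(name, af, use_dns, &got_af, buf, sizeof(buf)) != NULL;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "::1";   /* default is a literal, so offline-safe */
    char buf[INET6_ADDRSTRLEN];
    int af = AF_UNSPEC;
    const char *err = resolve_name(name, AF_UNSPEC, true, &af, buf, sizeof(buf));
    if (err != NULL) {
        fprintf(stderr, "%s: %s\n", name, err);
        return 1;
    }
    printf("%s -> %s (%s)\n", name, buf, af == AF_INET6 ? "IPv6" : "IPv4");
    return 0;
}
```

Two practical notes for an actual port of ttoaddress.c: the callers in the grep output hand ttoaddress_dns() a shunk (pointer plus length) that is not guaranteed to be NUL-terminated, whereas getaddrinfo() wants a C string, so the shunk has to be copied into a bounded buffer first; and with AI_NUMERICHOST set, a literal of the wrong family (an IPv6 text with AF_INET) is rejected by getaddrinfo() itself without a network round trip, which is the behaviour you want when the caller passed an explicit address_type().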