 

Subject: Add signal to force KDC to check for changed interfaces
Needed when the KDC runs on a client machine that changes networks (LKDC).
diff -uNr -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/extern.c Kerberos/KerberosFramework/Kerberos5/Sources/kdc/extern.c
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/extern.c 2006-11-16 14:54:22.000000000 -0800
+++ Kerberos/KerberosFramework/Kerberos5/Sources/kdc/extern.c 2006-11-16 19:02:36.000000000 -0800
@@ -40,3 +40,4 @@

volatile int signal_requests_exit = 0; /* gets set when signal hits */
volatile int signal_requests_hup = 0; /* ditto */
+volatile int signal_requests_network = 0; /* ditto (SIGUSR1) */
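Review bot: The new flag is declared `volatile int` like its two siblings, but the only object type C guarantees can be read and written atomically from a signal handler is `sig_atomic_t`; `volatile sig_atomic_t signal_requests_network = 0;` (with the matching `extern` in extern.h) is the strictly correct declaration. An aligned int store is atomic in practice on the platforms this KDC targets, so this is a portability/style point rather than an observed bug, and it is best applied to all three flags together rather than to this one alone.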
diff -uNr -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/extern.h Kerberos/KerberosFramework/Kerberos5/Sources/kdc/extern.h
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/extern.h 2006-11-16 14:54:22.000000000 -0800
+++ Kerberos/KerberosFramework/Kerberos5/Sources/kdc/extern.h 2006-11-16 19:02:36.000000000 -0800
@@ -96,4 +96,5 @@

extern volatile int signal_requests_exit;
extern volatile int signal_requests_hup;
+extern volatile int signal_requests_network;
#endif /* __KRB5_KDC_EXTERN__ */
diff -uNr -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/main.c Kerberos/KerberosFramework/Kerberos5/Sources/kdc/main.c
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/main.c 2006-11-16 14:54:22.000000000 -0800
+++ Kerberos/KerberosFramework/Kerberos5/Sources/kdc/main.c 2006-11-16 19:12:43.000000000 -0800
@@ -56,6 +56,7 @@

krb5_sigtype request_exit (int);
krb5_sigtype request_hup (int);
+krb5_sigtype request_network (int);

void setup_signal_handlers (void);

@@ -371,6 +372,18 @@
#endif
}

+krb5_sigtype
+request_network(int signo)
+{
+ signal_requests_network = 1;
+
+#ifdef POSIX_SIGTYPE
+ return;
+#else
+ return(0);
+#endif
+}
+
void
setup_signal_handlers(void)
{
@@ -382,12 +395,15 @@
(void) sigaction(SIGTERM, &s_action, (struct sigaction *) NULL);
s_action.sa_handler = request_hup;
(void) sigaction(SIGHUP, &s_action, (struct sigaction *) NULL);
+ s_action.sa_handler = request_network;
+ (void) sigaction(SIGUSR1, &s_action, (struct sigaction *) NULL);
s_action.sa_handler = SIG_IGN;
(void) sigaction(SIGPIPE, &s_action, (struct sigaction *) NULL);
#else /* POSIX_SIGNALS */
signal(SIGINT, request_exit);
signal(SIGTERM, request_exit);
signal(SIGHUP, request_hup);
+ signal(SIGUSR1, request_network);
signal(SIGPIPE, SIG_IGN);
#endif /* POSIX_SIGNALS */

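Review bot: In the `#else` branch `signal(SIGUSR1, request_network)` inherits whatever reset-to-default behaviour the platform's `signal()` has, and SIGUSR1's default disposition terminates the process, so on a System V style `signal()` a second SIGUSR1 delivered before the handler re-arms itself kills the KDC instead of triggering a rescan. The existing SIGHUP line carries the same exposure, so this may be an accepted limitation of the non-POSIX build, but re-arming costs one line: under `#ifndef POSIX_SIGNALS` add `signal(SIGUSR1, request_network);` at the top of `request_network` (defined in the previous hunk). The sigaction branch reuses `s_action`, whose `sa_flags` and `sa_mask` are set before this hunk, so SIGUSR1 gets the same restart/mask treatment as SIGHUP, which looks intended.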
diff -uNr -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/network.c Kerberos/KerberosFramework/Kerberos5/Sources/kdc/network.c
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/network.c 2006-11-16 14:54:22.000000000 -0800
+++ Kerberos/KerberosFramework/Kerberos5/Sources/kdc/network.c 2006-11-16 19:02:36.000000000 -0800
@@ -207,7 +207,7 @@
(set.data[idx] = set.data[--set.n], 0)

#define FREE_SET_DATA(set) if(set.data) free(set.data); \
- (set.data = 0, set.max = 0)
+ (set.data = 0, set.max = 0, set.n = 0)


/* Set<struct connection *> connections; */
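Review bot: Resetting `set.n` is the right fix (otherwise a re-populated set would index into freshly freed storage), but the macro it lands in is an unbraced `if ... ;` followed by a comma expression, so `if (cond) FREE_SET_DATA(s); else ...` binds the `else` to the inner `if(set.data)` and the reset runs unconditionally. If no caller relies on the value of the comma expression, wrap it: `#define FREE_SET_DATA(set) do { free(set.data); set.data = 0; set.max = 0; set.n = 0; } while (0)` — the `if(set.data)` guard can go because `free(NULL)` is a no-op.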
@@ -222,6 +222,8 @@

static struct select_state sstate;

+static int getcurtime (struct timeval *tvp);
+
static krb5_error_code add_udp_port(int port)
{
int i;
@@ -1066,17 +1068,42 @@
that junk on the stack. */
static struct select_state sout;
int i, sret;
+ int netchanged;
krb5_error_code err;

- if (conns == (struct connection **) NULL)
- return KDC5_NONET;
-
+ netchanged = 0;
+ if (conns == (struct connection **) NULL){
+ sleep(30);
+ err = setup_network(prog);
+ if (conns == (struct connection **) NULL)
+ return KDC5_NONET;
+ if (err){
+ com_err(prog, err,"while initalizing the network");
+ return err;
+ }
+ }
+
while (!signal_requests_exit) {
if (signal_requests_hup) {
krb5_klog_reopen(kdc_context);
signal_requests_hup = 0;
}
- sstate.end_time.tv_sec = sstate.end_time.tv_usec = 0;
+
+
+ if (signal_requests_network) {
+ com_err(prog, EINTR, "signal_requests_network recieved");
+ err = getcurtime(&(sstate.end_time));
+ if(err) {
+ com_err(prog, err, "while getting the time");
+ continue;
+ }
+ sstate.end_time.tv_sec += 3;
+ netchanged = 1;
+ } else {
+ sstate.end_time.tv_sec = sstate.end_time.tv_usec = 0;
+ }
+
+
err = krb5int_cm_call_select(&sstate, &sout, &sret);
if (err) {
com_err(prog, err, "while selecting for network input(1)");
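Review bot: The quiet-period deadline is re-armed on every pass through the loop while `signal_requests_network` is set, and the rescan in the next hunk only fires when `sret == 0`; given that `end_time` is absolute (as the `getcurtime` plus 3 arithmetic implies), any peer that sends the KDC a packet at least every three seconds pushes the deadline back indefinitely and the interface rescan never happens — and an unauthenticated UDP datagram is enough to do that. Arm the deadline once, while `netchanged` is still 0, and leave it alone until the rescan runs. Two smaller issues in the same block: the `continue` after a `getcurtime` failure skips the `select` without clearing the flag, so a persistent `gettimeofday` error becomes a hot spin (fall back to `time(NULL) + 3`, assuming `<time.h>` is already in scope), and `com_err(prog, EINTR, ...)` prefixes an informational line, which also misspells "received", with "Interrupted system call" — pass 0 as the code. The initial `sleep(30)` is a single unconditional 30-second stall with one retry and a misspelled "initalizing" message; it deserves a comment saying why 30 and why only once, and the enclosing function starts before this hunk.
```c
        if (signal_requests_network && !netchanged) {
            /* Arm the quiet-period deadline once.  Re-arming it on every pass
               lets steady, unauthenticated traffic defer the rescan forever. */
            com_err(prog, 0, "network change signal received; rescanning after 3s quiet");
            err = getcurtime(&(sstate.end_time));
            if (err) {
                /* Don't spin: degrade to second resolution instead of skipping select. */
                com_err(prog, err, "while getting the time");
                sstate.end_time.tv_sec = time(NULL) + 3;
                sstate.end_time.tv_usec = 0;
            } else {
                sstate.end_time.tv_sec += 3;
            }
            netchanged = 1;
        } else if (!netchanged) {
            sstate.end_time.tv_sec = sstate.end_time.tv_usec = 0;
        }
        /* … unchanged: krb5int_cm_call_select and its error handling … */
```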
@@ -1087,6 +1114,17 @@
com_err(prog, errno, "while selecting for network input(2)");
continue;
}
+ if(netchanged && (sret == 0)) {
+ signal_requests_network = 0;
+ (void)closedown_network(prog);
+ err = setup_network(prog);
+ if(err) {
+ com_err(prog, err, "while re-initializing network");
+ return err;
+ }
+ netchanged = 0;
+ }
+
nfound = sret;
for (i=0; i<n_sockets && nfound > 0; i++) {
int sflags = 0;
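Review bot: When `setup_network` fails after `closedown_network` has already torn the sockets down, the `return err` ends the listen loop and the KDC exits, so a transient bind error at the very moment the interfaces are being reconfigured (an address still settling, for instance) turns a rescan into an outage, which is worse than staying up on the old sockets. Logging and retrying on the next pass keeps the daemon alive: `com_err(prog, err, "while re-initializing network; retrying");` then `signal_requests_network = 1; netchanged = 0;` and `continue;` — the previous hunk then re-arms the quiet period and this block runs again when it expires. Whether the loop tolerates an empty socket set between attempts depends on `closedown_network` and `n_sockets`, both outside this hunk, so that needs checking before adopting the retry. The enclosing function starts before this hunk and ends after it.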
@@ -1129,4 +1167,24 @@
return 0;
}

+// stolen from sendto_kdc.c
+static int getcurtime (struct timeval *tvp)
+{
+#ifdef _WIN32
+ struct _timeb tb;
+ _ftime(&tb);
+ tvp->tv_sec = tb.time;
+ tvp->tv_usec = tb.millitm * 1000;
+ /* Can _ftime fail? */
+ return 0;
+#else
+ if (gettimeofday(tvp, 0)) {
+ //dperror("gettimeofday");
+ return errno;
+ }
+ return 0;
+#endif
+}
+
+
#endif /* INET */
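Review bot: `//dperror("gettimeofday");` is commented-out code, and `// stolen from sendto_kdc.c` uses C99 `//` syntax in a file whose comments are otherwise `/* */` (see the surrounding context lines); drop the dead line and make the header `/* Copied from sendto_kdc.c; returns 0 or an errno value. */`. The `_WIN32` branch cannot report failure because `_ftime` returns void, which the existing `/* Can _ftime fail? */` already hints at; stating outright that it returns 0 unconditionally there would let callers stop guessing.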
Date: Tue, 8 Jul 2008 16:55:43 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6019] Add signal to force KDC to check for changed interfaces
Or use a PF_ROUTE socket?

On Mon, Jul 07, 2008 at 04:19:32PM -0400, Alexandra Ellwood via RT wrote:
> diff -uNr -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/extern.c Kerberos/KerberosFramework/Kerberos5/Sources/kdc/extern.c
> --- Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/extern.c 2006-11-16 14:54:22.000000000 -0800
> +++ Kerberos/KerberosFramework/Kerberos5/Sources/kdc/extern.c 2006-11-16 19:02:36.000000000 -0800
> @@ -40,3 +40,4 @@
>
> volatile int signal_requests_exit = 0; /* gets set when signal hits */
> volatile int signal_requests_hup = 0; /* ditto */
> +volatile int signal_requests_network = 0; /* ditto (SIGUSR1) */
> diff -uNr -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/extern.h Kerberos/KerberosFramework/Kerberos5/Sources/kdc/extern.h
> --- Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/extern.h 2006-11-16 14:54:22.000000000 -0800
> +++ Kerberos/KerberosFramework/Kerberos5/Sources/kdc/extern.h 2006-11-16 19:02:36.000000000 -0800
> @@ -96,4 +96,5 @@
>
> extern volatile int signal_requests_exit;
> extern volatile int signal_requests_hup;
> +extern volatile int signal_requests_network;
> #endif /* __KRB5_KDC_EXTERN__ */
> diff -uNr -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/main.c Kerberos/KerberosFramework/Kerberos5/Sources/kdc/main.c
> --- Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/main.c 2006-11-16 14:54:22.000000000 -0800
> +++ Kerberos/KerberosFramework/Kerberos5/Sources/kdc/main.c 2006-11-16 19:12:43.000000000 -0800
> @@ -56,6 +56,7 @@
>
> krb5_sigtype request_exit (int);
> krb5_sigtype request_hup (int);
> +krb5_sigtype request_network (int);
>
> void setup_signal_handlers (void);
>
> @@ -371,6 +372,18 @@
> #endif
> }
>
> +krb5_sigtype
> +request_network(int signo)
> +{
> + signal_requests_network = 1;
> +
> +#ifdef POSIX_SIGTYPE
> + return;
> +#else
> + return(0);
> +#endif
> +}
> +
> void
> setup_signal_handlers(void)
> {
> @@ -382,12 +395,15 @@
> (void) sigaction(SIGTERM, &s_action, (struct sigaction *) NULL);
> s_action.sa_handler = request_hup;
> (void) sigaction(SIGHUP, &s_action, (struct sigaction *) NULL);
> + s_action.sa_handler = request_network;
> + (void) sigaction(SIGUSR1, &s_action, (struct sigaction *) NULL);
> s_action.sa_handler = SIG_IGN;
> (void) sigaction(SIGPIPE, &s_action, (struct sigaction *) NULL);
> #else /* POSIX_SIGNALS */
> signal(SIGINT, request_exit);
> signal(SIGTERM, request_exit);
> signal(SIGHUP, request_hup);
> + signal(SIGUSR1, request_network);
> signal(SIGPIPE, SIG_IGN);
> #endif /* POSIX_SIGNALS */
>
> diff -uNr -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/network.c Kerberos/KerberosFramework/Kerberos5/Sources/kdc/network.c
> --- Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/network.c 2006-11-16 14:54:22.000000000 -0800
> +++ Kerberos/KerberosFramework/Kerberos5/Sources/kdc/network.c 2006-11-16 19:02:36.000000000 -0800
> @@ -207,7 +207,7 @@
> (set.data[idx] = set.data[--set.n], 0)
>
> #define FREE_SET_DATA(set) if(set.data) free(set.data); \
> - (set.data = 0, set.max = 0)
> + (set.data = 0, set.max = 0, set.n = 0)
>
>
> /* Set<struct connection *> connections; */
> @@ -222,6 +222,8 @@
>
> static struct select_state sstate;
>
> +static int getcurtime (struct timeval *tvp);
> +
> static krb5_error_code add_udp_port(int port)
> {
> int i;
> @@ -1066,17 +1068,42 @@
> that junk on the stack. */
> static struct select_state sout;
> int i, sret;
> + int netchanged;
> krb5_error_code err;
>
> - if (conns == (struct connection **) NULL)
> - return KDC5_NONET;
> -
> + netchanged = 0;
> + if (conns == (struct connection **) NULL){
> + sleep(30);
> + err = setup_network(prog);
> + if (conns == (struct connection **) NULL)
> + return KDC5_NONET;
> + if (err){
> + com_err(prog, err,"while initalizing the network");
> + return err;
> + }
> + }
> +
> while (!signal_requests_exit) {
> if (signal_requests_hup) {
> krb5_klog_reopen(kdc_context);
> signal_requests_hup = 0;
> }
> - sstate.end_time.tv_sec = sstate.end_time.tv_usec = 0;
> +
> +
> + if (signal_requests_network) {
> + com_err(prog, EINTR, "signal_requests_network recieved");
> + err = getcurtime(&(sstate.end_time));
> + if(err) {
> + com_err(prog, err, "while getting the time");
> + continue;
> + }
> + sstate.end_time.tv_sec += 3;
> + netchanged = 1;
> + } else {
> + sstate.end_time.tv_sec = sstate.end_time.tv_usec = 0;
> + }
> +
> +
> err = krb5int_cm_call_select(&sstate, &sout, &sret);
> if (err) {
> com_err(prog, err, "while selecting for network input(1)");
> @@ -1087,6 +1114,17 @@
> com_err(prog, errno, "while selecting for network input(2)");
> continue;
> }
> + if(netchanged && (sret == 0)) {
> + signal_requests_network = 0;
> + (void)closedown_network(prog);
> + err = setup_network(prog);
> + if(err) {
> + com_err(prog, err, "while re-initializing network");
> + return err;
> + }
> + netchanged = 0;
> + }
> +
> nfound = sret;
> for (i=0; i<n_sockets && nfound > 0; i++) {
> int sflags = 0;
> @@ -1129,4 +1167,24 @@
> return 0;
> }
>
> +// stolen from sendto_kdc.c
> +static int getcurtime (struct timeval *tvp)
> +{
> +#ifdef _WIN32
> + struct _timeb tb;
> + _ftime(&tb);
> + tvp->tv_sec = tb.time;
> + tvp->tv_usec = tb.millitm * 1000;
> + /* Can _ftime fail? */
> + return 0;
> +#else
> + if (gettimeofday(tvp, 0)) {
> + //dperror("gettimeofday");
> + return errno;
> + }
> + return 0;
> +#endif
> +}
> +
> +
> #endif /* INET */
>
From: Ken Raeburn <raeburn@MIT.EDU>
To: rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6019] Add signal to force KDC to check for changed interfaces
Date: Wed, 9 Jul 2008 13:50:29 -0400
On Jul 8, 2008, at 17:55, Nicolas Williams via RT wrote:
> Or use a PF_ROUTE socket?

I'm not terribly familiar with using PF_ROUTE sockets, but from a
quick read of the route(4) man page, I suspect it would work, and
would be more automated than having to send a signal.

At least one ipsec package doesn't visibly update the routing table
when tunnels are brought up and new addresses assigned -- but then, it
doesn't make the new addresses visible either, so we're no worse off.

Maybe lxs should check with Apple and see if they have a reason for
not doing it this way. I'd guess it probably was easier than trying
to untangle our network handling callback setup, but I'd have no such
excuse. :)

A minor problem with the Apple patch -- or any revised one that still
uses closedown_network/setup_network -- is that it'll discard any
pending requests over UDP that have been queued by the kernel but not
yet read by the KDC. I'd have to dig into the code to figure out if
open TCP connections get closed, get serviced, or get ignored; my
guess is they'll get closed.

Discarded UDP packets would get retransmitted by the client; that's
okay. Closed TCP connections won't be retried by an MIT client (to
the same KDC address), but usually UDP will be getting tried as well,
unless we've got too much PAC data. Ignored TCP connections would
waste resources on the KDC. It would be nicer to only close down the
listening sockets where we no longer own the address, so we never stop
listening, but...

I'm also not 100% sure that closedown_network does a full cleanup.

getcurtime should probably become an inline function in one of the
headers, it's a trivial enough thing and we should avoid the code
duplication.
From: Ken Raeburn <raeburn@MIT.EDU>
To: rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6019] Add signal to force KDC to check for changed interfaces
Date: Wed, 9 Jul 2008 15:16:26 -0400
(And of course insert once again my request for IP_PKTINFO support in
the Darwin kernel, which would make all this unnecessary, on the Mac
at least.)
From: raeburn@mit.edu
Subject: SVN Commit

In FREE_SET_DATA, reset the current count as well.
Commit By: raeburn



Revision: 20514
Changed Files:
U trunk/src/kdc/network.c
From: raeburn@mit.edu
Subject: SVN Commit

On systems with struct rt_msghdr, open a routing socket and wait for
messages; when they come in, if the types suggest a possibility of
network interface reconfiguration, shut down the KDC's networking and
bring it back up again, rescanning the interfaces in the process.

Leaving the ticket open because it should be improved:
* It should only close down sockets on addresses we no longer have, and
bring up sockets only on new addresses.
* If we have IPV6_PKTINFO support, it should only listen for IPv4
routing changes.
* If we also have IP_PKTINFO support, it shouldn't be used at all.
* If we build a KDC on a system with neither struct rt_msghdr nor
IP_PKTINFO (do we have any such?), we'll need another solution.

Thanks to Nico Williams for the routing socket suggestion, and Apple
for the initial (signal-driven) reconfiguration code.
Commit By: raeburn



Revision: 20540
Changed Files:
U trunk/src/configure.in
U trunk/src/kdc/network.c
Basic problem should be addressed (at least on our main OSes) by the patch checked in.

Ticket 6039 addresses some desirable refinements and cleanup.