fwtool: fix dns lookups

dig +short actually returns the ip with any cname, recursion bit was
wrong.

diff --git a/src/plugins/firewall.sml b/src/plugins/firewall.sml
index 1131f20..5d2155c 100644 (file)
--- a/src/plugins/firewall.sml
+++ b/src/plugins/firewall.sml
@@ -88,6 +88,9 @@ fun query (node, uname) =
            (List.filter (fn (User u, FirewallNode n, _) => u = uname andalso n = node) rules)
     end
 
+fun validIp (ip, ipv6) = (case ipv6 of FwIPv6 => Domain.validIpv6 ip
+                                    | FwIPv4 =>  Domain.validIp ip)
+
 fun dnsExists dnsRR dnsRecord =
     let
        val dnsRR_string = case dnsRR of
@@ -97,19 +100,15 @@ fun dnsExists dnsRR dnsRecord =
        (* timeout chosen arbitrarilty, shorter is better if it's reliable *)
        (* dig outputs true even if the lookup fails, but no output in short mode should work *)
        case Slave.runOutput (Config.Firewall.dig, ["+short", "+timeout=3", "-t", dnsRR_string, dnsRecord]) of
-           (_, SOME s) => (case Domain.validDomain (substring (s, 0, size s - 2)) of (* delete trailing . from cname *)
-                               true => dnsExists dnsRR s (* dig will return CNAME, must recurse *)
-                             | false => true) (* maybe also double check ip? use size s - 1 if so! *)
-
-         | (_, NONE) => false
+           (_, SOME s) => (validIp (List.last (String.tokens Char.isSpace s), dnsRR))
+         | (x, NONE) => false
     end
 
 fun fermVariable x = String.isPrefix "$" x
 fun filterHosts (hosts, ipv6) =
-    List.filter (fn host => fermVariable host
-                           orelse (case ipv6 of FwIPv6 => Domain.validIpv6 host
-                                              | FwIPv4 =>  Domain.validIp host)
-                           orelse dnsExists ipv6 host)
+    List.filter (fn host => (fermVariable host
+                            orelse validIp (host, ipv6)
+                            orelse dnsExists ipv6 host))
                hosts
 
 
@@ -217,7 +216,7 @@ fun generateFirewallConfig rules =
                TextIO.output (tcp_inf, "proto tcp mod comment comment \"user:" ^ uname ^ "\" {\n");
                TextIO.output (tcp_inf, concat lines);
                TextIO.output (tcp_inf, "\n}\n\n")
-           end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n" (* no sense in opening ports for bad users *)
+           end handle OS.SysErr _ => print ("Invalid user " ^ uname ^ " in firewall config, skipping.\n") (* no sense in opening ports for bad users *)
 
        fun writeUserOutRules tcp_outf (uname, lines) =
            let
@@ -226,7 +225,7 @@ fun generateFirewallConfig rules =
                TextIO.output (tcp_outf, "mod owner uid-owner " ^ (Int.toString uid) ^ " mod comment comment \"user:" ^ uname ^ "\" proto tcp {\n");
                TextIO.output (tcp_outf, concat lines);
                TextIO.output (tcp_outf, "\nDROP;\n}\n\n")
-           end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n"
+           end handle OS.SysErr _ => print ("Invalid user " ^ uname ^ " in firewall config, skipping.\n")
 
     in
        write_tcp_in_conf_preamble (users_tcp_in_conf);