I just patched my copy of syslog-ng-1.5.10 to use TCP wrappers - I want to strictly control who is allowed to talk to my log server, and since we do everything else at my shop with TCP wrappers, it seemed sensible to add it in. I am running NetBSD 1.5.2, which provides the TCP wrappers code as part of the base OS. The only other change needed was to add "-lwrap" to the link flags. Is there interest in this feature?

The patch below is only for incoming TCP connections - I don't see the point of putting it in for UDP, as the packets are trivially spoofable.

I haven't had much time to review the syslog-ng code, so I suspect this is not the best way to apply the patch: on second thought, it seems it might belong in libol.

-- Ed

--- afinet.c 2001/10/27 01:57:51 1.1 +++ afinet.c 2001/10/27 03:29:11 @@ -28,6 +28,13 @@ #include "cfgfile.h" #include "pkt_buffer.h" +#ifndef WE_DONT_WANT_TCP_WRAPPERS +#include "tcpd.h" +int allow_severity; +int deny_severity; +#endif + + #include <errno.h> #include <string.h> #include <assert.h> @@ -210,6 +217,23 @@ CAST(afinet_source, self, c); struct afsocket_source_connection *conn; UINT32 res; + + +#ifndef WE_DONT_WANT_TCP_WRAPPERS + { + struct request_info req; + + request_init(&req, RQ_DAEMON, "syslog-ng", RQ_FILE, client->super.fd, 0); + fromhost(&req); + if (hosts_access(&req) == 0) + { + CAST(inet_address_info, inet_addr, client_addr); + notice("connection from %S:%i refused by hosts_access()\n", inet_addr->ip, inet_addr->port); + close_fd(&client->super, 0); + return ST_OK | ST_GOON; + } + } +#endif if (c->num_connections >= c->max_connections) { CAST(inet_address_info, inet_addr, client_addr);
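
Review bot: In the first hunk (the include block at afinet.c line 28), allow_severity and deny_severity are defined without initializers, so both are 0, and libwrap uses them as the syslog priority for messages it logs itself; 0 is LOG_EMERG. Initialize them explicitly, for example `int allow_severity = LOG_INFO;` and `int deny_severity = LOG_WARNING;` with <syslog.h> included. tcpd.h is a system header, so `#include <tcpd.h>` is the usual form rather than quotes. The guard is also opt-out (WE_DONT_WANT_TCP_WRAPPERS), which means an unmodified build now fails at link time unless -lwrap is added by hand; the patch carries no build change, so an opt-in macro set by configure when libwrap is found would be safer.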
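
Review bot: In the second hunk (afinet.c line 217), hosts_access() is called inline in the accept path, and it can block on DNS lookups whenever hosts.allow or hosts.deny contain hostname patterns, so a slow resolver can stall acceptance of log connections; please document that rules for this daemon should be address-based, or move the check off the accept path. The refused branch also returns `ST_OK | ST_GOON` after only close_fd(&client->super, 0); confirm that client and client_addr are released the same way as in the max_connections branch that follows. Finally, the daemon name "syslog-ng" passed to request_init() is what administrators must write in hosts.allow, which deserves a line in the documentation.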