Ticket #366: 0001-avahi-daemon-add-support-for-whitelisting-and-blackl.patch

avahi-core/addr-util.h

@@ -25 +25 @@
 
 #include <avahi-common/cdecl.h>
 #include <avahi-common/address.h>
+#include <avahi-common/llist.h>
 
 AVAHI_C_DECL_BEGIN
 
@@ -42 +43 @@
  * returns 1 if yes, 0 otherwise */
 int avahi_address_is_link_local(const AvahiAddress *a);
 
+typedef struct AvahiAddressList AvahiAddressList;
+
+struct AvahiAddressList {
+    AvahiAddress address;
+    AVAHI_LLIST_FIELDS(AvahiAddressList, address);
+};
+
 AVAHI_C_DECL_END
 
 #endif

avahi-core/core.h

@@ -31 +31 @@
 #include <avahi-common/watch.h>
 #include <avahi-common/timeval.h>
 #include <avahi-core/rr.h>
+#include <avahi-core/addr-util.h>
 
 AVAHI_C_DECL_BEGIN
 
@@ -48 +49 @@
     int use_ipv6;                     /**< Enable IPv6 support */
     AvahiStringList *allow_interfaces;/**< Allow specific interface to be used for Avahi */
     AvahiStringList *deny_interfaces; /**< Deny specific interfaces to be used for Avahi */
+    AVAHI_LLIST_HEAD(AvahiAddressList, allow_addresses); /**< Allow specific IP addresses to be used for Avahi */
+    AVAHI_LLIST_HEAD(AvahiAddressList, deny_addresses); /**< Deny specific IP addresses to be used for Avahi */
     int publish_hinfo;                /**< Register a HINFO record for the host containing the local OS and CPU type */
     int publish_addresses;            /**< Register A, AAAA and PTR records for all local IP addresses */
     int publish_workstation;          /**< Register a _workstation._tcp service */

avahi-core/iface.c

@@ -698 +698 @@
 
 int avahi_interface_address_is_relevant(AvahiInterfaceAddress *a) {
     AvahiInterfaceAddress *b;
+    AvahiAddressList *l;
     assert(a);
 
+    for (l = a->monitor->server->config.deny_addresses; l; l = l->address_next)
+        if (avahi_address_cmp(&l->address, &a->address) == 0)
+            return 0;
+
+    if (a->monitor->server->config.allow_addresses) {
+
+        for (l = a->monitor->server->config.allow_addresses; l; l = l->address_next)
+            if (avahi_address_cmp(&l->address, &a->address) == 0)
+                goto good;
+
+        return 0;
+    }
+
+good:
     /* Publish public and non-deprecated IP addresses */
     if (a->global_scope && !a->deprecated)
         return 1;

avahi-core/server.c

@@ -1579 +1579 @@
     c->use_ipv4 = 1;
     c->allow_interfaces = NULL;
     c->deny_interfaces = NULL;
+    AVAHI_LLIST_HEAD_INIT(AvahiAddressList, c->allow_addresses);
+    AVAHI_LLIST_HEAD_INIT(AvahiAddressList, c->deny_addresses);
     c->host_name = NULL;
     c->domain_name = NULL;
     c->check_response_ttl = 0;
@@ -1606 +1608 @@
 }
 
 void avahi_server_config_free(AvahiServerConfig *c) {
+    AvahiAddressList *l, *next;
     assert(c);
 
     avahi_free(c->host_name);
@@ -1613 +1616 @@
     avahi_string_list_free(c->browse_domains);
     avahi_string_list_free(c->allow_interfaces);
     avahi_string_list_free(c->deny_interfaces);
+    for (l = c->allow_addresses; l; l = next) {
+        next = l->address_next;
+        avahi_free(l);
+    }
+    for (l = c->deny_addresses; l; l = next) {
+        next = l->address_next;
+        avahi_free(l);
+    }
 }
 
 AvahiServerConfig* avahi_server_config_copy(AvahiServerConfig *ret, const AvahiServerConfig *c) {
     char *d = NULL, *h = NULL;
     AvahiStringList *browse = NULL, *allow = NULL, *deny = NULL;
+    AvahiAddressList *l, *next, *allow_addresses = NULL, *deny_addresses = NULL;
     assert(ret);
     assert(c);
 
@@ -1626 +1638 @@
             return NULL;
 
     if (c->domain_name)
-        if (!(d = avahi_strdup(c->domain_name))) {
-            avahi_free(h);
-            return NULL;
+        if (!(d = avahi_strdup(c->domain_name)))
+            goto clean;
+
+    if (!(browse = avahi_string_list_copy(c->browse_domains)) && c->browse_domains)
+        goto clean;
+
+    if (!(allow = avahi_string_list_copy(c->allow_interfaces)) && c->allow_interfaces)
+        goto clean;
+
+    if (!(deny = avahi_string_list_copy(c->deny_interfaces)) && c->deny_interfaces)
+        goto clean;
+
+    if (c->allow_addresses) {
+        if (!(allow_addresses = avahi_new(AvahiAddressList, 1)))
+            goto clean;
+        AVAHI_LLIST_INIT(AvahiAddressList, address, allow_addresses);
+        for (l = c->allow_addresses; l; l = l->address_next) {
+            if (!(next = avahi_new(AvahiAddressList, 1)))
+                goto clean;
+            AVAHI_LLIST_INIT(AvahiAddressList, address, next);
+            next->address = l->address;
+            AVAHI_LLIST_PREPEND(AvahiAddressList, address, allow_addresses, next);
         }
-
-    if (!(browse = avahi_string_list_copy(c->browse_domains)) && c->browse_domains) {
-        avahi_free(h);
-        avahi_free(d);
-        return NULL;
     }
 
-    if (!(allow = avahi_string_list_copy(c->allow_interfaces)) && c->allow_interfaces) {
-        avahi_string_list_free(browse);
-        avahi_free(h);
-        avahi_free(d);
-        return NULL;
-    }
-
-    if (!(deny = avahi_string_list_copy(c->deny_interfaces)) && c->deny_interfaces) {
-        avahi_string_list_free(allow);
-        avahi_string_list_free(browse);
-        avahi_free(h);
-        avahi_free(d);
-        return NULL;
+    if (c->deny_addresses) {
+        if (!(deny_addresses = avahi_new(AvahiAddressList, 1)))
+            goto clean;
+        AVAHI_LLIST_INIT(AvahiAddressList, address, allow_addresses);
+        for (l = c->deny_addresses; l; l = l->address_next) {
+            if (!(next = avahi_new(AvahiAddressList, 1)))
+                goto clean;
+            AVAHI_LLIST_INIT(AvahiAddressList, address, next);
+            next->address = l->address;
+            AVAHI_LLIST_PREPEND(AvahiAddressList, address, deny_addresses, next);
+        }
     }
 
     *ret = *c;
@@ -1658 +1682 @@
     ret->browse_domains = browse;
     ret->allow_interfaces = allow;
     ret->deny_interfaces = deny;
+    ret->allow_addresses = allow_addresses;
+    ret->deny_addresses = deny_addresses;
 
     return ret;
+
+clean:
+    if (deny_addresses) {
+        for (l = deny_addresses; l; l = next) {
+            next = l->address_next;
+            avahi_free(l);
+        }
+    }
+    if (allow_addresses) {
+        for (l = allow_addresses; l; l = next) {
+            next = l->address_next;
+            avahi_free(l);
+        }
+    }
+    if (deny)
+        avahi_string_list_free(deny);
+    if (allow)
+        avahi_string_list_free(allow);
+    if (browse)
+        avahi_string_list_free(browse);
+    if (h)
+        avahi_free(h);
+    if (d)
+        avahi_free(d);
+    return NULL;
 }
 
 int avahi_server_errno(AvahiServer *s) {

avahi-daemon/avahi-daemon.conf

@@ -26 +26 @@
 use-ipv6=no
 #allow-interfaces=eth0
 #deny-interfaces=eth1
+#allow-addresses=192.168.50.10, 192.168.50.11
+#deny-addresses=192.168.50.20, 192.168.50.21
 #check-response-ttl=no
 #use-iff-running=no
 #enable-dbus=yes

avahi-daemon/main.c

@@ -667 +667 @@
                         c->server_config.deny_interfaces = avahi_string_list_add(c->server_config.deny_interfaces, *t);
 
                     avahi_strfreev(e);
+                } else if (strcasecmp(p->key, "allow-addresses") == 0) {
+                    char **e, **t;
+
+                    e = avahi_split_csv(p->value);
+
+                    for (t = e; *t; t++) {
+                        AvahiAddressList *l = avahi_new(AvahiAddressList, 1);
+                        AVAHI_LLIST_INIT(AvahiAddressList, address, l);
+                        if (!avahi_address_parse(*t, AVAHI_PROTO_UNSPEC, &l->address)) {
+                            avahi_log_error("Invalid allow-addresses setting %s", p->value);
+                            avahi_strfreev(e);
+                            goto finish;
+                        }
+                        AVAHI_LLIST_PREPEND(AvahiAddressList, address, c->server_config.allow_addresses, l);
+                    }
+
+                    avahi_strfreev(e);
+                } else if (strcasecmp(p->key, "deny-addresses") == 0) {
+                    char **e, **t;
+
+                    e = avahi_split_csv(p->value);
+
+                    for (t = e; *t; t++) {
+                        AvahiAddressList *l = avahi_new(AvahiAddressList, 1);
+                        AVAHI_LLIST_INIT(AvahiAddressList, address, l);
+                        if (!avahi_address_parse(*t, AVAHI_PROTO_UNSPEC, &l->address)) {
+                            avahi_log_error("Invalid deny-addresses setting %s", p->value);
+                            avahi_strfreev(e);
+                            goto finish;
+                        }
+                        AVAHI_LLIST_PREPEND(AvahiAddressList, address, c->server_config.deny_addresses, l);
+                    }
+
+                    avahi_strfreev(e);
                 } else if (strcasecmp(p->key, "ratelimit-interval-usec") == 0) {
                     AvahiUsec k;
 

man/avahi-daemon.conf.5.xml.in

@@ -86 +86 @@
     </option>
 
     <option>
+      <p><opt>allow-addresses=</opt> Set a comma separated list of
+      IP addresses that should be used by the avahi-daemon.
+      Traffic on other IP addresses will be ignored. If set to an
+      empty list all local IP addresses on the specified network
+      interfaces will be used.</p>
+    </option>
+
+    <option>
+      <p><opt>deny-addresses=</opt> Set a comma separated list of
+      IP addresses that should be ignored by avahi-daemon. Other
+      not specified IP addresses will be used, unless
+      <opt>allow-addresses=</opt> is set. This option takes
+      precedence over <opt>allow-addresses=</opt>.</p>
+    </option>
+
+    <option>
       <p><opt>check-response-ttl=</opt> Takes a boolean value ("yes"
       or "no"). If set to "yes", an additional security check is
       activated: incoming IP packets will be ignored unless the IP