On Fri, Jan 8, 2016 at 5:46 PM, Geert Stappers via Syslinux <syslinux at zytor.com> wrote:
> On Fri, Jan 08, 2016 at 03:40:37PM -0600, Matt Zagrabelny via Syslinux wrote:
>> Greetings,
>>
>> Is this list (a|the best) place to make feature requests for tftp-hpa?
>
> Yes, it is.
> from email header List-Id: For discussion of Syslinux and tftp-hpa <syslinux.zytor.com>

Excellent! ;)

I would like to propose a feature request of adding filespace ACLs to tftpd-hpa.

Example:

I serve data out of /srv/tftp. I only want clients 192.168.1.0/24 to have read access to /srv/tftp/data_1 and only want clients 192.168.2.0/24 to have read access to /srv/tftp/data_2.

Configuration:

One could create a new config file and command-line option, but I believe it could also be done as an extension to the map-file.

Add a new operation letter:

c - indicate an extra client field in this rule

map-file contents:

ec 192.168.1.0/24 ^data_1/
a ^data_1/
ec 192.168.2.0/24 ^data_2/
a ^data_2/

What do you think?

Thanks for your consideration.

-m
On 01/11/16 08:09, Matt Zagrabelny via Syslinux wrote:
>
> I would like to propose a feature request of adding filespace ACLs to tftpd-hpa.
>
> Example:
>
> I serve data out of /srv/tftp. I only want clients 192.168.1.0/24 to
> have read access to /srv/tftp/data_1 and only want clients
> 192.168.2.0/24 to have read access to /srv/tftp/data_2.
>
> Configuration:
>
> One could create a new config file and command-line option, but I
> believe it could also be done as an extension to the map-file.
>
> Add a new operation letter:
>
> c - indicate an extra client field in this rule
>
> map-file contents:
>
> ec 192.168.1.0/24 ^data_1/
> a ^data_1/
> ec 192.168.2.0/24 ^data_2/
> a ^data_2/
>
> What do you think?
>
> Thanks for your consideration.
>

This is actually already possible, but it is definitely awkward:

r ^ \i/
r ^192\.168\.1\.\[0-9]+/\(/data_1/\) \1
r ^192\.168\.2\.\[0-9]+/\(/data_2/\) \1
a ^/ Permission denied

The first rule puts the IP address of the client at the beginning of the file name, and then the ACL rule strips it off if and only if the filename matches. If the IP address is still there when we get to the "a" rule, the filename doesn't start with a / and we reject the request.

-hpa
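As an added example (not code from this thread or from tftpd-hpa itself), the following Python models how the four rules above decide a request: it walks the rules in order with Python's `re` standing in for tftpd-hpa's POSIX regex engine, expands `\i` to the client address before substituting, and assumes the final abort rule is negated (the `~` flag described in the tftpd-hpa map-file documentation) so that it fires when the name does not start with `/`, as the explanation says. The sample requests and addresses are constructed.

```python
import re

# The four map-file rules, transcribed into Python `re` syntax (constructed
# for this example): unescaped groups, and "a~" assumed for the final rule so
# that it aborts when the name does NOT start with "/", as the text describes.
RULES = [
    ("r",  r"^",                               r"\i/"),
    ("r",  r"^192\.168\.1\.[0-9]+/(/data_1/)", r"\1"),
    ("r",  r"^192\.168\.2\.[0-9]+/(/data_2/)", r"\1"),
    ("a~", r"^/",                              "Permission denied"),
]


def remap(filename, client_ip, rules=RULES):
    """Walk the rules in order the way tftpd-hpa's remap engine does for the
    operations used here: r = rewrite, a = abort, ~ = fire when the regex does
    not match.  Returns (allowed, mapped_name_or_reason)."""
    name = filename
    for ops, regex, repl in rules:
        m = re.search(regex, name)
        fire = (m is not None) != ("~" in ops)
        if not fire:
            continue
        if "a" in ops:
            return False, repl
        if "r" in ops and m is not None:
            # \i is the client address in dotted-quad form; \1 etc. are
            # back-references into the regex match.
            expansion = repl.replace(r"\i", client_ip)
            name = name[:m.start()] + m.expand(expansion) + name[m.end():]
    return True, name


def trace(filename, client_ip):
    """Print and return the decision for one request (hypothetical helper)."""
    ok, result = remap(filename, client_ip)
    verdict = "OK " + result if ok else "DENIED: " + result
    print(f"{client_ip} {filename!r} -> {verdict}")
    return ok, result


if __name__ == "__main__":
    trace("/data_1/pxelinux.0", "192.168.1.5")   # allowed, /data_1/pxelinux.0
    trace("/data_1/pxelinux.0", "192.168.2.5")   # denied: wrong subnet
    trace("/data_2/boot.cfg", "192.168.2.9")     # allowed, /data_2/boot.cfg
    trace("/other/file", "192.168.1.5")          # denied: outside both trees
    trace("data_1/pxelinux.0", "192.168.1.5")    # denied: no leading slash
```

Note the last case: with the group written as `\(/data_1/\)`, a request that omits the leading slash keeps the client address in front and falls through to the abort rule, so the rules have to be written for the form of name the clients actually send.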
Hi hpa,

On Mon, Jan 11, 2016 at 10:28 AM, H. Peter Anvin <hpa at zytor.com> wrote:
> On 01/11/16 08:09, Matt Zagrabelny via Syslinux wrote:
>>
>> I would like to propose a feature request of adding filespace ACLs to tftpd-hpa.
>>
>> Example:
>>
>> I serve data out of /srv/tftp. I only want clients 192.168.1.0/24 to
>> have read access to /srv/tftp/data_1 and only want clients
>> 192.168.2.0/24 to have read access to /srv/tftp/data_2.
>>
>> Configuration:
>>
>> One could create a new config file and command-line option, but I
>> believe it could also be done as an extension to the map-file.
>>
>> Add a new operation letter:
>>
>> c - indicate an extra client field in this rule
>>
>> map-file contents:
>>
>> ec 192.168.1.0/24 ^data_1/
>> a ^data_1/
>> ec 192.168.2.0/24 ^data_2/
>> a ^data_2/
>>
>> What do you think?
>>
>> Thanks for your consideration.
>>
>
> This is actually already possible, but it is definitely awkward:

Looking at the remapping options I thought that this contortion was a plausible solution, but wasn't sure I wanted to spend the mental energy figuring it out.

Thank you for the solution! :)

Any desires to make it easier to ACL?

One reason being that we drive configs from puppet, both firewall and tftpd-hpa map-file. It is nice if we can use the same string (192.168.1.0/24) in both the iptables template and the map-file template without having to escape the dots of the subnet, or deviate into a regex equivalent of the subnet.

Food for thought, perhaps.

Thanks again for the help!

-m