Signed-off-by: Alex Bligh <[email protected]>
---
man/nbd-server.5.in.sgml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++
nbd-server.c | 8 ++++++
nbdsrv.h | 1 +
3 files changed, 74 insertions(+)
diff --git a/man/nbd-server.5.in.sgml b/man/nbd-server.5.in.sgml
index 8851708..ab5e45c 100644
--- a/man/nbd-server.5.in.sgml
+++ b/man/nbd-server.5.in.sgml
@@ -264,6 +264,57 @@ manpage.1: manpage.sgml
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>keyfile</option></term>
+ <listitem>
+ <para>
+ Optional; string
+ </para>
+ <para>If this option is set, it should contain a path to
+ a PEM format X.509 private key used for TLS negotiation
+ with the client. This option must be set to enable TLS.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>certfile</option></term>
+ <listitem>
+ <para>
+ Optional; string
+ </para>
+ <para>If this option is set, it should contain a path to
+ a PEM format X.509 public certificate used for TLS negotiation
+ with the client. If <option>keyfile</option> is set but
+ <option>certfile</option> is not set, then the server will
+ attempt to read the certificate from the path specified
+ by <option>keyfile</option>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>cacertfile</option></term>
+ <listitem>
+ <para>
+ Optional; string
+ </para>
+ <para>If this option is set, it should contain a path to
+ a PEM format X.509 CA certificate used for validating client
+ certificates supplied by the client. If this option is not
+ set then client certificates will not be checked.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>tlsonly</option></term>
+ <listitem>
+ <para>Optional; boolean.</para>
+ <para>When this option is enabled,
+ <command>nbd-server</command> will only serve exports
+ using the TLS extension. If this option is not supplied,
+ TLS is optional, unless <option>tlsonly</option> is set
+ in the section corresponding to the specific export.
+ In order for TLS to work at all, the <option>keyfile</option>
+ option must be specified in the generic section.</para>
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<refsect1>
@@ -829,6 +880,20 @@ manpage.1: manpage.sgml
</variablelist>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>tlsonly</option></term>
+ <listitem>
+ <para>Optional; boolean.</para>
+ <para>When this option is enabled,
+ <command>nbd-server</command> will only serve the export
+ using the TLS extension. If this option is not supplied,
+ TLS is optional, unless <option>tlsonly</option> is set
+ in the generic section. In order for TLS to work at all,
+ the <option>keyfile</option> option must be specified in
+ the generic section.</para>
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/nbd-server.c b/nbd-server.c
index 4edb883..729156b 100644
--- a/nbd-server.c
+++ b/nbd-server.c
@@ -239,6 +239,9 @@ struct generic_conf {
gchar *modernaddr; /**< address of the modern socket */
gchar *modernport; /**< port of the modern socket */
gchar *unixsock; /**< file name of the unix domain socket */
+ gchar *certfile; /**< certificate file */
+ gchar *keyfile; /**< key file */
+ gchar *cacertfile; /**< CA certificate file */
gint flags; /**< global flags */
gint threads; /**< maximum number of parallel threads we want
to run */
};
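Review bot: The doc comments on the three new generic_conf members (`/**< certificate file */` and so on) only restate the field names, while the man page text in this same patch gives them real semantics — each is a path to a PEM file, TLS is only enabled when keyfile is set, certfile falls back to the keyfile path, and an unset cacertfile means client certificates are not verified. That last point is the security-relevant one and deserves to be visible at the struct, e.g. `gchar *cacertfile; /**< path to PEM CA cert used to verify client certs; NULL = no client cert check */` and `gchar *keyfile; /**< path to PEM private key; NULL = TLS not offered */`. Whether these strings are owned by generic_conf is not visible in the hunk; if they are g_strdup'd by the parser, the comment should say who frees them. struct generic_conf starts before this hunk.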
@@ -626,6 +629,7 @@ GArray* parse_cfile(gchar* f, struct generic_conf *const
genconf, bool expect_ge
{ "trim", FALSE, PARAM_BOOL, &(s.flags),
F_TRIM },
{ "listenaddr", FALSE, PARAM_STRING, &(s.listenaddr),
0 },
{ "maxconnections", FALSE, PARAM_INT, &(s.max_connections),
0 },
+ { "tlsonly", FALSE, PARAM_BOOL, &(s.flags),
F_TLSONLY },
};
const int lp_size=sizeof(lp)/sizeof(PARAM);
struct generic_conf genconftmp;
@@ -639,6 +643,10 @@ GArray* parse_cfile(gchar* f, struct generic_conf *const
genconf, bool expect_ge
{ "allowlist", FALSE, PARAM_BOOL, &(genconftmp.flags),
F_LIST },
{ "unixsock", FALSE, PARAM_STRING, &(genconftmp.unixsock),
0 },
{ "max_threads", FALSE, PARAM_INT, &(genconftmp.threads),
0 },
+ { "certfile", FALSE, PARAM_STRING, &(genconftmp.certfile),
0 },
+ { "keyfile", FALSE, PARAM_STRING, &(genconftmp.keyfile),
0 },
+ { "cacertfile", FALSE, PARAM_STRING,
&(genconftmp.cacertfile), 0 },
+ { "tlsonly", FALSE, PARAM_BOOL, &(genconftmp.flags),
F_TLSONLY },
};
PARAM* p=gp;
int p_size=sizeof(gp)/sizeof(PARAM);
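Review bot: The parser now accepts `tlsonly` in the generic section with no `keyfile`, even though the man page text in this patch says keyfile "must be specified in the generic section" for TLS to work at all; nothing in the visible hunks rejects that combination, so a tlsonly-only server would presumably fail on the first connection (or, worse, serve in the clear) rather than at startup. A fail-closed check after the generic section is parsed — reject the configuration when `genconftmp.flags & F_TLSONLY` is set and `genconftmp.keyfile` is NULL, using whatever error path parse_cfile already uses for other invalid configurations — would surface the misconfiguration immediately; the same applies to an export section with F_TLSONLY when the generic keyfile is absent. The certfile-defaults-to-keyfile rule from the man page is also not applied here, so either it lives in a later patch of this series or should be documented as the TLS layer's responsibility. parse_cfile begins before this hunk and continues past it.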
diff --git a/nbdsrv.h b/nbdsrv.h
index f3be738..fefd063 100644
--- a/nbdsrv.h
+++ b/nbdsrv.h
@@ -141,6 +141,7 @@ typedef enum {
#define F_TRIM 2048 /**< Whether server wants TRIM (discard) to be sent
by the client */
#define F_FIXED 4096 /**< Client supports fixed new-style protocol (and
can thus send us extra options */
#define F_TREEFILES 8192 /**< flag to tell us a file is exported using
-t */
+#define F_TLSONLY 16384 /**< Whether export should be TLS only */
/* Functions */
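Review bot: The comment on the new flag says "Whether export should be TLS only", but in nbd-server.c this same bit is also set in the generic section's flags (`genconftmp.flags`) as well as in the per-export `s.flags`, so the comment undersells its scope; `/**< TLS-only: set in generic flags (all exports) or in an export's flags */` would match how the patch uses it. Since the flags value is shared between the global and per-export bit spaces, a one-line note that 16384 is the next free bit in both would help the next person adding a flag.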
--
1.9.1