Theo de Raadt(dera...@openbsd.org) on 2021.08.31 11:09:22 -0600:
> I don't understand -- why would people edit this file?
>
> If this list is in argv, it will be difficult to identify targets using
> ps, because the hostname is way at the end.
Yes. If we worry about people touching it, rpki-client could write it out
to a tmp file just before running rsync. But I think that can be done when
someone actually shoots themselves in the foot.

ok for the diff.

> Job Snijders <j...@openbsd.org> wrote:
>
> > Hi,
> >
> > I don't think this should be user configurable.
> >
> > If folks remove entries like "+ *.crl" it breaks things.
> > If folks add entries like "+ *.mp3" it wastes network bandwidth. :-)
> >
> > Let's use "--include" and "--exclude" instead.
> >
> > kind regards,
> >
> > Job
> >
> > On Tue, Aug 31, 2021 at 02:23:57PM +0200, Claudio Jeker wrote:
> > > RPKI repository can only include a few specific files, everything else is
> > > just ignored and deleted after every fetch. Since openrsync supports
> > > --exclude-file now we can use this to limit what is actually accepted by
> > > the client.
> > >
> > > I used a config file in /etc/rpki instead of using multiple --exclude /
> > > --include arguments. Mostly to keep the execvp argv short.
> > >
> > > What do you think?
> > > --
> > > :wq Claudio
> > >
> > > Index: etc/Makefile
> > > ===================================================================
> > > RCS file: /cvs/src/etc/Makefile,v
> > > retrieving revision 1.484
> > > diff -u -p -r1.484 Makefile
> > > --- etc/Makefile	1 May 2021 16:11:07 -0000	1.484
> > > +++ etc/Makefile	31 Aug 2021 12:17:40 -0000
> > > @@ -156,7 +156,7 @@ distribution-etc-root-var: distrib-dirs
> > >  	    ${DESTDIR}/etc/ppp
> > >  	cd rpki; \
> > >  	${INSTALL} -c -o root -g wheel -m 644 \
> > > -	    afrinic.tal apnic.tal lacnic.tal ripe.tal \
> > > +	    afrinic.tal apnic.tal lacnic.tal ripe.tal rsync.filter \
> > >  	    ${DESTDIR}/etc/rpki
> > >  	cd examples; \
> > >  	${INSTALL} -c -o root -g wheel -m 644 ${EXAMPLES} \
> > > Index: etc/rpki/rsync.filter
> > > ===================================================================
> > > RCS file: etc/rpki/rsync.filter
> > > diff -N etc/rpki/rsync.filter
> > > --- /dev/null	1 Jan 1970 00:00:00 -0000
> > > +++ etc/rpki/rsync.filter	31 Aug 2021 12:09:24 -0000
> > > @@ -0,0 +1,7 @@
> > > ++ */
> > > ++ *.cer
> > > ++ *.crl
> > > ++ *.gbr
> > > ++ *.mft
> > > ++ *.roa
> > > +- *
> > > Index: usr.sbin/rpki-client/rsync.c
> > > ===================================================================
> > > RCS file: /cvs/src/usr.sbin/rpki-client/rsync.c,v
> > > retrieving revision 1.24
> > > diff -u -p -r1.24 rsync.c
> > > --- usr.sbin/rpki-client/rsync.c	19 Apr 2021 17:04:35 -0000	1.24
> > > +++ usr.sbin/rpki-client/rsync.c	31 Aug 2021 12:17:11 -0000
> > > @@ -279,6 +279,8 @@ proc_rsync(char *prog, char *bind_addr,
> > >  	args[i++] = "--no-motd";
> > >  	args[i++] = "--timeout";
> > >  	args[i++] = "180";
> > > +	args[i++] = "--exclude-from";
> > > +	args[i++] = "/etc/rpki/rsync.filter";
> > >  	if (bind_addr != NULL) {
> > >  		args[i++] = "--address";
> > >  		args[i++] = (char *)bind_addr;
> > >
> > >
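Review bot: the etc/Makefile hunk installs rsync.filter into /etc/rpki next to the TALs, but nothing in the diff documents what the file is for or that it is not meant to be edited, which is exactly the concern Job and Theo raise above. A short mention in rpki-client(8), or at least a comment line at the top of the file saying it is managed by the base system and that the rpki-client process relies on its contents, would stop people from treating it like configuration.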
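Review bot: in the rsync.filter hunk, the ordering of the rules is load-bearing and nothing says so: rsync stops at the first rule that matches, so `+ */` must stay above `- *` or no directory is ever entered and nothing is fetched, and any new object type needs its own `+ *.ext` line placed before `- *`. A header comment stating this would help, since the file currently has no comments at all. The file is also handed to `--exclude-from` yet consists mostly of `+` include rules, so the patch depends on openrsync honouring the `+`/`-` prefixes inside that file the same way rsync does; that is worth confirming against the openrsync `--exclude-file` support Claudio mentions before committing.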
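Review bot: the rsync.c hunk appends two more entries to `args[]`, whose declaration is outside the hunk, so check that the array was sized with room for them. The path `"/etc/rpki/rsync.filter"` is a bare literal in the middle of the argv construction; a `#define` alongside the other constants would keep it in one place. Since the exec'd rsync opens the filter file itself, if `proc_rsync` restricts the child with unveil before `execvp` the filter path needs to be unveiled readable too (unveil persists across exec); a missing or unreadable file makes every fetch fail rather than fetch everything, which is the safe direction, but it should surface as an obvious error.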
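The rule-ordering behaviour the filter file depends on is easy to see offline. The following script is an added example, not part of the thread or of rpki-client: it builds a small constructed directory tree that mimics an RPKI repository with some junk files mixed in, then runs rsync(1) against a local destination with a filter file shaped exactly like the patch's /etc/rpki/rsync.filter, and once more with `- *` moved to the top to show that the first matching rule wins. It assumes rsync is in PATH (GNU rsync on most systems; the patch itself targets openrsync, so the flag parsing there is what actually matters for rpki-client).

```shell
#!/bin/sh
# Added example: exercise an rsync filter file shaped like the one in the
# rpki-client diff against a constructed local tree. Not rpki-client code.
set -eu

# Without rsync there is nothing to demonstrate; leave quietly.
command -v rsync >/dev/null 2>&1 || { echo "rsync not found in PATH" >&2; exit 0; }

# Build a constructed source tree: valid RPKI object types in two levels of
# directories, plus files that a repository must never push onto the client.
make_tree() {
	dir=$1
	mkdir -p "$dir/ta/sub"
	: > "$dir/ta/ta.cer"
	: > "$dir/ta/ta.crl"
	: > "$dir/ta/ta.mft"
	: > "$dir/ta/sub/x.roa"
	: > "$dir/ta/sub/g.gbr"
	: > "$dir/ta/song.mp3"     # junk, must be dropped by "- *"
	: > "$dir/ta/notes.txt"    # junk, must be dropped by "- *"
	: > "$dir/ta/README"       # junk, no extension at all
}

# Sync $src into $dst using $filter via --exclude-from, then print the
# relative paths of the files that arrived, one per line, sorted in C order.
sync_with_filter() {
	filter=$1; src=$2; dst=$3
	rm -rf "$dst"; mkdir -p "$dst"
	rsync -rt --exclude-from="$filter" "$src/" "$dst/"
	( cd "$dst" && find . -type f | sed 's|^\./||' | LC_ALL=C sort )
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_tree "$work/src"

# Same rules as the patch's etc/rpki/rsync.filter: descend into every
# directory, accept the five object types, drop everything else.
cat > "$work/good.filter" <<'EOF'
+ */
+ *.cer
+ *.crl
+ *.gbr
+ *.mft
+ *.roa
- *
EOF

# Same idea with "- *" placed first. rsync uses the first matching rule, so
# the top-level directory itself is excluded and nothing is transferred.
cat > "$work/bad.filter" <<'EOF'
- *
+ */
+ *.cer
EOF

good=$(sync_with_filter "$work/good.filter" "$work/src" "$work/dst_good")
bad=$(sync_with_filter "$work/bad.filter" "$work/src" "$work/dst_bad")

echo "received with the patch's rule order:"
echo "$good"
echo "received with '- *' first: '${bad}'"
```

With the patch's ordering only the five object files arrive, nested directories included, and song.mp3, notes.txt and README are left behind on the remote; with `- *` first the destination stays empty, which is why the rule order in the installed file must not be disturbed.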