Theo de Raadt(dera...@openbsd.org) on 2021.08.31 11:09:22 -0600:
> I don't understand -- why would people edit this file?
>
> If this list is in argv, it will be difficult to identify targets using
> ps, because the hostname is way at the end.
Yes.
If we worry about people touching it, rpki-client could write it out to a
tmp file just before running rsync. But i think that can be done when
someone actually shot themself in the foot.
ok for the diff.
> Job Snijders <j...@openbsd.org> wrote:
>
> > Hi,
> >
> > I don't think this should be user configurable.
> >
> > If folks remove entries like "+ *.crl" it breaks things.
> > If folks add entries like "+ *.mp3" it wastes network bandwidth. :-)
> >
> > Let's use "--include" and "--exclude" instead.
> >
> > kind regards,
> >
> > Job
> >
> > On Tue, Aug 31, 2021 at 02:23:57PM +0200, Claudio Jeker wrote:
> > > RPKI repository can only include a few specific files, everything else is
> > > just ignored and deleted after every fetch. Since openrsync supports
> > > --exclude-file now we can use this to limit what is actually accepted by
> > > the client.
> > >
> > > I used a config file in /etc/rpki instead of using multiple --exclude /
> > > --include arguments. Mostly to keep the execvp argv short.
> > >
> > > What you think?
> > > --
> > > :wq Claudio
> > >
> > > Index: etc/Makefile
> > > ===================================================================
> > > RCS file: /cvs/src/etc/Makefile,v
> > > retrieving revision 1.484
> > > diff -u -p -r1.484 Makefile
> > > --- etc/Makefile 1 May 2021 16:11:07 -0000 1.484
> > > +++ etc/Makefile 31 Aug 2021 12:17:40 -0000
> > > @@ -156,7 +156,7 @@ distribution-etc-root-var: distrib-dirs
> > > ${DESTDIR}/etc/ppp
> > > cd rpki; \
> > > ${INSTALL} -c -o root -g wheel -m 644 \
> > > - afrinic.tal apnic.tal lacnic.tal ripe.tal \
> > > + afrinic.tal apnic.tal lacnic.tal ripe.tal rsync.filter \
> > > ${DESTDIR}/etc/rpki
> > > cd examples; \
> > > ${INSTALL} -c -o root -g wheel -m 644 ${EXAMPLES} \
> > > Index: etc/rpki/rsync.filter
> > > ===================================================================
> > > RCS file: etc/rpki/rsync.filter
> > > diff -N etc/rpki/rsync.filter
> > > --- /dev/null 1 Jan 1970 00:00:00 -0000
> > > +++ etc/rpki/rsync.filter 31 Aug 2021 12:09:24 -0000
> > > @@ -0,0 +1,7 @@
> > > ++ */
> > > ++ *.cer
> > > ++ *.crl
> > > ++ *.gbr
> > > ++ *.mft
> > > ++ *.roa
> > > +- *
> > > Index: usr.sbin/rpki-client/rsync.c
> > > ===================================================================
> > > RCS file: /cvs/src/usr.sbin/rpki-client/rsync.c,v
> > > retrieving revision 1.24
> > > diff -u -p -r1.24 rsync.c
> > > --- usr.sbin/rpki-client/rsync.c 19 Apr 2021 17:04:35 -0000 1.24
> > > +++ usr.sbin/rpki-client/rsync.c 31 Aug 2021 12:17:11 -0000
> > > @@ -279,6 +279,8 @@ proc_rsync(char *prog, char *bind_addr,
> > > args[i++] = "--no-motd";
> > > args[i++] = "--timeout";
> > > args[i++] = "180";
> > > + args[i++] = "--exclude-from";
> > > + args[i++] = "/etc/rpki/rsync.filter";
> > > if (bind_addr != NULL) {
> > > args[i++] = "--address";
> > > args[i++] = (char *)bind_addr;
> > >
> >
>
